Yuri
2017-Dec-10 17:46 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/10/17 09:39, Igor Mozolevsky wrote:
> There has been no instance of in-transit compromise reported since SVN was
> introduced.
>
> Even when the back-end was compromised, there was no detectable compromise
> of the codebase [1]. So even if the codebase was compromised, unless people
> *really knew* what they were doing, HTTPS would seed a false sense of
> security.

This is another incarnation of the bogus argument: https also has some vulnerabilities, so let's just stay with a completely insecure http until some ideal solution is found in the future.

Yuri
Igor Mozolevsky
2017-Dec-10 17:51 UTC
http subversion URLs should be discontinued in favor of https URLs
On 10 December 2017 at 17:46, Yuri <yuri at rawbw.com> wrote:
> On 12/10/17 09:39, Igor Mozolevsky wrote:
>
> > There has been no instance of in-transit compromise reported since SVN was
> > introduced.
> >
> > Even when the back-end was compromised, there was no detectable compromise
> > of the codebase [1]. So even if the codebase was compromised, unless people
> > *really knew* what they were doing, HTTPS would seed a false sense of
> > security.
>
> This is another incarnation of the bogus argument: https also has some
> vulnerabilities, so let's just stay with a completely insecure http until
> some ideal solution is found in the future.

Hypothetical MITM-bogeyman and "suits not knowing that I use FreeBSD" don't make SVN over HTTP insecure.

--
Igor M.