continuum-users mailing list archives

From "Graham Leggett" <minf...@sharp.fm>
Subject Re: server certificate verification failed
Date Mon, 15 Oct 2007 12:40:36 GMT
On Mon, October 15, 2007 1:51 pm, Ashley Williams wrote:

> I would expect that if I have taken the decision to connect to a
> repository for development then it would go without saying that I also
> trust that site.

You are missing the point behind SSL.

Obviously you trust the site, you put it there, but how does your
Continuum know that the site it is connecting to is the site you trust?
Diverting Continuum to connect to something else is not very difficult to
do at all for a third-party device on the same LAN (even a switched LAN),
and it is not difficult to fool your Subversion client into trying to log
into a fake repository using the correct credentials. Having done this, the
attacker has a known working username and password for your repo, and
depending on how you set it up, they could either steal code or alter code
to their advantage.

(Luckily as you run svn over https, you are not open to the risk of a
disgruntled employee deleting the files behind your CVS repo, as happened
at a friend's company a few weeks ago causing much angst and grief).

Regards,
Graham
--
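The scenario Graham describes, as an added example that is not part of the original thread or of Continuum or Subversion: two CAs each issue a certificate for the same repository hostname, one by the CA the company runs and one by a CA an attacker on the LAN made up. A client that checks the chain against its pinned CA (what svn does when `ssl-authority-files` is set) accepts only the genuine server; a client that has verification switched off accepts both, because the only thing it can still look at is the name in the certificate, which the attacker chose. The hostname, CA names and file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): why "I trust the site" is not
# enough when the client skips certificate verification.
set -e

REPO_HOST="svn.example.internal"   # assumed hostname of the repository
WORK="$(mktemp -d)"

# make_ca NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: have CA sign a server certificate for REPO_HOST.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$REPO_HOST" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against CA CERT: prints "ok" if CERT chains to CA and carries the
# expected hostname, "failed" otherwise. This is the check a verifying
# client performs with CA pinned as its trust anchor.
verify_against() {
    if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$REPO_HOST" \
        "$WORK/$2.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo failed
    fi
}

# no_verification CERT: what a client with verification switched off is
# left with: the subject name in the certificate, which the attacker set.
no_verification() {
    if openssl x509 -in "$WORK/$1.pem" -noout -subject \
        | grep -q "CN *= *$REPO_HOST"; then
        echo ok
    else
        echo failed
    fi
}

make_ca corp-ca          # the CA the company actually runs
make_ca rogue-ca         # a CA the attacker on the LAN made up
issue_cert corp-ca genuine
issue_cert rogue-ca fake

# Pinned verification tells the two servers apart; no verification does not:
echo "pinned:     genuine=$(verify_against corp-ca genuine) fake=$(verify_against corp-ca fake)"
echo "unverified: genuine=$(no_verification genuine) fake=$(no_verification fake)"
```

The fix on the Continuum side is therefore not to accept the certificate blindly but to give the svn client the company's CA certificate to verify against, for example by setting `ssl-authority-files` in the `[global]` section of `~/.subversion/servers` for the user Continuum runs as, so the rogue certificate above fails the chain check the same way `fake` does here.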