continuum-users mailing list archives

From Ashley Williams <ashley.willi...@db.com>
Subject Re: server certificate verification failed
Date Mon, 15 Oct 2007 13:08:25 GMT
See comments inline...

"Graham Leggett" <minfrin@sharp.fm> wrote on 15/10/2007 13:40:36:

> On Mon, October 15, 2007 1:51 pm, Ashley Williams wrote:
> 
> > I would expect that if I have taken the decision to connect to a
> > repository for development then it would go without saying that I also
> > trust that site.
> 
> You are missing the point behind SSL.

Quite possibly!

Although I would have thought the issue of whether or not I trust a particular
site is different from whether my continuum installation is connecting me to
the site I think it should be.

So can you give guidance as to what my action should be? Each developer has
just been hitting the 'accept permanently' button in subclipse in their own
workspaces. So should we be thoroughly investigating the proposed certificate
before doing this, since a glance at the certificate hostname field looks fine
to me (*.ibitdev.com)? Continuum is in a dmz and has not been reconfigured
since the last build, so I am fairly certain it is connecting to the correct
url.


> 
> Obviously you trust the site, you put it there, but how does your
> continuum know that the site it is connecting to is the site you trust?
> Diverting continuum to connect to something else is not very difficult to
> do at all by a third party device on the same LAN (even a switched LAN),
> it is not difficult to fool your subversion client to try and log into a
> fake repository using the correct credentials. Having done this, the
> attacker has a known working username and password for your repo, and
> depending on how you set it up, they could either steal code or alter code
> to their advantage.
> 
> (Luckily as you run svn over https, you are not open to the risk of a
> disgruntled employee deleting the files behind your CVS repo, as happened
> at a friend's company a few weeks ago causing much angst and grief).
> 
> Regards,
> Graham
> --
> 
> 


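The point Graham makes above, as an added example that is not part of this thread nor code from Continuum or Subversion: a client that checks only the certificate's hostname field has checked nothing an attacker cannot forge, so the decision must also require either a chain to a trusted CA or a fingerprint recorded out of band (which is what 'accept permanently' stores). Certificates are modelled as plain dicts and the fingerprints are constructed values, not real ones.

```python
import hmac


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name check: a wildcard stands for exactly one whole
    left-most label, so '*.ibitdev.com' matches 'svn.ibitdev.com' but not
    'ibitdev.com', 'a.b.ibitdev.com' or anything under another domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same depth, at least two fixed labels, and a bare '*' as the first label.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def trust_decision(cert: dict, host: str, pinned_fingerprints: list, ca_verified: bool):
    """Return (accept, reason). A matching subject name is necessary but never
    sufficient: anyone can mint a certificate whose CN says '*.ibitdev.com'.
    Accept only if a trusted CA vouches for the chain or the fingerprint
    equals one the developer recorded from the genuine server beforehand."""
    if not hostname_matches(cert["subject_cn"], host):
        return False, "hostname mismatch"
    if ca_verified:
        return True, "chain verified by trusted CA"
    seen = cert["sha1_fingerprint"].lower().replace(":", "")
    for pinned in pinned_fingerprints:
        # Constant-time comparison; the digest is public but the habit is cheap.
        if hmac.compare_digest(seen, pinned.lower().replace(":", "")):
            return True, "fingerprint matches pinned value"
    return False, "untrusted issuer and fingerprint not pinned"


# Constructed sample data: the real repository cert and an impostor that
# copied its subject name but could not reproduce its key/fingerprint.
GENUINE_FP = "aa" * 20
GENUINE = {"subject_cn": "*.ibitdev.com", "sha1_fingerprint": GENUINE_FP}
IMPOSTOR = {"subject_cn": "*.ibitdev.com", "sha1_fingerprint": "cc" * 20}
PINNED = [GENUINE_FP]

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, trust_decision(cert, "svn.ibitdev.com", PINNED, ca_verified=False))
```

Run as a script, the impostor is rejected even though its hostname field "looks fine", which is exactly the case a glance at the CN cannot catch.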