See comments inline...

"Graham Leggett" <[EMAIL PROTECTED]> wrote on 15/10/2007 13:40:36:

> On Mon, October 15, 2007 1:51 pm, Ashley Williams wrote:
>
> > I would expect that if I have taken the decision to connect to a
> > repository for development then it would go without saying that I also
> > trust that site.
>
> You are missing the point behind SSL.

Quite possibly! Although I would have thought the issue of whether or not I trust a particular site is different from whether my Continuum installation is connecting me to the site I think it should be.

So can you give guidance as to what my action should be? Each developer has just been hitting the 'accept permanently' button in Subclipse in their own workspaces. So should we be thoroughly investigating the proposed certificate before doing this, since a glance at the certificate hostname field looks fine to me (*.ibitdev.com)? Continuum is in a DMZ and has not been reconfigured since the last build, so I am fairly certain it is connecting to the correct URL.

> Obviously you trust the site, you put it there, but how does your
> Continuum know that the site it is connecting to is the site you trust?
> Diverting Continuum to connect to something else is not very difficult to
> do at all by a third party device on the same LAN (even a switched LAN);
> it is not difficult to fool your Subversion client to try and log into a
> fake repository using the correct credentials. Having done this, the
> attacker has a known working username and password for your repo, and
> depending on how you set it up, they could either steal code or alter code
> to their advantage.
>
> (Luckily, as you run svn over https, you are not open to the risk of a
> disgruntled employee deleting the files behind your CVS repo, as happened
> at a friend's company a few weeks ago, causing much angst and grief.)
>
> Regards,
> Graham
> --
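The check Graham is describing, written out as an added example that is not part of either message in the thread: before a client records a repository certificate as trusted, it should confirm both that the certificate's name covers the host it meant to reach and that the certificate is the one the real server presents, not merely one that carries the same name. The certificate dictionaries below follow the shape Python's `ssl.SSLSocket.getpeercert()` returns, but they, the stand-in DER bytes, and the pinned fingerprint are all constructed for this example; the names `verify_peer`, `hostname_matches` and `fingerprint_sha256` are hypothetical helpers, not anything Subclipse or Continuum exposes.

```python
"""Added example (not from the thread): what a client should check before
'accepting permanently' an svn-over-https server certificate.

Certificate dicts mimic ssl.SSLSocket.getpeercert(); the DER byte strings
are constructed placeholders standing in for the real DER encoding that
getpeercert(binary_form=True) would return.
"""
import hashlib


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125-style wildcard matching: '*' may only be the entire leftmost
    label and never spans a dot, so '*.ibitdev.com' matches 'svn.ibitdev.com'
    but not 'ibitdev.com' or 'a.b.ibitdev.com'."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels = pattern.split('.')
    h_labels = hostname.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate claims: DNS subjectAltName entries if present,
    otherwise the legacy fallback to the subject commonName."""
    sans = [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']
    if sans:
        return sans
    return [value for rdn in cert.get('subject', ())
            for kind, value in rdn if kind == 'commonName']


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any name on the certificate covers the intended hostname."""
    return any(_match_dns_name(name, hostname) for name in cert_names(cert))


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def verify_peer(cert: dict, der: bytes, hostname: str, pinned_sha256: str) -> tuple:
    """Return (ok, reason). Both checks must pass: a name that 'looks fine'
    proves nothing on its own, because any device on the path can present a
    certificate it issued itself with that same name. The pin ties the
    session to the certificate recorded out of band from the real server."""
    if not hostname_matches(cert, hostname):
        return False, 'hostname mismatch'
    if fingerprint_sha256(der) != pinned_sha256.lower():
        return False, 'fingerprint does not match the recorded repository certificate'
    return True, 'ok'


# Constructed sample data (not real certificates).
GOOD_DER = b'constructed-der-for-the-real-svn-server'
GOOD_CERT = {'subject': ((('commonName', '*.ibitdev.com'),),),
             'subjectAltName': (('DNS', '*.ibitdev.com'),)}
# Assumption: the fingerprint was recorded once, out of band, from the real server.
PINNED_SHA256 = fingerprint_sha256(GOOD_DER)

# A certificate with the same name but produced by some other device on the LAN.
IMPOSTOR_DER = b'constructed-der-for-another-device-using-the-same-name'
IMPOSTOR_CERT = {'subject': ((('commonName', '*.ibitdev.com'),),)}

if __name__ == '__main__':
    print(verify_peer(GOOD_CERT, GOOD_DER, 'svn.ibitdev.com', PINNED_SHA256))
    # The name check alone is satisfied by the impostor; only the pin rejects it.
    print(hostname_matches(IMPOSTOR_CERT, 'svn.ibitdev.com'))
    print(verify_peer(IMPOSTOR_CERT, IMPOSTOR_DER, 'svn.ibitdev.com', PINNED_SHA256))
```

The practical reading for the thread's situation: glancing at the hostname field answers only the first question. Recording the fingerprint (or the issuing CA) of the real server's certificate once, through a channel other than the network path being checked, and comparing against it before clicking 'accept permanently' is what turns that click into an informed trust decision rather than a habit.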