[jira] Commented: (MNG-4626) Avoid cleartext passwords over http

Wed, 07 Apr 2010 15:08:51 -0700 

    [ 
http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217077#action_217077
 ] 

Paul Benedict commented on MNG-4626:
------------------------------------

Even with an encrypted password sent over HTTP, unless the encryption is time 
sensitive (nonce?), an intercept could allow its unauthorized reuse.

> Avoid cleartext passwords over http
> -----------------------------------
>
>                 Key: MNG-4626
>                 URL: http://jira.codehaus.org/browse/MNG-4626
>             Project: Maven 2 & 3
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.0-alpha-7
>            Reporter: Brendan Lawlor
>
> The current encryption scheme implemented by Maven avoids the use of 
> cleartext passwords on local files by allowing them to be encrypted locally 
> and decrypted just before the maven client requests from or deploys to a 
> central artifact repository.
> I would like to suggest that the Maven team replicate the idea adopted by 
> Artifactory, where passwords are _transmitted_ encrypted, and only decrypted 
> on the server side by the repository. Requests and deployments are made over 
> http and transmitted in the clear. Where the passwords are system passwords 
> integrated to Active Directory or similar using LDAP, this is not an option 
> even within a company's LAN. I like the idea of where Nexus and the Maven 
> development stack in general is going (I listened to Jason's seminar recently 
> and I'm keen on much of where you are going). But passwords in the clear over 
> http is a showstopper and I'm surprised you haven't already borrowed this 
> idea from the competition.
> Another irritating side effect of maven's insistence in using cleartext 
> passwords has been mentioned by a colleague of mine in MNG-4611. We currently 
> use Artifactory for EXACTLY this reason (the password encryption) and maven 
> logs loudly about the fact that the passwords are encrypted.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to