On Fri, Oct 8, 2010 at 08:09, Nico Kadel-Garcia <nka...@gmail.com> wrote:
> Also note: both the 'svn' and 'http' access send the passwords over
> the network in clear text. There are ways around this (such as SSH or
> SSL tunneling), but they're pesky to set up. Fortunately, "https"
> already has that built in.

HTTP Digest Authentication does not send the password in cleartext, it
sends an MD5 hash. Yes, the hash is sent in cleartext, but that is not
exactly the same as sending the *password* in cleartext.

If you configure your svnserve to use SASL, it can use several methods
of encryption for authentication.
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.sasl

I understand that you're very concerned with security shortcomings,
but you're leaving out important details that may make the system
appear less secure than it really can be with proper configuration.
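
An added example, not part of the original message: the qop=auth Digest computation from RFC 2617 in Python, showing what the client puts on the wire and that the server checks it using only the stored MD5(user:realm:password) value. The function names are chosen for this sketch, and the sample values are those of the worked example in RFC 2617 section 3.5.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    """What an htdigest file stores per user: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")

def response_for(ha1_hex, method, f):
    """RFC 2617 qop=auth response computed from HA1 and the request fields."""
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(":".join([ha1_hex, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))

def client_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """Build the Authorization header the client sends."""
    f = {"uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce, "qop": "auth"}
    resp = response_for(ha1(user, realm, password), method, f)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def parse_header(header):
    """Split a Digest Authorization header into a dict of its fields."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)
    return {key: quoted or bare for key, quoted, bare in pairs}

def server_verify(header, method, stored_ha1, expected_nonce):
    """Server side: recompute from the stored HA1, never from the password."""
    f = parse_header(header)
    if f.get("nonce") != expected_nonce:  # nonce the server did not issue
        return False
    try:
        expected = response_for(stored_ha1, method, f)
    except KeyError:  # a required field is missing from the header
        return False
    return hmac.compare_digest(expected, f.get("response", ""))

# Sample values: the worked example in RFC 2617 section 3.5
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
HEADER = client_header(USER, REALM, PASSWORD, "GET", "/dir/index.html",
                       NONCE, "00000001", "0a4f113b")

if __name__ == "__main__":
    print(HEADER)
    print("password on the wire:", PASSWORD in HEADER)
    print("server accepts:", server_verify(HEADER, "GET", ha1(USER, REALM, PASSWORD), NONCE))
```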
