Oh, so THAT’s why SSL is the default for SVN…
It appears as though I made a rather bone-headed mistake when configuring Subversion at work a few weeks ago.
Since we were not exposing our SVN server externally and decided that sending our code files in plain text across our internal network did not represent a significant security risk, we opted to not use SSL as a way to optimize performance.
I’m not sure why I assumed that the actual credentials would be encrypted even though I knew the content would not be.
Perhaps it was because we were using the Windows authentication security scheme in SVN. Maybe it was because I actually opened up the svn.simple file in the Subversion app data cache on my local machine and saw that my TortoiseSVN credentials were saved in an encrypted form on disk when using the ‘save credentials’ checkbox.
Whatever the reason, it was a very bad assumption.
Here is a screen shot from Wireshark, my favorite packet sniffer. The blurred out part under authentication was my Windows password in clear text. Oops…

Luckily, it was an easy matter to correct.
On the server side, I simply had to check a box on the property tab of VisualSVN to turn SSL back on. On the client side, I had to have everyone run an svn switch command with the --relocate option to change their working directories to use the new URL.
So what was the lesson learned?
Next time I make a mistake like this, I will use Wireshark to gather all of the passwords of my fellow developers before I switch to the more secure option. Dumb…dumb…dumb…
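An audit check for exactly the leak described above, added here as an example and not part of the original post: it scans reassembled HTTP request streams (the kind Wireshark's "Follow TCP Stream" shows) for SVN/WebDAV requests that carry a Basic Authorization header on a non-TLS port, and reports the user name with only the length of the password. The sample streams, host name and port list are constructed for the example.

```python
import base64
from dataclasses import dataclass

# Constructed sample streams: (server port, reassembled request bytes), roughly
# what an SVN client speaking WebDAV over plain HTTP puts on the wire. The Basic
# header is base64, which is encoding, not encryption, so the password is readable.
SAMPLE_STREAMS = [
    (80, b"PROPFIND /svn/app/trunk HTTP/1.1\r\nHost: svn.internal.example\r\n"
         b"Authorization: Basic ZGV2dXNlcjpzZWNyZXQ=\r\nDepth: 0\r\n\r\n"),
    (80, b"OPTIONS /svn/app HTTP/1.1\r\nHost: svn.internal.example\r\n\r\n"),
    (8080, b"GET /svn/app/trunk/README HTTP/1.1\r\nHost: svn.internal.example\r\n"
           b"Authorization: Bearer not-a-basic-token\r\n\r\n"),
]

# Assumption: traffic on these ports is TLS-wrapped and would not reassemble to readable HTTP.
TLS_PORTS = {443, 8443}


@dataclass
class Finding:
    port: int
    host: str
    request_line: str
    username: str
    password_len: int  # length only; the secret itself is never written to the report


def _header(lines, name):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name:
            return value.strip()
    return None


def find_plaintext_basic_auth(streams):
    """Return a Finding for every request on a non-TLS port that carries Basic credentials."""
    findings = []
    for port, raw in streams:
        if port in TLS_PORTS:
            continue
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        auth = _header(lines, "authorization")
        if not auth or not auth.lower().startswith("basic "):
            continue
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed header; not a leak we can confirm
        findings.append(Finding(port, _header(lines, "host") or "?", lines[0], user, len(pw)))
    return findings
```

Running it over the constructed streams flags only the PROPFIND on port 80; the same request on port 443 is skipped because it could only have been read after TLS termination.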
Comments (4)


[...] Read more: Oh, so THAT’s why SSL is the default for SVN… | Caffeinated Coder [...]
I would have assumed the same thing and if you had an employee that was going to be malicious, he/she could have easily gotten passwords to the development team. Btw, the screenshot is a hyperlink to your local machine
@Mike – Thanks for the heads-up about the screenshot. I was having trouble with Windows Live Writer, so I had to do a quick copy-paste effort through the WordPress web interface and somehow missed that.
Sweet dude, thanks for the passwords… IaMaH4X0r