[Ffmpeg-devel] SVN challenge response authentication weaknesses

[Ivan Kalvachev]

You are all making fun on Michael's concerns, but they are actually
quite serious.

CRAM-MD5 is 9 years old technique. Actually it doesn't matter how
strong your password is. The MD5 could be cracked in reasonable time,
as MD5 bruteforcers and processor power are quite common these days.

It is trivial for a sniffer to get both incoming and outgoing traffic.
Knowing the salt and cracking the transmited MD5 hash you get the
password. (using hash of a hash may slowdown twice the bruteforce but
it is still reasonable time).

You would not put your MD5 password hash in all-readable /etc/passwd
but you find it perfectly normal to send it over Internet??? And then
bitch about weak and strong passwords? And also don't forget that
CRAM-MD5 doesn't allow server authentication...

The absence of strong cryptography protection for the svnserve is huge
drawback. Today when RSA cryptography is widely deployed it is insane
to use so weak hashing. I have no idea why svn authors haven't
provided ssl/tls solution yet.


P.S.
There seems to be work on the way
http://svn.collab.net/repos/svn/branches/svnserve-ssl/
I guess it is not prime-time ready.

How about using VPN until then?