[Ffmpeg-devel] SVN challenge response authentication weaknesses

Attila Kinali
Sun May 28 23:08:14 CEST 2006

On Sun, 28 May 2006 23:34:40 +0300
"Ivan Kalvachev" <ikalvachev at gmail.com> wrote:

> You are all making fun on Michael's concerns, but they are actually
> quite serious.

I don't think anyone made fun of Michael. We are aware of the
security risks (especially after he reminded us), but we are also
aware that not everything is very likely to happen.

> CRAM-MD5 is a 9-year-old technique. Actually it doesn't matter how
> strong your password is. The MD5 could be cracked in reasonable time,
> as MD5 bruteforcers and processor power are quite common these days.

Yes and no. It's currently enough. It may not be enough in a few years.

> It is trivial for a sniffer to get both incoming and outgoing traffic.

It's far from being trivial. As I said in another mail, you have
to sit at a transit ISP for that. Or be using a wireless network.

> Knowing the salt and cracking the transmitted MD5 hash you get the
> password. (Using a hash of a hash may slow the brute force down by a
> factor of two, but it is still reasonable time.)

What is reasonable for you? It'll still take months to crack
a password, if you have enough CPU power (given that the passwords
are not weak). This is not something an average script kiddy would do.
If someone is really determined to harm us, then he'll have
a lot of other points to get in that are even weaker than the svn
passwords and far less noticeable.

> You would not put your MD5 password hash in all-readable /etc/passwd
> but you find it perfectly normal to send it over Internet??? And then
> bitch about weak and strong passwords? And also don't forget that
> CRAM-MD5 doesn't allow server authentication...

Valid point.

> The absence of strong cryptographic protection for svnserve is a huge
> drawback. Today, when RSA cryptography is widely deployed, it is insane
> to use such weak hashing. I have no idea why the svn authors haven't
> provided an ssl/tls solution yet.

Send patch.

> How about using VPN until then?

Only if you do it.
I wonder whether you have been away the last week or so.
Or whether you are just blind. We have been very busy just to
get the necessary things working. Very few people tried to help us
out although Diego asked for it.
I've spent the better part of last week just fiddling with
the mail server to get the mailing lists to a usable state.
Now do the math! If it takes a person about one week
to get something as simple as mail working, how long will it
take to get something as complex as a large-scale VPN system?

I'm really sick of reading good advice about what we could do
to improve security or availability or whatnot. Most of
these would be really nice, yes. But we have our hands
already full with the stuff we have to do just to get
basic functionality. We do not have the time to implement
complex systems or something that needs permanent maintenance.
I have a personal todo list of 10 items that need to be
done within the next week, just to keep natsuki working in a good
state. I have no idea whether I am able to get through everything
or not.

So, please, either keep your requests reasonable or help us to
get there.

			Attila Kinali
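The attack the two mails argue about, as an added example that is not part of this thread and not svnserve's own code: a CRAM-MD5 exchange (RFC 2195, HMAC-MD5 keyed with the shared password over the server's challenge) followed by the offline guessing an observer can do once they have one challenge/response pair. The username, password, challenge string and wordlist are constructed for the demo; the code implements the generic RFC 2195 scheme and assumes svnserve's CRAM-MD5 behaves the same way, without reproducing its exact wire framing.

```python
import hashlib
import hmac
import itertools

# Constructed sample exchange (not captured traffic). The challenge mirrors
# the RFC 2195 msg-id style; the username and password are invented.
USERNAME = "committer"
PASSWORD = "hunter2"
CHALLENGE = b"<1148850000.12345@svn.example.org>"


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the shared password over
    the server's challenge, hex-encoded and prefixed with the username."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side. To recompute the HMAC the server must keep the password
    (or HMAC-equivalent key material) in recoverable form, not a slow hash."""
    _, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def offline_crack(challenge: bytes, response: str, candidates):
    """Attacker who sniffed one challenge/response pair, or who ran a rogue
    server (CRAM-MD5 never authenticates the server to the client), tests
    guesses with no further network traffic: one HMAC-MD5 per guess."""
    _, _, digest = response.partition(" ")
    for guess in candidates:
        attempt = hmac.new(guess.encode("utf-8"), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(attempt, digest):
            return guess
    return None


def mask_crack(challenge: bytes, response: str, alphabet: str, length: int):
    """Exhaustive search over a fixed-length keyspace; cost is len(alphabet)**length
    HMAC-MD5 computations, which is the only thing password strength buys."""
    guesses = ("".join(t) for t in itertools.product(alphabet, repeat=length))
    return offline_crack(challenge, response, guesses)


RESPONSE = cram_md5_response(USERNAME, PASSWORD, CHALLENGE)

# Constructed wordlist standing in for a real one.
WORDLIST = ["password", "svn", "ffmpeg", "letmein", "hunter2", "qwerty"]


if __name__ == "__main__":
    print("S: + " + CHALLENGE.decode())
    print("C: " + RESPONSE)
    print("server accepts:", server_verify(PASSWORD, CHALLENGE, RESPONSE))
    print("recovered from sniffed pair:", offline_crack(CHALLENGE, RESPONSE, WORDLIST))
```

Running it shows the three points both sides are circling: a single observed pair is enough for an unlimited offline attack, the server must store the password in a form usable as an HMAC key, and nothing in the exchange tells the client it is talking to the real server. Whether the search finishes in seconds or months is entirely a function of the keyspace, which is why the answer above hinges on "given that the passwords are not weak".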

