[Ffmpeg-devel] SVN challenge response authentication weaknesses
Michael Niedermayer
michaelni
Sat May 27 12:57:35 CEST 2006
Hi
First, this is not intended as critique against how things are setup but
rather as a list of possible issues with svns challenge response auth
with the intent to 1. confirm i/we understand the issues and 2. can take
precautions to avoid some possible sideeffects ...
description of the challenge response auth
1. server send random salt to client
2. client takes random salt + password computes checksum of it and send that
to the server
3. server takes random salt + password computes checksum of it and compares it
1. passwords are stored in plaintext on the server this means everyone
who has root or can get his hands on the servers harddisk knows your password
-> dont reuse any important password
2. someone who can listen to network traffic can get salt + md5 pairs
with which he can perform a offline bruteforce attack (never use weak
passwords)
3. someone who can listen to network traffic and can inject packets
can hijack your connection and possibly inject some changes iam not
sure how easy this is in practice the problem is the connection will
get reset unless the client is kept from participating (by DOS or so)
4. someone who can listen and modify network traffic will trivially
be able to do anything he wants after authentication
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
In the past you could go to a library and read, borrow or copy any book
Today you'd get arrested for mere telling someone where the library is
More information about the ffmpeg-devel
mailing list