RE: CVS Security Issues

[Greg A. Woods]

[ On Friday, December 19, 2003 at 11:18:57 (-0500), Jim.Hyslop wrote: ]
> Subject: RE: CVS Security Issues
>
> Why is this level of security so important? Exactly what are the security
> attacks you're concerned with?

Exactly the kind which necessesitated this recent "<strong>(security
update)</strong>" release.

> Well, clearly pserver is not secure because the password is sent effectively
> in plain text, allowing anyone with a packet sniffer to retrieve CVS
> passwords. That's a big no-no on the security level. But this is
> well-documented in the Cederqvist - as I recall, it says something along the
> lines of "if you want real security, don't use pserver."

Meanwhile people the world over continut to mis-use pserver.

It's been proven time and time again that we can't stomp out ignorance
about digital security by documentation alone.

However we can remove features that are 100,000% guaranteed insecure and
force people to either think a little more to gain the insecurity they
desire, or at maybe at least to get them to follow the herd over to
using some more secure digital security mechanism that's widely
available and easy to use.

> So, where am I deluding myself?

If you have any use whatsoever for something like CVS then clearly you
_must_ also have some need for at least minimal security, whether you
realize it or not.  There's no point to recording revision information
if anybody can muck with it and there is no accountability whatsoever
amongst your users.  I.e. if you use pserver for anything more than
totally anonymous access then you really have no security, none, zip,
zilch, zero, nada, not one bit of security whatsoever.  If you don't see
the conflict here then clearly you are deluding yourself!  ;-)

> > I.e. please do not pretend you can gain anything by pretending to make
> > the CVSROOT/passwd file harder to mess with.
> 
> That's a good point - as Bruce Schneier, author of "Applied Cryptography"
> and a computer security expert, is fond of saying: Security is only as good
> as its weakest link. For pserver, access to the passwd file is not the
> weakest link by any means. Moving the file to a different location will not
> significantly improve its inherent insecurity.

Worse.  It will cause people to have an increased level of _false_
security.

BTW, for this discussion Schneier's book "Serets & Lies:  Digital
Security in a Networked World" is much more apropos.  :-)

-- 
                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>