[Zope-Coders] cvs vulnerability
seb bacon
seb@jamkit.com
Mon, 1 Oct 2001 12:20:52 +0100
It occurred to me that there's a weak point in the security for CVS
committers: we deposit our keys TTW over SSL, using our normal zope.org
password, which also gets used elsewhere, unencrypted. What's more,
my zope.org password has about 1 bit of entropy, and several of my
colleagues know it; my ssl passphrase, on the other hand, is very
secure. (I think ;-)
Perhaps you should only be able to deposit a key once TTW, and
subsequently must do so using ssh?
seb