Integrated Authentication

If you are having a problem using Vault, post a message here.

Moderator: SourceGear

Post Reply
Posts: 56
Joined: Mon Jan 10, 2005 4:34 pm
Location: Bellingham WA

Integrated Authentication

Post by nemoby » Fri Mar 31, 2006 4:53 pm

I am using Vault for a project that I would like to be able to access from multiple locations over the internet. Can I securely do this without using SSL and without using a VPN?

Not talking about encrypting the wire; if someone wants to watch my code, checkins and checkouts fly over the wire then they should fine a better source.....

but I just want to protect my user name and password so Clear Text is out? Does vault encrypt the authentication of its web service?

what would the best practice be here without going crazy?


Posts: 3660
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear

Post by jclausius » Fri Mar 31, 2006 8:33 pm

To answer your first question - No. It cannot be done securely. Security is a strategy we've tried to implement directly into the API. When we use this phrase, we mean ALL communications between client and server.

Now, if all your concerned about is plain passwords, there would be no change required. Vault's authentication is done through a web service, and the passwords have been symmetrically encrypted.

Also, since the Vault web server is based in ASP.Net, you could also use web.config's authorization to protect some of the web service. However, I'd like to point out, if you're not using SSL, you yourself open to "man in the middle" type attacks.
Jeff Clausius

Post Reply