I am using Vault for a project that I would like to be able to access from multiple locations over the internet. Can I securely do this without using SSL and without using a VPN?
Not talking about encrypting the wire; if someone wants to watch my code, checkins and checkouts fly over the wire then they should fine a better source.....
but I just want to protect my user name and password so Clear Text is out? Does vault encrypt the authentication of its web service?
what would the best practice be here without going crazy?
thanks,
Integrated Authentication
Moderator: SourceGear
To answer your first question - No. It cannot be done securely. Security is a strategy we've tried to implement directly into the API. When we use this phrase, we mean ALL communications between client and server.
Now, if all your concerned about is plain passwords, there would be no change required. Vault's authentication is done through a web service, and the passwords have been symmetrically encrypted.
Also, since the Vault web server is based in ASP.Net, you could also use web.config's authorization to protect some of the web service. However, I'd like to point out, if you're not using SSL, you yourself open to "man in the middle" type attacks.
Now, if all your concerned about is plain passwords, there would be no change required. Vault's authentication is done through a web service, and the passwords have been symmetrically encrypted.
Also, since the Vault web server is based in ASP.Net, you could also use web.config's authorization to protect some of the web service. However, I'd like to point out, if you're not using SSL, you yourself open to "man in the middle" type attacks.
Jeff Clausius
SourceGear
SourceGear