"hg archive" with remote URL

Kastner Masilko, Friedrich kastner-masilko at at.festo.com
Fri Aug 9 17:20:14 UTC 2013


> From: Mutlu Dogruel [mailto:mutludogruel at gmail.com]
> 
> Hiding the password is a good practice but eventually if you use this
> basic authentication, wget still sends the password in plain. In
> practice, there is no difference between supplying your password on the
> URL or wget reading it and sending it along the URL, apart from the
> fact that the command line history will not have any line with your
> password. Thus, you need to encrypt the password sent, otherwise any
> person sniffing your network will get hold of it. The solution is to
> use a "digest access authentication" which is theoretically supported
> both by wget and curl. However, apparently wget has a bug with its
> digest auth implementation, so Bitbucket people are recommending curl:
> 
> https://bitbucket.org/site/master/issue/3225/commanline-download-compressed-tip

This is not true. If you use wget with basic authentication over HTTPS, it will not send the user and password in plain text over the wire. It will first establish the SSL link, and then use this encrypted channel to send the HTTP request with the basic authentication in it. A sniffer on the network between you and the BB server will just see the encrypted data, not the plain text password.

This is just the way SSL works, but I additionally verified this here with tcpdump.

Regards,
Fritz



Development Software Systems
Festo Gesellschaft m.b.H.
Linzer Strasse 227
Austria - 1140 Wien

Firmenbuch Wien
FN 38435y
UID: ATU14650108

Tel: +43(1)91075-198
Fax: +43(1)91075-282
www.festo.at
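
Added example, not part of the original message or of wget/curl: a Python sketch of the point discussed in this thread. A Basic `Authorization` header is only base64-encoded, so its confidentiality depends entirely on the request being carried inside TLS. The host name, path, helper names and credentials are constructed for illustration; the guard in `build_request` is one possible client-side policy, assumed here.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617: 'Basic ' + base64(user:password). This is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(url: str, user: str, password: str) -> bytes:
    """Build the HTTP/1.1 request bytes; refuse to attach Basic auth to a non-TLS URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Basic auth refused: URL scheme is not https")
    lines = [
        f"GET {parts.path or '/'} HTTP/1.1",
        f"Host: {parts.hostname}",
        f"Authorization: {basic_auth_header(user, password)}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def credentials_in(request: bytes):
    """What anyone holding the cleartext request bytes can read back out of them."""
    for line in request.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() == b"basic":
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            return user, password
    return None


if __name__ == "__main__":
    # Constructed sample: these bytes are what the client hands to the TLS layer.
    # Over HTTPS an on-path observer sees only TLS records, never these bytes.
    req = build_request("https://bitbucket.example/get/tip.zip", "Aladdin", "open sesame")
    print(req.decode("ascii"))
    print("recoverable from cleartext:", credentials_in(req))
```
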




