Security Warning: Watch out using CVS at JavaOne

Very nearly got bit by this one today. I wanted to show someone the DWR code at JavaOne, so I flipped up the lid on my laptop and was just about to double-click on a Java class when it occurred to me that doing so would probably be telling someone my password.

Whenever you open a file in a CVS project using Eclipse, it checks CVS to see what you have changed compared to the CVS version (the same goes for IntelliJ as well, I think). Since java.net advises you to use pserver for CVS access, this means your password will be broadcast in clear text over wifi to 15,000 developers at JavaOne.

How many of those 15,000 developers will be snooping on the network do you think? Anyone want to bet their password on 0?

The good news is that there is a solution, the shame is that java.net don't publicize it more.

I pointed it out to the java.net people, who said, roughly speaking, "there is a special 'tunnel' ssh user that can fix the issue". (The lady I was speaking to even spoke in HTML - very impressive!)

It's a bit of a shame that java.net don't publicize this one more, but apparently it has something to do with the 'tunnel' user being a Sun enhancement, and the website descriptions are provided by Collab.net.
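
Before opening an IDE on a shared network, it helps to know which checkouts will talk pserver. The script below is an added example, not part of the original post: it reads the `CVS/Root` file that CVS keeps in every checked-out directory and lists the ones whose CVSROOT uses the pserver method. The user, host and project names in the sample workspace are constructed.

```shell
#!/bin/sh
# Added example: find CVS checkouts that would authenticate over pserver.
# Each checkout directory has a CVS/Root file holding its CVSROOT string.

# Print the access method of a CVSROOT string.
cvs_root_method() {
    case "$1" in
        :*:*) m=${1#:}; m=${m%%:*}; printf '%s\n' "${m%%;*}" ;;  # :method[;opts]:...
        /*)   printf 'local\n' ;;    # bare path
        *:*)  printf 'ext\n' ;;      # [user@]host:/path, no method given
        *)    printf 'unknown\n' ;;
    esac
}

# Print "<checkout dir><TAB><CVSROOT>" for every pserver checkout under $1.
find_pserver_checkouts() {
    find "$1" -type f -path '*/CVS/Root' 2>/dev/null | sort |
    while IFS= read -r f; do
        root=
        # Keep a first line that lacks a trailing newline; skip empty files.
        IFS= read -r root < "$f" || [ -n "$root" ] || continue
        if [ "$(cvs_root_method "$root")" = pserver ]; then
            printf '%s\t%s\n' "${f%/CVS/Root}" "$root"
        fi
    done
}

# Constructed sample workspace (hypothetical user, host and project names).
make_sample_workspace() {
    ws=$(mktemp -d) || return 1
    mkdir -p "$ws/dwr/CVS" "$ws/dwr/src/CVS" "$ws/other/CVS" "$ws/local/CVS"
    echo ':pserver:alice@cvs.example.org:/cvs' > "$ws/dwr/CVS/Root"
    echo ':pserver:alice@cvs.example.org:/cvs' > "$ws/dwr/src/CVS/Root"
    echo ':ext:alice@cvs.example.org:/cvs'     > "$ws/other/CVS/Root"
    echo '/var/cvsroot'                         > "$ws/local/CVS/Root"
    printf '%s\n' "$ws"
}

# Usage: sh script.sh ~/workspace
if [ $# -gt 0 ]; then find_pserver_checkouts "$1"; fi
```

Any directory it prints belongs to a project that will send the pserver login as soon as the IDE refreshes its CVS state.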
