On 13/04/16 12:37, Andreas Schwab wrote:
Thomas Biege <thomas@suse.de> writes:
Well I assume that at least the credentials and the source code is transferred in plaintext and can be manipulated on the fly or captured.
The API always uses TLS, only certificate verification can be skipped.
So it needs an active man in the middle attack or just redirect traffic via DHCP/DNS etc. -- Viele Grüße / Best regards Thomas -- Thomas Biege <thomas@suse.de>, Team Lead MaintenanceSecurity, CSSLP https://www.suse.com/security SUSE Linux GmbH, GF: Felix Imendoerffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org