[Clo-devel] HTTPS

Erik Huelsmann ehuels at gmail.com
Wed Jan 28 11:55:46 UTC 2015


Hi Frank,

On Wed, Jan 28, 2015 at 10:11 AM, Frank <fau at riseup.net> wrote:

> Hello,
>
> First I'm not an expert in the following matter so please correct me if
> I'm wrong here! But my concern is that without HTTPS enabled for git a
> man in the middle attack would be possible.
>
> As far as I understand cloning a git repo is atm only possible via
> standard git protocol (e.g. git clone
> git://common-lisp.net/projects/alexandria/alexandria.git) and I believe
> the git protocol is not secured.  See
> https://gist.github.com/grawity/4392747.
>
> What is the greatest software in the world good for if you can't distribute
> it securely?
>

Unfortunately, MITM is also possible for SSL and SSH (
http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Implementations lists
publicly available implementations to execute them!).

To mitigate the attack, basically the only option listed at
http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Defenses_against_the_attack
that's available to us hasn't been implemented (yet) by most large parties
either (definitely not GitHub or Google): it's the roll-out of DNSSEC.

Well, let's start with just implementing SSL certs to improve the situation.
Then, from there, we can work to implement the rest. I'm mainly writing
that the attack exists so that you're very careful when you trust the
"green lock" when dealing with your bank's internet access methods.

-- 
Bye,

Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
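An added example (not code from the clo-devel list or from common-lisp.net) that audits a repository's remotes for the unauthenticated transports discussed above, git:// and plain http://, and proposes the https:// equivalent together with git's `url.<base>.insteadOf` rewrite rule. It assumes the hosts in question actually serve the repositories over HTTPS; the .git/config text is constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Transports with no server authentication at all (git://, http://).  ssh:// and
# https:// do authenticate the server, though, as the mail notes, only as far as
# the host key or certificate chain can be trusted.
UNAUTHENTICATED_SCHEMES = {"git", "http"}

# Constructed .git/config in git's INI-like layout (not a real repository).
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = git://common-lisp.net/projects/alexandria/alexandria.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://example.invalid/alexandria.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
"""

HEADER_RE = re.compile(r'^\s*\[')
REMOTE_RE = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

def parse_remotes(config_text):
    """Return {remote name: url} from git-config text; other sections are skipped."""
    remotes, current = {}, None
    for line in config_text.splitlines():
        if HEADER_RE.match(line):
            m = REMOTE_RE.match(line)
            current = m.group(1) if m else None   # None => not a [remote "..."] section
            continue
        m = KEY_RE.match(line)
        if current and m and m.group(1).lower() == "url":
            remotes[current] = m.group(2)
    return remotes

def audit_remotes(config_text):
    """Return (name, url, https_url) for each remote on an unauthenticated transport.
    scp-style ssh remotes (user@host:path) carry no URL scheme and are left alone."""
    findings = []
    for name, url in parse_remotes(config_text).items():
        parts = urlsplit(url)
        if parts.scheme.lower() in UNAUTHENTICATED_SCHEMES:
            findings.append((name, url, urlunsplit(("https",) + tuple(parts[1:]))))
    return findings

def instead_of_rule(url):
    """git config command that rewrites this host's insecure prefix to https:// for future clones/fetches."""
    parts = urlsplit(url)
    return f'git config --global url."https://{parts.netloc}/".insteadOf "{parts.scheme}://{parts.netloc}/"'
```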