fau at riseup.net
Wed Jan 28 19:22:46 UTC 2015
On Wed, 2015-01-28 at 12:55 +0100, Erik Huelsmann wrote:
> Hi Frank,
> On Wed, Jan 28, 2015 at 10:11 AM, Frank <fau at riseup.net> wrote:
> > Hello,
> > First I'm not an expert in the following matter so please correct me if
> > I'm wrong here! But my concern is that without HTTPS enabled for git a
> > man in the middle attack would be possible.
> > As far as I understand cloning a git repo is atm only possible via
> > standard git protocol (e.g. git clone
> > git://common-lisp.net/projects/alexandria/alexandria.git) and I believe
> > the git protocol is not secured. See
> > https://gist.github.com/grawity/4392747.
> > What is the greatest software in world good for if you can't distribute
> > it securely?
> Unfortunately, MITM is also possible for SSL and SSH (
> http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Implementations lists
> publicly available implementations to execute them!).
> To mitigate the attack, basically the only option listed at
> that's available to us, hasn't been implemented (yet) by most large parties
> either (definitely not GitHub or Google): it's the roll-out of DNSSEC.
> Well, lets start with just implementing SSL certs to improve the situation.
> Then, from there, we can work to implement the rest.
Thanks, sounds like a good start.
> I'm mainly writing
> that the attack exists so that you're very careful when you trust the
> "green lock" when dealing with your bank's internet access methods.
More information about the clo-devel