Hi Frank,
On Wed, Jan 28, 2015 at 10:11 AM, Frank <fau@riseup.net> wrote:
Hello,
First, I'm not an expert in the following matter, so please correct me if I'm wrong here! But my concern is that without HTTPS enabled for git, a man-in-the-middle attack would be possible.
As far as I understand, cloning a git repo is at the moment only possible via the standard git protocol (e.g. git clone git://common-lisp.net/projects/alexandria/alexandria.git), and I believe the git protocol is not secured. See https://gist.github.com/grawity/4392747.
What is the greatest software in the world good for if you can't distribute it securely?
Unfortunately, MITM is also possible for SSL and SSH (http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Implementations lists publicly available implementations to execute them!).
To mitigate the attack, basically the only option listed at http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Defenses_against_the_a... that's available to us hasn't been implemented (yet) by most large parties either (definitely not GitHub or Google): the roll-out of DNSSEC.
Well, let's start with just implementing SSL certs to improve the situation. Then, from there, we can work to implement the rest. I'm mainly writing that the attack exists so that you're very careful when you trust the "green lock" when dealing with your bank's internet access methods.
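As an added example (not part of this thread, and not the project's own code): a small Python audit script that parses a .git/config and flags the remotes an on-path attacker could tamper with, i.e. git:// or http:// URLs as discussed above, plus HTTPS remotes where http.sslVerify has been switched off. The config text and host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample .git/config (not from the thread): "origin" uses the
# unauthenticated git:// transport, "mirror" is HTTPS without cert checks.
SAMPLE_GIT_CONFIG = """
[remote "origin"]
\turl = git://common-lisp.net/projects/alexandria/alexandria.git
[remote "mirror"]
\turl = https://example.org/alexandria.git
[http "https://example.org"]
\tsslVerify = false
[remote "dev"]
\turl = git@example.org:alexandria.git
"""

SECTION = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
SCP_LIKE = re.compile(r"^[^/@:]+@[^/:]+:")  # user@host:path means SSH
UNAUTHENTICATED = {"git", "http", "ftp"}     # server identity is never checked

def parse_git_config(text):
    # Minimal git-config parser -> {(section, subsection): {key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := SECTION.match(line):
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()  # git keys are case-insensitive
    return sections

def transport_of(url):
    # Scheme git will use for a remote URL; scp-like syntax implies ssh
    return "ssh" if SCP_LIKE.match(url) else (urlsplit(url).scheme or "file")

def audit_git_config(text):
    # Return (remote, transport, problem) for remotes a MITM could tamper with
    sections = parse_git_config(text)
    # URL prefixes (or "" for a global [http] section) with sslVerify = false
    unverified = [name or "" for (kind, name), o in sections.items()
                  if kind == "http" and o.get("sslverify", "").lower() == "false"]
    findings = []
    for (kind, name), opts in sections.items():
        if kind != "remote" or "url" not in opts:
            continue
        url, scheme = opts["url"], transport_of(opts["url"])
        if scheme in UNAUTHENTICATED:
            findings.append((name, scheme, "transport does not authenticate the server"))
        elif scheme == "https" and any(url.startswith(p) for p in unverified):
            findings.append((name, scheme, "http.sslVerify is false"))
    return findings
```

Running audit_git_config on a real repository's .git/config (or the global ~/.gitconfig for the [http] sections) gives the list of remotes to switch to https:// or ssh before trusting what they serve.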