Hi Frank,

On Wed, Jan 28, 2015 at 10:11 AM, Frank <fau@riseup.net> wrote:
> Hello,
>
> First, I'm not an expert in the following matter, so please correct me if
> I'm wrong here! But my concern is that without HTTPS enabled for git a
> man-in-the-middle attack would be possible.
>
> As far as I understand, cloning a git repo is atm only possible via the
> standard git protocol (e.g. git clone
> git://common-lisp.net/projects/alexandria/alexandria.git) and I believe
> the git protocol is not secured. See
> https://gist.github.com/grawity/4392747.
>
> What is the greatest software in the world good for if you can't distribute
> it securely?

Unfortunately, MITM is also possible for SSL and SSH (http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Implementations lists publicly available implementations to execute them!).

To mitigate the attack, basically the only option listed at http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Defenses_against_the_attack that's available to us hasn't been implemented (yet) by most large parties either (definitely not GitHub or Google): it's the roll-out of DNSSEC.

Well, let's start with just implementing SSL certs to improve the situation. Then, from there, we can work to implement the rest. I'm mainly writing that the attack exists so that you're very careful when you trust the "green lock" when dealing with your bank's internet access methods.

--
Bye,

Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.
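The transport concern Frank raises above (git:// and plain http:// give no server authentication, https:// and ssh do) can be checked mechanically. The following is an added example, not code from the thread or from common-lisp.net: a POSIX shell audit that reads a git config file, lists every remote with its transport class, counts the unauthenticated ones, and prints (without executing) the `url.<base>.insteadOf` rewrite that makes git use https:// wherever a git:// URL for that host is configured. The sample config it runs on is constructed for the demo; only POSIX sh, awk and grep are assumed.

```shell
#!/bin/sh
# Added example (not from the list thread): audit the remotes in a git
# config file and flag transports that do not authenticate the server.
# Assumes POSIX sh with awk and grep; the config path is supplied by the caller.

# Classify one git remote URL by transport.
# Prints one of: unauthenticated, authenticated, local, unknown
git_transport_class() {
    case "$1" in
        git://*|http://*|ftp://*)                    echo unauthenticated ;;
        https://*|ssh://*|git+ssh://*|ssh+git://*)    echo authenticated ;;
        file://*|/*|./*|../*)                         echo local ;;
        *@*:*)                                        echo authenticated ;;  # scp-like: user@host:path
        *)                                            echo unknown ;;
    esac
}

# Print "<remote>TAB<class>TAB<url>" for every url under a [remote "..."] section.
audit_git_config() {
    awk '
        /^[[:space:]]*\[remote "/ { name = $0; sub(/.*\[remote "/, "", name); sub(/".*/, "", name); next }
        /^[[:space:]]*\[/          { name = ""; next }
        name != "" && /^[[:space:]]*url[[:space:]]*=/ {
            url = $0; sub(/^[^=]*=[[:space:]]*/, "", url); print name "\t" url
        }
    ' "$1" | while IFS="$(printf '\t')" read -r name url; do
        printf '%s\t%s\t%s\n' "$name" "$(git_transport_class "$url")" "$url"
    done
}

# Number of remotes whose transport gives no server authentication.
count_unauthenticated() {
    audit_git_config "$1" | awk -F '\t' '$2 == "unauthenticated"' | wc -l | tr -d ' '
}

# Print the git config command that rewrites a host's git:// base URL to https://.
# Printed rather than executed so the operator can review it first.
insteadof_rewrite_cmd() {
    host="${1#git://}"; host="${host%%/*}"
    printf 'git config --global url."https://%s/".insteadOf "git://%s/"\n' "$host" "$host"
}

# Constructed sample config (not taken from any real checkout) for a stand-alone run.
sample_config() {
    cat <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = git://common-lisp.net/projects/alexandria/alexandria.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = https://common-lisp.net/projects/alexandria/alexandria.git
[remote "backup"]
    url = git@example.invalid:alexandria.git
EOF
}

run_demo() {
    tmp=$(mktemp); sample_config > "$tmp"
    audit_git_config "$tmp"
    echo "unauthenticated remotes: $(count_unauthenticated "$tmp")"
    audit_git_config "$tmp" | awk -F '\t' '$2 == "unauthenticated" { print $3 }' |
        while read -r u; do insteadof_rewrite_cmd "$u"; done
    rm -f "$tmp"
}

run_demo
```

Point it at a real checkout with `audit_git_config path/to/repo/.git/config`. Note that the transport class only says whether the server is authenticated during transfer; as Erik's reply points out, the SSL and SSH authentication steps themselves can be attacked, so an https:// result is necessary rather than sufficient.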