On Wed, 2015-01-28 at 12:55 +0100, Erik Huelsmann wrote:
Hi Frank,
On Wed, Jan 28, 2015 at 10:11 AM, Frank fau@riseup.net wrote:
Hello,
First I'm not an expert in the following matter so please correct me if I'm wrong here! But my concern is that without HTTPS enabled for git a man in the middle attack would be possible.
As far as I understand cloning a git repo is atm only possible via standard git protocol (e.g. git clone git://common-lisp.net/projects/alexandria/alexandria.git) and I believe the git protocol is not secured. See https://gist.github.com/grawity/4392747.
What is the greatest software in world good for if you can't distribute it securely?
Unfortunately, MITM is also possible for SSL and SSH ( http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Implementations lists publicly available implementations to execute them!).
To mitigate the attack, basically the only option listed at http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Defenses_against_the_a... that's available to us, hasn't been implemented (yet) by most large parties either (definitely not GitHub or Google): it's the roll-out of DNSSEC.
Well, let's start with just implementing SSL certs to improve the situation. Then, from there, we can work to implement the rest.
Thanks, sounds like a good start.
I'm mainly writing that the attack exists so that you're very careful when you trust the "green lock" when dealing with your bank's internet access methods.
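An added example, not part of the thread above and not code from common-lisp.net or the Alexandria project. It shows the two checks a practitioner would want around the point Frank raises: first, whether a clone URL's transport authenticates the server at all (git:// and http:// do not; https:// and ssh:// do, subject to the certificate and host-key caveats Erik mentions), and second, how git's content addressing lets you pin a commit or tag object ID obtained out of band and detect a tampered fetch regardless of transport. The object-ID routine reimplements git's `hash-object` format (SHA-1 over `"<type> <len>\0" + content`) in plain Python; the URLs and the object bytes below are constructed sample input, and the function names are the example's own.

```python
import hashlib
from urllib.parse import urlparse

# Transports that authenticate the remote end before any data is trusted
# (https via the server certificate, ssh via the host key).
AUTHENTICATED_SCHEMES = {"https", "ssh", "git+ssh", "ssh+git"}
# Transports that carry git objects in the clear with no server authentication:
# a man in the middle can serve arbitrary history.
UNAUTHENTICATED_SCHEMES = {"git", "http", "ftp", "rsync"}


def transport_is_authenticated(url: str) -> bool:
    """Return True if the clone URL's transport authenticates the server.

    Handles URL syntax (scheme://host/path) and git's scp-like syntax
    (user@host:path), which is always SSH. Local paths are treated as
    authenticated because no network peer is involved.
    """
    if "://" in url:
        scheme = urlparse(url).scheme.lower()
        if scheme in AUTHENTICATED_SCHEMES or scheme == "file":
            return True
        if scheme in UNAUTHENTICATED_SCHEMES:
            return False
        raise ValueError(f"unknown git transport scheme: {scheme!r}")
    # scp-like "host:path" or "user@host:path" is SSH; anything else is a local path.
    return True


def git_object_id(kind: str, content: bytes) -> str:
    """Compute the git object ID: SHA-1 over "<kind> <size>\\0<content>".

    This is exactly what `git hash-object -t <kind>` computes, so an ID pinned
    from a trusted channel can be re-derived from whatever bytes were fetched.
    """
    if kind not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"unknown git object type: {kind!r}")
    header = f"{kind} {len(content)}\0".encode("ascii")
    return hashlib.sha1(header + content).hexdigest()


def verify_pinned(kind: str, content: bytes, pinned_id: str) -> bool:
    """True only if the fetched object's ID matches the out-of-band pin.

    A MITM on git:// can rewrite the object, but cannot make the rewritten
    bytes hash to the pinned ID without a SHA-1 second-preimage/collision.
    """
    return git_object_id(kind, content) == pinned_id.lower()


if __name__ == "__main__":
    # Constructed sample: a blob whose ID was recorded from a trusted source.
    pinned = "ce013625030ba8dba906f756967f9e9ca394464a"  # `echo hello | git hash-object --stdin`
    fetched_ok = b"hello\n"
    fetched_tampered = b"hello\n(eval (read-from-string \"(backdoor)\"))\n"

    for url in ("git://common-lisp.net/projects/alexandria/alexandria.git",
                "https://common-lisp.net/projects/alexandria/alexandria.git",
                "git@example.org:alexandria/alexandria.git"):
        print(f"{url}: authenticated transport = {transport_is_authenticated(url)}")

    print("genuine object matches pin:", verify_pinned("blob", fetched_ok, pinned))
    print("tampered object matches pin:", verify_pinned("blob", fetched_tampered, pinned))
```

In practice the pin is a commit or tag ID you obtain over a channel the attacker does not control (a signed release announcement, a checksum file you already trust, a previous clone) and compare against `git rev-parse HEAD` after cloning; a signed tag checked with `git verify-tag` does the same job with a key instead of a hash, and does not depend on SHA-1 remaining second-preimage resistant.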