Hi,

if I understood correctly, the issue is that although the repositories are public, it is still nobody's business what one does download.

We need a proper key setup anyway, which implies buying an ssl certificate. I'll look into this.

Once we have the cert, it is just a matter of enabling https, and public repos can be checked out or cloned in a secure manner.

Regards, Mario

On Tue, 27 Jan 2015 23:06:56 +0100 Erik Huelsmann ehuels@gmail.com wrote:

Hi Frank,

On Tue, Jan 27, 2015 at 10:29 PM, Frank fau@riseup.net wrote:

...

Have you made any progress regarding https access via git?

Hi! Thanks for sending a follow-up. Actually, reading Mario's response, I was under the impression that we were waiting for a response to Mario's mail: From Mario's mail I read that there are some doubts as to what that would add? In other words: why do you want https, given that the code you'll be cloning is public code anyway?

Regards,

Hi Frank,

On Wed, Jan 28, 2015 at 10:11 AM, Frank fau@riseup.net wrote:

Hello,

First I'm not an expert in the following matter so please correct me if I'm wrong here! But my concern is that without HTTPS enabled for git a man in the middle attack would be possible.

As far as I understand cloning a git repo is atm only possible via standard git protocol (e.g. git clone git://common-lisp.net/projects/alexandria/alexandria.git) and I believe the git protocol is not secured. See https://gist.github.com/grawity/4392747.

What is the greatest software in world good for if you can't distribute it securely?

Unfortunately, MITM is also possible for SSL and SSH ( http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Implementations lists publicly available implementations to execute them!).

To mitigate the attack, basically the only option listed at http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Defenses_against_the_a... that's available to us, hasn't been implemented (yet) by most large parties either (definitely not GitHub or Google): it's the roll-out of DNSSEC.

Well, lets start with just implementing SSL certs to improve the situation. Then, from there, we can work to implement the rest. I'm mainly writing that the attack exists so that you're very careful when you trust the "green lock" when dealing with your bank's internet access methods.

On Wed, 2015-01-28 at 12:55 +0100, Erik Huelsmann wrote:

Hi Frank,

On Wed, Jan 28, 2015 at 10:11 AM, Frank fau@riseup.net wrote:

...

Hello,

First I'm not an expert in the following matter so please correct me if I'm wrong here! But my concern is that without HTTPS enabled for git a man in the middle attack would be possible.

As far as I understand cloning a git repo is atm only possible via standard git protocol (e.g. git clone git://common-lisp.net/projects/alexandria/alexandria.git) and I believe the git protocol is not secured. See https://gist.github.com/grawity/4392747.

What is the greatest software in world good for if you can't distribute it securely?

Unfortunately, MITM is also possible for SSL and SSH ( http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Implementations lists publicly available implementations to execute them!).

To mitigate the attack, basically the only option listed at http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Defenses_against_the_a... that's available to us, hasn't been implemented (yet) by most large parties either (definitely not GitHub or Google): it's the roll-out of DNSSEC.

Well, lets start with just implementing SSL certs to improve the situation. Then, from there, we can work to implement the rest.

Thanks, sounds like a good start.

I'm mainly writing that the attack exists so that you're very careful when you trust the "green lock" when dealing with your bank's internet access methods.