Re: [Savannah-hackers-public] git over https
From: Leo Famulari
Subject: Re: [Savannah-hackers-public] git over https
Date: Wed, 8 Feb 2017 02:28:43 +0100
User-agent: Mutt/1.7.2 (2016-11-26)
On Tue, Feb 07, 2017 at 03:18:32PM -0700, Bob Proulx wrote:
> Leo Famulari wrote:
> > I bet that most of them use the unauthenticated HTTP or Git protocols
> > and are vulnerable to man-in-the-middle attacks and eavesdropping.
>
> Certainly it is vulnerable to eavesdropping. And to some extent https
> metadata is also vulnerable too. And since all of the hosted projects
> that might be downloaded are available to anyone I think that even with
> https it is possible for a well funded attacker with access to the
> metadata to know what someone has downloaded. But with git using SHA1
> hashes for everything I think it would be quite the challenge to
> produce a viable modification attack. (However I acknowledge that
> some of the proof of concept attacks for other attacks that I have
> looked at have quite surprised me by the cleverness used and that they
> did work.)
I don't think that the SHA1 hashes can protect somebody who is doing
`git clone` against MITM, because they would not already have a SHA1
graph that would become broken.
For `git fetch`, the attacker could add their changes after the most
recent commit.
> > I think this is a regression from the old Savannah server. The old
> > server appears to use the so-called "smart HTTP" Git protocol [0], which
> > provides informative output while it is working. On the other hand, the
> > "dumb HTTP" Git protocol [1] does not provide any output.
>
> Drat! This does appear to be a regression.
>
> In your opinion is that enough of a regression to warrant reverting
> (once again) the git service back to the old server? Of course that
> means another IP address change thrash for people who have ssh
> configured to watch such things. And more delay in getting things
> moved. Sigh.
I'm not sure, because I've never set up the "smart" protocol, and thus
have never been able to compare them from the same server. Perhaps one
of them is more efficient, but I don't know. The only difference I've
noticed as a user is the informative output. I think it's a major
improvement to offer HTTPS, so perhaps the "smart" protocol can be saved
for later.
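The "smart" and "dumb" HTTP responses discussed in this thread differ in the very first bytes the client receives, and on plain HTTP that ref advertisement is what an on-path party could alter before a clone has any SHA1 graph to compare against. The following is an added illustration, not code from the thread or from Savannah: a parser for the `info/refs` body that tells the two protocols apart (pkt-line framing with a `# service=` announcement versus tab-separated lines), extracts the advertised refs, and rejects truncated or malformed frames; the object ids and response bodies are constructed samples.

```python
import re
FLUSH = b"0000"
SHA1_RE = re.compile(rb"[0-9a-f]{40}")

def pkt_line(payload):
    """Frame a payload as a git pkt-line: 4 hex digits of total length, then the payload."""
    return b"%04x" % (len(payload) + 4) + payload

def parse_pkt_lines(data):
    """Split pkt-line framed bytes into payloads; a flush-pkt ("0000") becomes None."""
    pkts, pos = [], 0
    while pos < len(data):
        length = int(data[pos:pos + 4], 16)
        if length and (length < 4 or pos + length > len(data)):
            raise ValueError("truncated or malformed pkt-line at offset %d" % pos)
        pkts.append(data[pos + 4:pos + length] if length else None)
        pos += length or 4
    return pkts

def parse_info_refs(body):
    """Classify an info/refs body as 'smart' or 'dumb' and return its advertised {refname: sha}."""
    refs = {}
    if re.match(rb"[0-9a-f]{4}# service=", body):
        pkts = parse_pkt_lines(body)
        if pkts[:2] != [b"# service=git-upload-pack\n", None]:
            raise ValueError("bad smart-HTTP service announcement")
        for pkt in pkts[2:]:
            if pkt is None:
                break  # the final flush-pkt ends the advertisement
            sha, _, rest = pkt.rstrip(b"\n").partition(b" ")
            name = rest.split(b"\x00", 1)[0]  # first ref line carries capabilities after a NUL
            if not SHA1_RE.fullmatch(sha) or not name:
                raise ValueError("malformed ref line: %r" % pkt)
            refs[name.decode()] = sha.decode()
        return "smart", refs
    for line in body.splitlines():  # dumb HTTP: plain "<sha>\t<refname>" lines
        sha, _, name = line.partition(b"\t")
        if not SHA1_RE.fullmatch(sha) or not name:
            raise ValueError("malformed dumb info/refs line: %r" % line)
        refs[name.decode()] = sha.decode()
    return "dumb", refs

MASTER, TAG = "1" * 40, "2" * 40  # constructed placeholder object ids, not real commits
SMART_BODY = (  # constructed smart-HTTP advertisement, not captured from any real server
    pkt_line(b"# service=git-upload-pack\n") + FLUSH
    + pkt_line(MASTER.encode() + b" HEAD\x00multi_ack symref=HEAD:refs/heads/master\n")
    + pkt_line(MASTER.encode() + b" refs/heads/master\n")
    + pkt_line(TAG.encode() + b" refs/tags/v1.0\n") + FLUSH
)
DUMB_BODY = (MASTER + "\trefs/heads/master\n" + TAG + "\trefs/tags/v1.0\n").encode()
```

Comparing the `refs/heads/master` value returned here against a commit id obtained out of band is the kind of check that HTTPS alone does not give a fresh clone.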