Re: git and https
Excerpts from Russ Allbery's message of 2015-05-27 22:23:02 -0700:
> Josh Triplett <josh@joshtriplett.org> writes:
>
> > https:// avoids MITM;
>
> If you aren't doing certificate pinning, I don't think you can really say
> this with a straight face.
>
The word is "avoids", it is not "eliminates". What ever happened to
defense in depth? There's no such thing as a perfect solution, but we
can at least lock the doors, right?
> It makes MITM moderately harder, at the cost of giving money to a bunch of
> exploitative clowns who have no concept of what security means.
>
In the specific case where we'd recommend using https:// instead of git://
_for Debian's git services_, the cost noted above would not apply for
any Debian users because in theory we can use the Debian-specific CA.