
Re: git and https



On Fri, 29 May 2015, Russ Allbery wrote:
> Philipp Kern <pkern@debian.org> writes:
> > Perfect is the enemy of good. Debian is already paying the protection
> > money at this point and TBH I don't understand the resistance to add
> > and promote the https:// variant of it. We can still switch to Let's
> > Encrypt once it is available.
> 
> I don't object to promoting https.  I do think we should be careful about
> what claims we make about MITM protection, since I believe https without

There is also traffic analysis.  This is something that https and TLS in
general *cannot fix*, depending on just what you are trying to hide. And git
won't make it any easier for TLS to resist traffic analysis, either.

It won't leak passwords or other such low-level details, but trying to hide
high level details such as the fact that it is a git session, or which
repository you are working on out of a *known* set?  Don't bet your life on
it.

> certificate pinning does not provide real MITM protection.  It does,
> however, raise the bar against casual eavesdropping if you're already
> having to pay the CA cartel for other reasons, and that's worthwhile.

That's correct, and for the *specific* case of git over https, most of the
typical collateral damage of enabling https is not relevant: git is already
quite hard to scale on the server side, and its network bandwidth usage is
not relevant so making it impossible to cache is not going to matter.

There is, however, the minor detail that you will be more vulnerable to
being remotely exploited by a rogue server, rogue client or MITM attacker.

This is no theory: we have fixed issues in openssl that would allow exactly
that to happen.  It is also likely to happen again because TLS is such an
utter nightmare to implement safely.

OTOH, it would only matter when attacking the TLS layer of a git connection
would let an attacker into a system partition that makes no other use of
TLS/https other than git-over-https... thus it is only a "minor detail".

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

