
Re: Death to git://! Long live git://!



Christoph Anton Mitterer <calestyo@scientia.net> writes:
> On Fri, 2016-01-08 at 10:43 -0500, Paul Tagliamonte wrote:

>> I'd like to suggest we move all Vcs-Git entries to either `https` or

> I doubt https will give any real hard additional security, based on the
> inherent problems of the X.509 CA system.

Moving the goalposts from trivial MITM via a rogue AP to obtaining a
fraudulent SSL certificate is probably not "hard" security, whatever that
means to you, but is a substantial increase in the level of work required for
the attacker.  Given that it's a fairly trivial change in most cases,
since most Git services already expose the repository via HTTPS, I'm not
sure why you're objecting.

> Thus using ssh AND signed tags or even better signed commits seems to be
> the best solution from a security PoV :)

I'm not letting random Internet users ssh into my Git repository host,
thanks.  Securing untrusted ssh is a pain with a lot of fail-open
pitfalls.  I always tightly firewall ssh to only IP addresses I'm actually
using.

I'm also entertained that you think that the completely unchecked host
keys that everyone always approves without even looking at are better
security than X.509 CAs, for all the problems those have.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

