On Sat, 19 Aug 2017 10:25:02 +0200 Michał Górny wrote:
> Explicitly warn about any URI that uses an unsecure protocol (git, http)
> even if it's a fallback URI. This is necessary because an attacker may
> block HTTPS connections, effectively forcing the fallback to
> the unsecure protocol.
[...]
> + local r
> + for r in "${repos[@]}"; do
> + if [[ ${r} == git:* || ${r} == http:* ]]; then
> + ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> + ewarn "(even if used only as fallback). Please use https instead."
> + ewarn "[URI: ${r}]"
> + fi
> + done
> +

Sigh... https also makes MITM attacks possible, especially if SSL or
TLS < 1.2 is used or allowed and a protocol version downgrade attack may
be performed. Such messages create a false impression of the safety of
https. Safety more or less can be gained by verifying GPG signatures and
fingerprints of the upstream commits, if upstream supports this.

Of course using https is better than using http or git, but better only
by a bit.

Best regards,
Andrew Savchenko
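Review bot: The first ewarn line in the loop has a typo, "${r%%:*} protocol in unsafe and may be subject to MITM attacks" should read "protocol is unsafe and may be subject to MITM attacks"; since this string is what users will see for every git:// or http:// URI, it is worth fixing before the patch lands.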
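The fingerprint-pinned signature check Andrew refers to, written out as an added example; it is not part of this thread, of git-r3.eclass or of any Gentoo code. It assumes git and gpg are installed, that `git verify-commit --raw` is available (it forwards gpg's machine-readable "[GNUPG:] ..." status lines on stderr), and that the maintainer keeps an allowlist of full key fingerprints in TRUSTED_FPRS. The fingerprints, key id and user id in the sample status are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the gentoo-dev thread or git-r3.eclass.
# Accept a commit only if gpg reports GOODSIG (so expired/revoked keys,
# which gpg reports as EXPKEYSIG/REVKEYSIG instead, are rejected) AND the
# VALIDSIG primary-key fingerprint is on our allowlist.  Pinning the
# fingerprint means a signature from some other valid-looking key, for
# example one injected by a MITM on a downgraded transport, is refused.

# Constructed sample of gpg status output for a good signature (placeholder
# key id, user id and fingerprints; not real keys).
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-08-19 1503130000 0 4 0 1 8 01 ABCDEF0123456789ABCDEF0123456789ABCDEF01'

# Read gpg status lines on stdin; print the primary-key fingerprint of a
# GOODSIG+VALIDSIG signature and return 0, otherwise print nothing and
# return 1.  VALIDSIG field 12 is the primary-key fingerprint when gpg
# emits it; older output carries only the signing-key fingerprint in
# field 3, which we fall back to.
primary_fpr_from_status() {
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
               $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
               END { if (good && fpr != "") print fpr }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}

# Return 0 if fingerprint $1 appears in the space-separated allowlist $2.
fpr_allowed() {
    for t in $2; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Verify commit $2 in repository $1 against the TRUSTED_FPRS allowlist.
# 0 = accept, 1 = reject (bad/unknown signature, or key not pinned).
verify_pinned_commit() {
    # git exits non-zero on a bad or unverifiable signature; the status
    # lines we need are on stderr, so swap the streams before capturing.
    status=$(git -C "$1" verify-commit --raw "$2" 2>&1 >/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | primary_fpr_from_status) || return 1
    fpr_allowed "$fpr" "$TRUSTED_FPRS"
}
```

Usage from an ebuild-style fetch step would be `TRUSTED_FPRS="<upstream fingerprint(s)>" verify_pinned_commit "${EGIT_DIR}" "${commit}" || die`, with the allowlist hard-coded by the maintainer rather than downloaded over the same channel as the code.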