Date: Wed, 23 Aug 2017 11:46:02 +0300
From: Andrew Savchenko
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols
Message-Id: <20170823114602.4b19ebe6b225f4a57af3448e@gentoo.org>
In-Reply-To: <20170819082502.27716-2-mgorny@gentoo.org>
References: <20170819082502.27716-1-mgorny@gentoo.org> <20170819082502.27716-2-mgorny@gentoo.org>
X-Mailer: Sylpheed 3.6.0 (GTK+ 2.24.30; i686-pc-linux-gnu)
On Sat, 19 Aug 2017 10:25:02 +0200 Michał Górny wrote:
> Explicitly warn about any URI that uses an unsecure protocol (git, http)
> even if it's a fallback URI. This is necessary because an attacker may
> block HTTPS connections, effectively forcing the fallback to
> the unsecure protocol.
[...]
> + local r
> + for r in "${repos[@]}"; do
> + if [[ ${r} == git:* || ${r} == http:* ]]; then
> + ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> + ewarn "(even if used only as fallback). Please use https instead."
> + ewarn "[URI: ${r}]"
> + fi
> + done
> +

Sigh... https also makes MITM attacks possible, especially if SSL or TLS < 1.2 is used or allowed and a protocol version downgrade attack may be performed. Such messages create a false impression of the safety of https.

Safety more or less can be gained by verifying GPG signatures and fingerprints of the upstream commits, if upstream supports this.

Of course using https is better than using http or git, but better only by a bit.
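Review bot: the first ewarn line in this hunk reads "protocol in unsafe"; it should read "protocol is unsafe". Separately, the test `[[ ${r} == git:* || ${r} == http:* ]]` is case-sensitive while URI schemes are case-insensitive, so a repo entry written as `GIT://...` or `Http://...` slips past the warning; lowercasing the value before matching (for example `[[ ${r,,} == git:* || ${r,,} == http:* ]]`, bash 4 syntax) closes that gap without changing what `${r%%:*}` and `[URI: ${r}]` print.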
Best regards,
Andrew Savchenko
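The check the reply points to, verifying commit signatures and pinning the upstream key fingerprint, as an added example that is not part of the thread or of git-r3.eclass: it runs over constructed lines in the shape `git log --format='%H %G? %GF'` produces (the placeholder semantics are git's own; the hashes, statuses and the pinned fingerprint are made up), and rejects any commit whose signature is not good or whose signing key is not the pinned one.

```shell
#!/bin/sh
# Added example: gate commits on signature status AND signing-key fingerprint.
# Input lines follow `git log --format='%H %G? %GF' <base>..<head>`, where
# %G? is G (good), B (bad), U (good, untrusted), X/Y (expired), R (revoked),
# E (cannot check), N (unsigned) and %GF is the signing key's fingerprint.

# Fingerprint upstream is expected to sign with (constructed placeholder).
PINNED_FPR="0000000000000000000000000000000000000000"

# Constructed sample log: good+pinned, good but wrong key, unsigned, bad sig.
SAMPLE_LOG="1111111111111111111111111111111111111111 G 0000000000000000000000000000000000000000
2222222222222222222222222222222222222222 G DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
3333333333333333333333333333333333333333 N
4444444444444444444444444444444444444444 B 0000000000000000000000000000000000000000"

# check_commit_line <hash> <status> <fingerprint>
# Returns 0 only for a good signature made by the pinned key.
check_commit_line() {
    short=$(printf '%.8s' "$1")
    if [ "$2" != "G" ]; then
        echo "$short: REJECT (signature status '$2', not G)"
        return 1
    fi
    if [ "$3" != "$PINNED_FPR" ]; then
        echo "$short: REJECT (good signature, but key '$3' is not pinned)"
        return 1
    fi
    echo "$short: OK"
    return 0
}

# count_rejected <log-text>: verdict per line, then the number rejected.
count_rejected() {
    rejected=0
    while read -r hash status fpr; do
        [ -n "$hash" ] || continue
        check_commit_line "$hash" "$status" "$fpr" || rejected=$((rejected + 1))
    done <<EOF
$1
EOF
    echo "$rejected"
}

count_rejected "$SAMPLE_LOG"
```

With the sample input three of the four commits are rejected; only a good signature from the pinned key passes, so a valid signature from an unexpected key is not treated as trustworthy.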