Re: [gentoo-dev] [PATCH 2/2] git-r3.eclass: Explicitly warn about unsecure protocols

[Andrew Savchenko <bircoph@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 2174 bytes --]

On Fri, 25 Aug 2017 15:51:25 +0200 Michał Górny wrote:
> W dniu śro, 23.08.2017 o godzinie 11∶46 +0300, użytkownik Andrew
> Savchenko napisał:
> > On Sat, 19 Aug 2017 10:25:02 +0200 Michał Górny wrote:
> > > Explicitly warn about any URI that uses an unsecure protocol (git, http)
> > > even if it's a fallback URI. This is necessary because an attacker may
> > > block HTTPS connections, effectively forcing the fallback to
> > > the unsecure protocol.
> > 
> > [...]
> > > +	local r
> > > +	for r in "${repos[@]}"; do
> > > +		if [[ ${r} == git:* || ${r} == http:* ]]; then
> > > +			ewarn "git-r3: ${r%%:*} protocol in unsafe and may be subject to MITM attacks"
> > > +			ewarn "(even if used only as fallback). Please use https instead."
> > > +			ewarn "[URI: ${r}]"
> > > +		fi
> > > +	done
> > > +
> > 
> > Sigh... https also makes MITM attacks possible, especially if SSL
> > or TLS < 1.2 is used or are allowed and protocol version downgrade
> > attack may be performed.
> > 
> > Such messages create a false impression of a safety of https.
> > Safety more or less can be gained by verifying GPG signatures and
> > fingerprints of the upstream commits, if upstream supports this. Of
> > course using https is better than using http or git, but better
> > only by a bit.
> > 
> 
> Yes, we can do a whole long debate about problems with HTTPS. Yes, we
> can do an even longer debate about all those fancy solutions that solve
> all the problems in the world, except they're completely not applicable
> in practice. People will become a lot wiser and/or depressed.
> 
> However, I'd rather do what I can practically do to make a real
> difference. And I believe that making things a little safer is better
> than claiming that nothing is safe, so let's just abandon all hope
> and continue using completely unsecured protocols.

I agree that better to have some improvement rather than nothing.

> Nevertheless, I've changed the wording a bit to avoid giving this 'false
> impression' that https is entirely secure.

Thanks, that was my main intent: to have correct docs.


Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 833 bytes --]