On Fri, 29 May 2015, Russ Allbery wrote:
> Philipp Kern <pk...@debian.org> writes:
> > Perfect is the enemy of good. Debian is already paying the protection
> > money at this point and TBH I don't understand the resistance to add
> > and promote the https:// variant of it. We can still switch to Let's
> > Encrypt once it is available.
>
> I don't object to promoting https. I do think we should be careful about
> what claims we make about MITM protection, since I believe https without

There is also traffic analysis. This is something that https and TLS in
general *cannot fix*, depending on just what you are trying to hide. And
git won't make it any easier for TLS to resist traffic analysis, either.
It won't leak passwords or other such low-level details, but trying to
hide high level details such as the fact that it is a git session, or
which repository you are working on out of a *known* set? Don't bet your
life on it.

> certificate pinning does not provide real MITM protection. It does,
> however, raise the bar against casual eavesdropping if you're already
> having to pay the CA cartel for other reasons, and that's worthwhile.

That's correct, and for the *specific* case of git over https, most of
the typical collateral damage of enabling https is not relevant: git is
already quite hard to scale on the server side, and its network bandwidth
usage is not relevant so making it impossible to cache is not going to
matter.

There is, however, the minor detail that you will be more vulnerable to
being remotely exploited by a rogue server, rogue client or MITM attacker.
This is no theory: we have fixed issues in openssl that would allow
exactly that to happen. It is also likely to happen again because TLS is
such an utter nightmare to implement safely.

OTOH, it would only matter when attacking the TLS layer of a git
connection would let an attacker into a system partition that makes no
other use of TLS/https other than git-over-https... thus it is only a
"minor detail".

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Archive: https://lists.debian.org/20150530183614.ga30...@khazad-dum.debian.net