From: mailings at hupie.com (Ferry Huberts)
Subject: Killing plaintext git:// in favor of https:// cloning
Date: Mon, 22 Feb 2016 20:59:32 +0100 [thread overview]
Message-ID: <56CB68A4.1010900@hupie.com> (raw)
In-Reply-To: <20160222195042.99D6C82323@gnosis.slac.com>
On 22/02/16 20:50, Joe Anakata wrote:
>
> On 22/02/16 19:16, Jason A. Donenfeld wrote:
>
>>> Now that git.zx2c4.com runs over HTTPS, I'm considering getting rid of
>>> the plaintext git:// endpoint for cloning.
>
> Ferry Huberts Proclaimed Thus:
>
>> Yes, why?
>> What's the point?
>>
>> The repos are public, so cloning them over https bring nothing, except
>> extra overhead and server load.
>
> While pretty unlikely, in theory someone could MITM a git:// clone and
> send the user a hax0red branch of cgit with integrated botnet which
> the user then compiles and installs on their server.
>
That is a pretty unlikely and sophisticated attack vector, for
admittedly little gain. Someone with an existing clone can immediately
see that thing are off.
It is a vector though, so if you really want to defend against it, then
just ignore my comments ;-)
> Not sure if the extra server load is worth it to defend against this
> case or not. (Also, presumably the server is using the cgit smart http
> endpoint so https clone is not much additional DATA, just the ssl
> handshake; but definitely additional cpu for crypto operations.)
>
> Thanks
> -Joe
> _______________________________________________
> CGit mailing list
> CGit at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/cgit
>
--
Ferry Huberts
next prev parent reply other threads:[~2016-02-22 19:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-22 19:50 jea-signup-cgit
2016-02-22 19:57 ` webmaster
2016-02-23 5:02 ` Jason
2016-02-22 19:59 ` mailings [this message]
-- strict thread matches above, loose matches on Subject: below --
2016-02-22 20:43 jea-signup-cgit
2016-02-23 5:05 ` Jason
2016-02-22 18:16 Jason
2016-02-22 18:22 ` Jason
2016-02-22 19:18 ` mailings
2016-02-22 19:56 ` Jason
2016-02-23 1:19 ` normalperson
2016-02-23 1:28 ` Jason
2016-02-23 5:08 ` Jason
2016-02-23 6:21 ` normalperson
2016-02-24 19:00 ` hacking
2016-02-25 17:21 ` Jason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56CB68A4.1010900@hupie.com \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).