From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 23 Feb 2016 06:05:12 +0100
Subject: Killing plaintext git:// in favor of https:// cloning
In-Reply-To: <20160222204309.0C53882322@gnosis.slac.com>
References: <20160222204309.0C53882322@gnosis.slac.com>
Message-ID:

On Mon, Feb 22, 2016 at 9:43 PM, Joe Anakata wrote:
> (Also it was mentioned this would only work for people making a fresh
> clone; anyone with an existing clone would almost certainly know
> something was up.)

No, definitely a MITM attack is feasible that would be fast-forwardable
just fine for a pull onto an existing repo.

> Also there is the issue of the book reference, which is hard to
> change. Though, for this, you could just have a dummy server which
> redirects people, something which is essentially:
>
> nc -l -p 9418 -c "echo -n 002AERR please use https://foo.bar/foo.git"

Right, this is exactly what I wound up doing, except much higher
performance using epoll:

https://git.zx2c4.com/git-daemon-dummy/about/

I haven't decided whether or not to deploy it, but the code is there.

> (Of course, someone could still MITM *that*.

Right. But the idea, anyhow, would just be to let the readers of the
book know what's up, rather than leaving them in the dark.
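The `nc` one-liner quoted above works because the git wire protocol frames everything as "pkt-lines": four hex digits giving the total length (payload plus the four length bytes), followed by the payload. `002A` is 42, i.e. 4 + the 38 bytes of `ERR please use https://foo.bar/foo.git`, and a git client that receives an `ERR` packet prints it as `remote error: ...` and aborts. The following is an added example written for this post; it is not the git-daemon-dummy code linked above nor anything from git itself. It encodes and decodes pkt-lines, parses the `git-upload-pack /repo\0host=...\0` request a git:// client sends, and runs a small asyncio listener that answers every request with an ERR packet pointing at the https:// mirror. The `https_base` URL and the port-9418 listener are assumptions for the demonstration.

```python
"""Tombstone server for a retired git:// endpoint.

Every connection is answered with a single pkt-line ERR packet that tells
the client which https:// URL to use instead, then the socket is closed.
Added example (not git's code, not git-daemon-dummy); https_base is assumed.
"""
import asyncio

GIT_PORT = 9418            # default port of the git:// protocol
MAX_PAYLOAD = 65516        # 0xfff0 - 4: largest payload a pkt-line may carry
FLUSH_PKT = b"0000"        # zero-length packet: end of a packet sequence
HEX = b"0123456789abcdefABCDEF"


def pkt_line(payload: bytes) -> bytes:
    """Encode one pkt-line: 4 hex digits of len(payload)+4, then the payload.
    git emits lowercase hex and accepts either case, so b"002a..." here is
    equivalent to the 002A in the nc one-liner."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("pkt-line payload too long")
    return f"{len(payload) + 4:04x}".encode("ascii") + payload


def err_packet(message: str) -> bytes:
    """Build the ERR packet that a git client shows as 'remote error: ...'."""
    return pkt_line(b"ERR " + message.encode("utf-8"))


def parse_pkt_line(data: bytes):
    """Decode the first pkt-line in data.
    Returns (payload, rest); payload is None for a flush packet.
    Raises ValueError on a truncated or malformed packet."""
    if len(data) < 4 or any(c not in HEX for c in data[:4]):
        raise ValueError("missing or non-hex pkt-line length")
    length = int(data[:4], 16)
    if length == 0:
        return None, data[4:]
    if length < 4 or len(data) < length:
        raise ValueError("bad pkt-line length")
    return data[4:length], data[length:]


def parse_request(payload: bytes):
    """Split a git-daemon request such as
    b'git-upload-pack /foo.git\\0host=foo.bar\\0' into
    (command, path, {extra parameters})."""
    parts = payload.split(b"\0")
    command, _, path = parts[0].partition(b" ")
    extras = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition(b"=")
            extras[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return command.decode("utf-8", "replace"), path.decode("utf-8", "replace"), extras


def redirect_message(path: str, https_base: str) -> str:
    """Text of the ERR packet; reuses the requested path so the hint is exact."""
    return f"please use {https_base}{path}"


async def handle(reader, writer, https_base: str):
    """Read the client's request, answer with one ERR packet, close."""
    try:
        head = await asyncio.wait_for(reader.read(MAX_PAYLOAD + 4), timeout=5.0)
        payload, _ = parse_pkt_line(head)
        _, path, _ = parse_request(payload or b"")
        reply = err_packet(redirect_message(path, https_base))
    except (ValueError, asyncio.TimeoutError):
        # Malformed or silent client: still hand out the generic hint.
        reply = err_packet(redirect_message("", https_base))
    writer.write(reply)
    await writer.drain()
    writer.close()


async def serve(https_base: str, port: int = GIT_PORT):
    """Listen on the git:// port and tombstone every request."""
    server = await asyncio.start_server(
        lambda r, w: handle(r, w, https_base), port=port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    # Assumed https:// base URL for the migrated repositories.
    asyncio.run(serve("https://foo.bar"))
```

Running the module and then `git clone git://localhost/foo.git` makes the client print `fatal: remote error: please use https://foo.bar/foo.git`. As the thread notes, this only helps honest clients find the new URL; the redirect itself is delivered over the same plaintext channel, so it is a signpost, not a security control.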