Matt McCutchen <matt(a)mattmccutchen.net> wrote:
No. If the attacker MITMs the entire connection, they can lie about
the
values of the remote refs too, so there is no need to find a hash
collision.
And how would you then be allowed to push? The git server would see that
your history doesn't match the history it has and will refuse the
commits. If they MITM your SSH push connection, I believe you have
bigger fish to fry.
--Ben