Integrity protection of fetches (Re: The move to git!)
Matt McCutchen
matt at mattmccutchen.net
Wed Aug 4 08:33:51 UTC 2010
On Tue, 2010-08-03 at 22:09 +0000, Ben Boeckel wrote:
> Matt McCutchen <matt at mattmccutchen.net> wrote:
> > No. If the attacker MITMs the entire connection, they can lie about the
> > values of the remote refs too, so there is no need to find a hash
> > collision.
>
> And how would you then be allowed to push? The git server would see that
> your history doesn't match the history it has and will refuse the
> commits.
When the maintainer fetches, the attacker adds malicious commits on top
of the real remote ref value, and then the maintainer pushes those
commits as if he committed them himself. But IMNSHO, malicious
alteration of a fetch is something maintainers shouldn't have to deal
with, regardless of what the consequences might or might not be.
(I should have changed the subject two round trips ago. Oh well...)
--
Matt
More information about the devel
mailing list