Jeff King <peff@xxxxxxxx> writes:

> On Sun, Feb 24, 2013 at 07:46:51PM +0100, Andreas Ericsson wrote:
>
>> The lack of certificate authority verification presents no attack vector
>> for git imap-send. As such, it doesn't warrant a CVE. I'm sure you'll
>> be credited with a "reported-by" line in the commit message if someone
>> decides to fix it though. Personally, I'm not fussed.
>
> Sure it presents an attack vector. I can man-in-the-middle your
> imap-send client and read your otherwise secret patches. Or your
> otherwise secret imap password.

Yes, the lack of verification alone will not hurt the victim; you
would need to also be able to insert yourself in the middle, perhaps
by poisoning the victim's DNS.

But one of the points of using SSL/TLS is to resist such an attack,
and it certainly is an attack surface, even though it may be of a
lesser kind than other kinds of attacks.

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html