Re: Certificate validation vulnerability in Git

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jeff King <peff@xxxxxxxx> writes:

> On Sun, Feb 24, 2013 at 07:46:51PM +0100, Andreas Ericsson wrote:
>
>> The lack of certificate authority verification presents no attack vector
>> for git imap-send. As such, it doesn't warrant a CVE. I'm sure you'll
>> be credited with a "reported-by" line in the commit message if someone
>> decides to fix it though. Personally, I'm not fussed.
>
> Sure it presents an attack vector. I can man-in-the-middle your
> imap-send client and read your otherwise secret patches. Or your
> otherwise secret imap password.

Yes, the lack of verification alone will not hurt the victim; you
would need to also be able to insert yourself in the middle, perhaps
by poisoning the victim's DNS.  But one of the points of using
SSL/TLS is to resist such an attack, and it certainly is an attack
surfce, even though it may be of a lessor kind than other kinds of
attacks.

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]