[SSL Observatory] Observatory source code available via git

Matt McCutchen matt at mattmccutchen.net
Fri May 13 10:25:49 PDT 2011


On Fri, 2011-05-13 at 11:52 -0500, Chris Palmer wrote:
> On May 13, 2011, at 11:35 AM, Daniel Kahn Gillmor wrote:
> > As long as you are pulling (and properly verifying) signed tags, the
> > git:// scheme provides entirely reasonable integrity protection.
> 
> As far as I know, we don't sign any tags.

And even if you did, signing does not guarantee that the ref is fresh or
the one the user wants, rather than some commit from some project that
you signed sometime in the past.  As such, it is suitable for preventing
the injection of malware but does not constitute integrity protection of
a fetch operation.

> Is there a security analysis of Git anywhere?

I don't know, but in a few words: a git object ID is a SHA-1 hash over
the object data, which includes the IDs of any other objects it refers
to.  Git verifies the hash before accepting an object into your
repository.  So as long as SHA-1 remains collision-resistant, an object
ID completely determines all the transitively reachable content.  All
the security is in the ref values.  If you download
observatory.git/info/refs with TLS integrity protection and freshness,
you are safe no matter how you get the objects.  If you download
observatory.git/info/refs insecurely, a MITM attacker can substitute any
desired ref values and corresponding objects.

-- 
Matt



