[issue1174] https in hg less secure than expected

Henryk Gerlach mercurial-bugs at selenic.com
Wed Jun 11 06:24:15 CDT 2008


New submission from Henryk Gerlach <hgerlach at gmx.de>:

As far as I understand:
Using the https protocol in hg is less secure than users are used to (from
browsers), since it does not rule out a man in the middle attack.

Usually the client can check that he really talks to the server by making sure
that his certificate is signed by a trusted CA. Hg does not make these checks.

Https in hg is still "more secure" than plain http since a man in the middle
attack requires more effort (though it's usually feasible).

A short solution would be to save the fingerprint of the certificate in the
.hgrc the first time the server is contacted and check against it in future
tries (similar to what ssh does). Unfortunately the python httplib does not seem
to be able to produce these fingerprints (which is IMHO a serious shortcoming
that should be fixed upstream).

So for now, I personally would like to have a warning displayed when the user
uses https, along the lines:
 "the https implementation in hg is less secure than you might expect, please
consider using ssh".

I didn't try to do a proof of concept man in the middle attack, so I might be
missing something.

----------
messages: 6246
nosy: HenrykGerlach
priority: bug
status: unread
title: https in hg less secure than expected
topic: http_proto, security

____________________________________________________
Mercurial issue tracker <mercurial-bugs at selenic.com>
<http://www.selenic.com/mercurial/bts/issue1174>
____________________________________________________
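
The fingerprint-pinning scheme proposed in the report above, sketched as an added example; it is not part of the original message and not Mercurial's code. The section name `pinned_fingerprints`, the host `hg.example.org` and the certificate bytes are constructed for illustration, and an in-memory `ConfigParser` stands in for the `.hgrc`.

```python
import configparser
import hashlib
import hmac
import socket
import ssl

SECTION = "pinned_fingerprints"  # hypothetical section name, not an hg setting


class PinMismatch(Exception):
    """The server presented a certificate other than the one pinned."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the peer certificate; the CA check is off because the pin replaces it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(store: configparser.ConfigParser, host: str, der_cert: bytes) -> str:
    """Pin on first contact, accept an identical certificate later, else raise."""
    if not store.has_section(SECTION):
        store.add_section(SECTION)
    seen = fingerprint(der_cert)
    known = store.get(SECTION, host, fallback=None)
    if known is None:
        store.set(SECTION, host, seen)  # first use: nothing to compare against
        return "pinned"
    if hmac.compare_digest(known, seen):
        return "match"
    raise PinMismatch(f"{host}: pinned {known}, server sent {seen}")


if __name__ == "__main__":
    store = configparser.ConfigParser()
    cert = b"constructed bytes standing in for a DER certificate"
    print(check_pin(store, "hg.example.org", cert))  # first contact
    print(check_pin(store, "hg.example.org", cert))  # same certificate again
```

As with ssh, the first connection is not authenticated, so the pinned value should be compared with a fingerprint obtained out of band.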