Opposite of --insecure is what?

Steve Borho steve at borho.org
Sat Feb 5 21:34:52 CST 2011


On Sat, Feb 5, 2011 at 8:37 PM, Jason Harris <jason at jasonfharris.com> wrote:
>> On Feb 6, 2011, at 2:48 PM, Steve Borho wrote:
>> TortoiseHg 1.9.2 has a 'security' dialog that can be opened when an
>> https URL is selected.
>>
>> https://bitbucket.org/tortoisehg/thg/src/7d1ab6d4151a/tortoisehg/hgqt/sync.py#cl-950
>>
>> The dialog has two halves.  The top half is labeled 'Secure HTTPS
>> Connection' and has set of radio buttons that select CA certs, a
>> fingerprint, or --insecure.  The bottom half is labeled "User
>> Authentication" and provides a very simplified interface to the [auth]
>> section.
>>
>> If the user selects the fingerprint option, they can query the
>> fingerprint from the host or they can paste a fingerprint from the
>> output log.  To support a per-host --insecure option, we define an
>> [insecurehosts] configuration section.  If the hostname is in that
>> section and has a "True" boolean value we add --insecure to all
>> command lines that talk to the host over https.
>
> Ahh... Thanks for the explanation!!
>
> I sort of understand this, but in a permanent setup, what's the difference between just marking something --insecure in all traffic and just storing its host key which you can fetch automatically?
>
> I wanted the --insecure option so I could do discovery and other operations without worrying about security, and then only later actually worrying about security. But to a large extent storing the fingerprint which comes from the host and --insecure is the same, right?

The fingerprint is only stored after the user has verified they are
talking to the real host.  Presumably any MIM attack wouldn't be able
to reproduce the same host certificate and thus the fingerprint
wouldn't match (if not, I see little value in the whole scheme of
storing a fingerprint either).

Does anyone know if those fingerprints are spoof safe?

>> I've uploaded a snapshot of the dialog on Mac:
>>
>> https://bitbucket.org/tortoisehg/thg/downloads/security.png
>
> How do you do the automatic detection and switch between real errors that can be detected if a spoofed certificate and a self-signed certificate? I wouldn't want to get a spoofing error and still recommend to the user, "the host could not be verified but has the following fingerprint, would you like to use this fingerprint?"

We're not making any suggestions.  By default Mercurial always tries
to use CA certificates to validate the host.  If those validations
fail the connection will fail. The user will have to open the security
dialog and switch modes and decide for themselves whether the host
fingerprint they query is valid.  It's impossible for us to know.

-- 
Steve Borho
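The per-host decision Steve describes (CA validation by default, a pinned fingerprint compared against the certificate actually presented, and --insecure only where the host is listed in [insecurehosts]), written out as an added Python example that is not code from TortoiseHg or Mercurial. It also answers Jason's question: a pinned fingerprint rejects a certificate that hashes differently, while an insecure host accepts anything. The certificate blobs are constructed stand-ins for DER data, the colon-separated SHA-1 format follows Mercurial's [hostfingerprints] convention, and the precedence order between the three modes is an assumption.

```python
import configparser
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# Mercurial hashes the real DER bytes; the logic below is the same either way.
REAL_CERT = b"constructed-der:real-host-certificate"
MITM_CERT = b"constructed-der:attacker-certificate"


def fingerprint(cert_der: bytes) -> str:
    """SHA-1 of the DER certificate, colon-separated as in [hostfingerprints]."""
    digest = hashlib.sha1(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sample_config() -> configparser.ConfigParser:
    """Constructed hgrc fragment: one pinned host, one per-host insecure host."""
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(f"""
[hostfingerprints]
pinned.example.org = {fingerprint(REAL_CERT)}

[insecurehosts]
scratch.example.org = True
""")
    return cfg


def check_host(host: str, cert_der: bytes, cfg: configparser.ConfigParser,
               ca_valid: bool):
    """Return the mode that accepted the connection, or None if it must fail.

    Assumed precedence: a pinned fingerprint wins over the CA result (so a
    MITM certificate is rejected even if some CA would sign it), then CA
    validation, then the per-host insecure flag as a last resort.
    """
    if cfg.has_option("hostfingerprints", host):
        pinned = cfg.get("hostfingerprints", host).strip().lower()
        return "fingerprint" if fingerprint(cert_der) == pinned else None
    if ca_valid:
        return "ca"
    if cfg.getboolean("insecurehosts", host, fallback=False):
        return "insecure"  # no verification at all: spoofed certs pass too
    return None
```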

