Opposite of --insecure is what?

Matt Mackall mpm at selenic.com
Mon Feb 14 17:41:33 CST 2011


On Sat, 2011-02-05 at 21:34 -0600, Steve Borho wrote:
> On Sat, Feb 5, 2011 at 8:37 PM, Jason Harris <jason at jasonfharris.com> wrote:
> >> On Feb 6, 2011, at 2:48 PM, Steve Borho wrote:
> >> TortoiseHg 1.9.2 has a 'security' dialog that can be opened when an
> >> https URL is selected.
> >>
> >> https://bitbucket.org/tortoisehg/thg/src/7d1ab6d4151a/tortoisehg/hgqt/sync.py#cl-950
> >>
> >> The dialog has two halves.  The top half is labeled 'Secure HTTPS
> >> Connection' and has a set of radio buttons that select CA certs, a
> >> fingerprint, or --insecure.  The bottom half is labeled "User
> >> Authentication" and provides a very simplified interface to the [auth]
> >> section.
> >>
> >> If the user selects the fingerprint option, they can query the
> >> fingerprint from the host or they can paste a fingerprint from the
> >> output log.  To support a per-host --insecure option, we define an
> >> [insecurehosts] configuration section.  If the hostname is in that
> >> section and has a "True" boolean value we add --insecure to all
> >> command lines that talk to the host over https.
> >
> > Ahh... Thanks for the explanation!!
> >
> > I sort of understand this, but in a permanent setup, what's the difference between just marking something --insecure in all traffic and just storing its host key which you can fetch automatically?
> >
> > I wanted the --insecure option so I could do discovery and other operations without worrying about security, and then only later actually worrying about security. But to a large extent storing the fingerprint which comes from the host and --insecure is the same, right?
> 
> The fingerprint is only stored after the user has verified they are
> talking to the real host.  Presumably any MIM attack wouldn't be able
> to reproduce the same host certificate and thus the fingerprint
> wouldn't match (if not, I see little value in the whole scheme of
> storing a fingerprint either).
> 
> Does anyone know if those fingerprints are spoof safe?

Yes, they are, at least until someone can generate documents with
arbitrary SHA1 hashes. At that point basically -all- the security on the
web is nullified, so securing Mercurial pushes is the least of your
worries.

Note that a certificate with an independently, manually confirmed
fingerprint is more trustworthy than a certificate that's signed by a
recognized certificate authority. First, the signature is actually a
signature on the fingerprint, not the whole document. Second, there are
hundreds of certificate authorities and the CA system is only as
trustworthy as the least reliable one.

-- 
Mathematics is the supreme nostalgia of our time.
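
Added example (not part of the original message, and not Mercurial or TortoiseHg code): a Python model of the question in the thread, showing how a stored fingerprint and --insecure behave differently once a host presents a different certificate. The certificate bytes, host names, function names and the precedence order are assumptions of this sketch; [hostfingerprints] is Mercurial's pinning section and [insecurehosts] is the TortoiseHg section described above.

```python
import configparser
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
REAL_CERT = b"constructed DER bytes: certificate of the real host"
OTHER_CERT = b"constructed DER bytes: certificate presented by an interceptor"

def fingerprint(der_cert):
    """SHA-1 over the DER bytes, formatted as colon-separated hex."""
    digest = hashlib.sha1(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed config. [insecurehosts] is the TortoiseHg section from the thread;
# [hostfingerprints] is assumed to hold the pin the user confirmed out of band.
SAMPLE_HGRC = """
[hostfingerprints]
hg.example.org = %s

[insecurehosts]
legacy.example.org = True
""" % fingerprint(REAL_CERT)

def load_config(text):
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    return cfg

def _norm(fp):
    return fp.replace(":", "").strip().lower()

def check_host(cfg, host, der_cert):
    """Return (decision, reason) for the certificate `host` presented."""
    host = host.lower()
    pinned = cfg.get("hostfingerprints", host, fallback=None)
    if pinned is not None:  # assumption: a pin takes precedence over other modes
        if hmac.compare_digest(_norm(pinned), _norm(fingerprint(der_cert))):
            return ("accept", "certificate matches the pinned fingerprint")
        return ("reject", "fingerprint mismatch: not the certificate that was pinned")
    if cfg.getboolean("insecurehosts", host, fallback=False):
        return ("accept-unverified", "--insecure: any certificate is accepted")
    return ("verify-ca", "no pin stored: validate against the CA certs")

if __name__ == "__main__":
    cfg = load_config(SAMPLE_HGRC)
    for host in ("hg.example.org", "legacy.example.org", "new.example.org"):
        for name, cert in (("real", REAL_CERT), ("other", OTHER_CERT)):
            print(host, name, *check_host(cfg, host, cert))
```

For the pinned host the second certificate is rejected, while the host listed under [insecurehosts] accepts both, which is the practical difference between the two settings.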