On Thu, Mar 09, 2017 at 01:37:35PM -0700, Warren Young wrote:
> On Mar 9, 2017, at 1:03 PM, Richard Hipp <d...@sqlite.org> wrote:
> > 
> > If a new artifact Y' which has the
> > same SHA1 hash as Y comes along, it will be discarded, since an
> > artifact with that same hash is already in the repository.
> 
> That can be gotten around with a MITM attack, as I’ve already brought
> up several times on the list.  Many Fossil instances won’t have TLS
> protection against MITM attacks, and those that do have it may be
> weakened by some well-intentioned TLS-busting middlebox or antimalware
> package.

It still only matters if you can *introduce* objects. MITM for a given
repository with sensible content requires a second preimage attack.
Those are not possible on any kind of (un)realistic budget.

Joerg
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
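
The distinction drawn in this thread, between an existing artifact winning over a later one with the same hash and the attacker needing a second preimage rather than a collision, is shown in the following added example; it is not code from the thread or from Fossil. Assumptions: SHA1 is truncated to 16 bits so both searches finish instantly, and `ArtifactStore`, `toy_hash` and the sample messages are hypothetical names constructed for the demonstration.

```python
import hashlib
from itertools import count

BITS = 16  # toy digest width (assumption); real SHA1 is 160 bits

def toy_hash(data: bytes, bits: int = BITS) -> int:
    """SHA1 truncated to `bits` bits; stands in for the full hash."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)

class ArtifactStore:
    """Hypothetical content-addressed store: first artifact per hash wins."""
    def __init__(self):
        self.by_hash = {}

    def add(self, content: bytes) -> bool:
        h = toy_hash(content)
        if h in self.by_hash:
            return False          # same hash already present: discard
        self.by_hash[h] = content
        return True

def find_collision():
    """Attacker picks BOTH inputs (birthday search, about 2^(BITS/2) tries)."""
    seen = {}
    for i in count():
        msg = b"free-%d" % i
        h = toy_hash(msg)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def find_second_preimage(target: bytes):
    """Attacker must match a GIVEN artifact (about 2^BITS tries)."""
    want = toy_hash(target)
    for i in count():
        msg = b"forged-%d" % i
        if msg != target and toy_hash(msg) == want:
            return msg, i + 1

if __name__ == "__main__":
    y = b"existing check-in with sensible content"   # constructed sample
    store = ArtifactStore()
    store.add(y)
    a, b, n_coll = find_collision()
    y2, n_pre = find_second_preimage(y)
    print("collision tries:", n_coll, "second-preimage tries:", n_pre)
    print("Y' accepted?", store.add(y2))   # the store already holds Y
```

At 16 bits both searches are trivial; the gap between roughly 2^(n/2) and 2^n work is what separates the two attacks at SHA1's full 160-bit width.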