Russ Allbery, 2015-05-27 22:23:02 -0700 :

> Josh Triplett <[email protected]> writes:
>
>> https:// avoids MITM;
>
> If you aren't doing certificate pinning, I don't think you can really say
> this with a straight face.
>
> It makes MITM moderately harder, at the cost of giving money to a bunch of
> exploitative clowns who have no concept of what security means.

I understand that behemoths such as Iceweasel may take some time to move, but maybe Git could be made to use the TLSA records in DNSSEC? Postfix does make use of them, and SSH uses their SSHFP cousins, so it's not completely an abstract idea.

Roland, who spent some time DNSSECing his infrastructure and hoping it'll be worth it in due time.

-- 
Roland Mas
Indépendant en informatique libre -- Free software freelance
http://www.gnurandal.com/

