Thus said Warren Young on Thu, 09 Mar 2017 13:37:35 -0700:

> On Mar 9, 2017, at 1:03 PM, Richard Hipp <[email protected]> wrote:
> >
> > If a new artifact Y' which has the same SHA1 hash as Y comes along,
> > it will be discarded, since an artifact with that same hash is
> > already in the repository.
>
> That can be gotten around with a MITM attack, as I've already brought
> up several times on the list. Many Fossil instances won't have TLS
> protection against MITM attacks, and those that do have it may be
> weakened by some well-intentioned TLS-busting middlebox or antimalware
> package.

How? If the server to which the attacker tries to synchronize content
already has Y, there is no way for the attacker to push Y' to the
repository.

Or are you suggesting that the attacker is not trying to push content
into the repository, but is instead trying to trick the client into
pulling Y' when he wanted Y?

Andy
-- 
TAI64 timestamp: 4000000058c1bebc
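
An added example, not part of the original message and not Fossil's code: a toy content-addressed store that models the two cases the message distinguishes, pushing Y' to a server that already has Y versus a client without Y being handed Y'. The `Repo` class, the 16-bit truncated ID (a stand-in so that a collision can be found instantly) and the SHA-256 comparison are assumptions made for illustration.

```python
import hashlib
from itertools import count

def weak_id(data: bytes) -> str:
    # Assumption: SHA1 truncated to 16 bits stands in for a hash with
    # known collisions. Real artifact IDs are full SHA1 digests.
    return hashlib.sha1(data).hexdigest()[:4]

class Repo:
    """Toy content-addressed store (hypothetical): artifact ID -> content."""
    def __init__(self):
        self.artifacts = {}

    def receive(self, data: bytes) -> bool:
        """Store data unless an artifact with the same ID already exists."""
        aid = weak_id(data)
        if aid in self.artifacts:
            return False              # discarded: ID already present
        self.artifacts[aid] = data
        return True

def find_collision(original: bytes) -> bytes:
    # Constructed second artifact Y' with the same weak ID as Y.
    target = weak_id(original)
    for i in count():
        candidate = b"Y-prime variant %d" % i
        if candidate != original and weak_id(candidate) == target:
            return candidate

def run_scenarios():
    y = b"artifact Y: original content"   # constructed sample artifact
    y_prime = find_collision(y)

    # Case 1: the server already holds Y, so a pushed Y' is discarded.
    server = Repo()
    server.receive(y)
    push_accepted = server.receive(y_prime)

    # Case 2: a client without Y asks for Y's ID and is handed Y'.
    # A check against the ID alone passes, and Y' is stored.
    client = Repo()
    id_check_passes = weak_id(y_prime) == weak_id(y)
    pull_accepted = client.receive(y_prime)

    # A digest of the expected content under an unbroken hash exposes the swap.
    swap_detected = hashlib.sha256(y_prime).digest() != hashlib.sha256(y).digest()
    return (push_accepted, server.artifacts[weak_id(y)],
            id_check_passes, pull_accepted, swap_detected)

if __name__ == "__main__":
    print(run_scenarios())
```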

