On Mar 9, 2017, at 1:44 PM, Andy Bradford <[email protected]> wrote:
>
> Thus said Warren Young on Thu, 09 Mar 2017 13:37:35 -0700:
>
>> That can be gotten around with a MITM attack
>
> How? If the server to which the attacker tries to synchronize content
> already has Y, there is no way for the attacker to push Y' to the
> repository.

Who said “push”? The attack is as follows: the remote peer has Y, the MITM attacker has Y’; the MITM waits for a sync to happen, and when it sees Y come through, it substitutes Y’. The MITM can substitute any content it wishes when the checksums and hashes match, which was part of the major premise.
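
The following is an added example, not part of the original message and not Fossil's code. It models the receiving side of a sync: the only check a client can make is that the payload hashes to the artifact ID it expected, so under the premise that Y and Y’ share that ID the check cannot tell them apart. The 16-bit `weak_id` is a constructed stand-in for a broken hash, and all names and sample contents are assumptions.

```python
import hashlib
from itertools import count


def weak_id(data: bytes) -> str:
    """Constructed stand-in for a broken hash: SHA-1 truncated to 16 bits."""
    return hashlib.sha1(data).hexdigest()[:4]


def full_id(data: bytes) -> str:
    """Untruncated SHA-1, for which no colliding payload is available here."""
    return hashlib.sha1(data).hexdigest()


def receiver_accepts(expected_id: str, payload: bytes, hash_fn) -> bool:
    """The receiver's integrity check: does the payload hash to the expected ID?"""
    return hash_fn(payload) == expected_id


def find_colliding_payload(target: bytes, hash_fn) -> bytes:
    """Find different content with the same ID (quick only because weak_id is 16 bits)."""
    want = hash_fn(target)
    for n in count():
        candidate = b"substituted content %d" % n
        if candidate != target and hash_fn(candidate) == want:
            return candidate


# Constructed sample artifacts: Y is what the remote peer holds,
# Y_PRIME is what arrives instead after substitution in transit.
Y = b"original artifact Y"
Y_PRIME = find_colliding_payload(Y, weak_id)


def check_results() -> dict:
    """Run the receiver's check for each case and report what it decides."""
    return {
        # Premise holds (IDs match): the substituted payload passes.
        "colliding_substitute_accepted": receiver_accepts(weak_id(Y), Y_PRIME, weak_id),
        # Premise does not hold (full hash differs): the same payload is rejected.
        "substitute_rejected_by_full_hash": not receiver_accepts(full_id(Y), Y_PRIME, full_id),
        # The genuine artifact passes either way.
        "genuine_accepted": receiver_accepts(full_id(Y), Y, full_id),
    }


if __name__ == "__main__":
    for name, value in check_results().items():
        print(f"{name}: {value}")
```
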

