ok, thanks Ivar. I am not worried about the sysadmin at all. I would have been worried if the system were shut down by an attack that entered through my door, but I was advised to turn SSL checking off anyway. I agree that there seems little to gain from attacking a facility like that (pure research, a.k.a. random guys' software doing fun things :-) ). Thanks for chipping in, gael, as well - it's beyond me to judge those things, so it's good to hear from you guys.

florian

On 1 August 2014 12:34, Ivar Nesje <iva...@gmail.com> wrote:
> You are at a security level where it is acceptable to use random guys'
> software downloaded from the internet, that explicitly says in the licence
> that you are offered NO guarantees for anything. The software is so complex
> that it is impossible for you to review even a fraction of it for security
> (or else you would have reported numerous bug reports when you discovered
> unrelated things along the way). Stefan and Jeff seem to be following code
> updates in the Julia repository closely, but I don't know how many others
> review every commit. They have also given away push access to lots of
> random people, some of whom he has never even met in person.
>
> I would not worry too much about the possibility that your sysadmin might
> change something that might compromise your system. He has access anyway.
> Large-scale attackers (at the ISP layer) will probably attack protocols
> that are more used than git over https with a fake certificate. They will
> not know who verifies signatures and who does not.
>
> Ivar
>
> kl. 12:45:48 UTC+2 fredag 1. august 2014 skrev Florian Oswald følgende:
>>
>> that does sound worrying. I doubt the admin wants to know what I'm
>> downloading but rather get (temporarily) rid of a problem. Does that
>> compromise the security of the hpc system or does it mean someone could
>> hack my github account?
>>
>>
>> On 1 August 2014 08:02, <gael....@gmail.com> wrote:
>>
>>> Sounds like a bad idea. If the SSL cert is not correct in your
>>> configuration (whereas it is in the outside world) it becomes clear that
>>> your admin just wants to know what you are downloading.
>>>
>>> Basically, he told you "Please let us perform a MITM attack on your
>>> connection. To make our job easier, please deactivate all the SSL checks so
>>> that our cert (and maybe others) are accepted".
>>>
>>> The extra downside is that now anyone can alter the data you are
>>> downloading and you won't have the slightest idea this is happening (if
>>> that happens).
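The "turn SSL checking off" advice and gael's objection to it, made concrete as an added example that is not part of the thread: a small POSIX shell audit that reads a git config file and reports whether `http.sslVerify` has been set to false (the setting Florian was told to apply), whether verification is instead kept on with the site's own CA named via `http.sslCAInfo`, or neither. Both keys are real git options; the three sample config files, the CA path and the `audit_gitconfig`/`audit_env` function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a git config file for the
# "turn SSL checking off" setting discussed above and distinguishes it from
# the alternative that keeps verification on: trusting the site's proxy CA
# explicitly through http.sslCAInfo. Sample config files are constructed here.

# Verdict for one git config file:
#   insecure  http.sslVerify is false (globally or in any [http "url"] section)
#   pinned    http.sslCAInfo names a CA file; certificate checks stay on
#   default   neither; git uses the system trust store
audit_gitconfig() {
    tr '[:upper:]' '[:lower:]' < "$1" | awk '
        /^[[:space:]]*[#;]/ { next }              # comment line
        /^[[:space:]]*\[/ {                       # [http] or [http "https://host"]
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/[]"[:space:]].*/, "", sec)       # keep the section name only
            next
        }
        index($0, "=") > 0 {
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[[:space:]]/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            # git accepts several spellings of boolean false
            off = (val == "false" || val == "no" || val == "off" || val == "0")
            if (sec == "http" && key == "sslverify" && off) insecure = 1
            if (sec == "http" && key == "sslcainfo" && val != "") pinned = 1
        }
        END {
            if (insecure) print "insecure"
            else if (pinned) print "pinned"
            else print "default"
        }'
}

# The same switch can be flipped without touching any file: git skips
# certificate verification when GIT_SSL_NO_VERIFY is exported with any value.
audit_env() {
    if [ -n "${GIT_SSL_NO_VERIFY+set}" ]; then echo insecure; else echo ok; fi
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed: what the advice in the thread looks like once applied.
cat > "$SAMPLE_DIR/insecure.gitconfig" <<'EOF'
[http]
    sslVerify = false
EOF

# Constructed: verification stays on; the site's inspecting proxy is trusted
# by its CA, for one host only. The CA path is a placeholder.
cat > "$SAMPLE_DIR/pinned.gitconfig" <<'EOF'
[http "https://github.com"]
    sslCAInfo = /etc/ssl/certs/hpc-proxy-ca.pem
EOF

# Constructed: nothing SSL-related at all.
cat > "$SAMPLE_DIR/default.gitconfig" <<'EOF'
[user]
    name = Example User
EOF

for name in insecure pinned default; do
    printf '%-8s -> %s\n' "$name" "$(audit_gitconfig "$SAMPLE_DIR/$name.gitconfig")"
done
printf 'environment -> %s\n' "$(audit_env)"
```

Run it against your own `~/.gitconfig` with `audit_gitconfig ~/.gitconfig`. The "pinned" shape is the one to ask an admin for instead of `sslVerify = false`: git still checks that the certificate chains to a CA, so the set of parties who can alter a download shrinks from anyone on the network path (gael's objection) to whoever holds that one CA key, and the trust is scoped to one host rather than every HTTPS remote.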