Spoofing GitHub's SSL certificate is a step in the direction of inserting espionage-style backdoors, as GitHub permits HTTPS read-only checkouts of repositories.

I'm not suggesting that this will be free of problems, given how particular Git is about checksums, nor am I certain what methods they would use to acquire SSH commit access for altering repository contents to affect the rest of the world.

Still, it's absolutely a necessary prerequisite to altering data from GitHub - and, if they acquire SSH keys, altering data at GitHub. Both possibilities are terrifying.

GitHub now [allows HTTPS pushes][1], so a man-in-the-middle attack on a single connection would be sufficient to push backdoors. In any case, can't the intermediary just add another SSH key to the account?

[1]: https://help.github.com/articles/pushing-to-a-remote
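One mitigation for the scenario the thread describes (a spoofed but browser-accepted certificate sitting between a client and GitHub over HTTPS) is to pin the remote's public key in Git's own HTTP configuration. The script below is an added example, not code from the thread or from GitHub; it assumes `openssl` and a Git built against a libcurl that supports `http.pinnedPubkey`, and that the certificate PEM passed as the first argument was obtained out of band (for example copied from a trusted machine), since a pin computed over an attacker-supplied certificate protects nothing.

```shell
#!/bin/sh
# Added example (not from the HN thread). Pins the server's public key for a
# Git HTTPS remote so that a spoofed certificate is rejected unless it carries
# the expected SubjectPublicKeyInfo, regardless of which CA signed it.
# Assumes: openssl and git installed; argument 1 is a trusted certificate PEM.

# Print the SPKI pin in the form git's http.pinnedPubkey expects:
# base64(sha256(DER-encoded SubjectPublicKeyInfo)) without the "sha256//" prefix.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A
}

# Hypothetical helper: write the pin into git config scoped to one URL
# prefix (defaults to GitHub). With this set, git refuses the TLS handshake
# to that remote unless the peer's public key hashes to the pinned value.
pin_git_remote() {
    cert="$1"
    url="${2:-https://github.com/}"
    pin="$(spki_pin "$cert")" || return 1
    git config --global "http.$url.pinnedPubkey" "sha256//$pin"
    echo "pinned $url to sha256//$pin"
}

# Usage: sh pin.sh /path/to/github.pem [https://github.com/]
if [ "$#" -ge 1 ]; then
    pin_git_remote "$@"
fi
```

Because the pin is over the key rather than the certificate, it survives certificate renewals that reuse the key but breaks cloning as soon as the server rotates to a new key, so it needs to be maintained deliberately.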
