First good argument I see about why the GitHub acquisition is bad. https://twitter.com/ErrataRob/status/1003396869052141568 …
No, it's only possible if the client accepts your forged certificate. It's amazing how many people can't conceive of math/cryptography and think lack of MITM is a social convention.
-
Thus proving my point. It doesn’t need to be a valid certificate on the user’s end. If China were to force this you still wouldn’t be able to access it without accepting their forged certificate or bypassing the firewall with a VPN, etc. I didn’t say it needed to be invisible.
-
Modern browsers outright won't let you connect on certificate errors (HSTS). It's increasingly hard to "just ignore the warning".
-
Also, many command line tools don't even have a flag for that. I don't even know if there's any reasonably easy way of getting 'git clone' to ignore cert errors. Maybe there's a config option?
-
Looks like `git -c http.sslVerify=false`. Possible, but non-obvious enough you really don't want to be making *every* developer in your country do it.
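Added example, not part of the thread above: a small audit that flags git configuration where certificate verification has been switched off persistently, the setting the last tweet names. The function names and the sample config are constructed for illustration; `http.sslVerify` and the `GIT_SSL_NO_VERIFY` environment variable are git's own.

```python
import re

# Values git reads as boolean false (compared case-insensitively).
FALSE_VALUES = {"false", "no", "off", "0", ""}
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\s*\]$')
SETTING = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

def find_disabled_tls(config_text):
    """Return (line_no, scope) for each http.sslVerify set to a false value.

    scope is "*" for the plain [http] section, or the URL from an
    [http "<url>"] section that limits the setting to one remote.
    """
    findings = []
    section, scope = None, "*"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = SECTION.match(line)
        if header:
            section, scope = header.group(1).lower(), header.group(2) or "*"
            continue
        setting = SETTING.match(line)            # a bare key (no "=") means true
        if not setting or section != "http":
            continue
        key, value = setting.group(1).lower(), setting.group(2)
        # Drop a trailing comment and optional quotes before comparing.
        value = re.split(r"[#;]", value, maxsplit=1)[0].strip().strip('"').lower()
        if key == "sslverify" and value in FALSE_VALUES:
            findings.append((line_no, scope))
    return findings

def env_disables_tls(env):
    """GIT_SSL_NO_VERIFY set to any value turns verification off."""
    return "GIT_SSL_NO_VERIFY" in env

# Constructed sample, not taken from any real machine.
SAMPLE_CONFIG = """\
[user]
    name = dev
[http]
    sslVerify = false
[http "https://git.example.internal/"]
    SSLVERIFY = no  ; legacy mirror
[http "https://github.com/"]
    sslVerify = true
"""

if __name__ == "__main__":
    for line_no, scope in find_disabled_tls(SAMPLE_CONFIG):
        print(f"line {line_no}: certificate verification disabled for {scope}")
```

A one-off `git -c http.sslVerify=false` invocation leaves nothing in a config file, so this catches only the persistent variants.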