Mercurial over HTTPS - ouch, SSL isn't always secure · 2009-11-18 08:43 by Wladimir Palant
I set up my Mercurial server as HTTPS only. The idea behind it was that establishing a secure communication channel outweighs the disadvantages (server load, more traffic and somewhat slower pull operations) for a small server like that. But then I had second thoughts — I am using a StartCom certificate that isn’t yet accepted everywhere, what if somebody cannot pull the repository because of that?
So the question is which certificate store Mercurial is using to validate certificates. A quick Google search didn’t bring up anything relevant; I simply had to test it. And I discovered that Mercurial doesn’t validate server certificates at all! It doesn’t matter whether the server uses a self-signed certificate or whether the certificate is issued to a different server, Mercurial accepts them all. This makes using HTTPS rather pointless: there are MITM tools that will easily intercept that connection if you are on a public WLAN network, for example.
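An added example, not code from the original post or from Mercurial: in Python, the language Mercurial is written in, the two failures described above (self-signed certificate accepted, certificate for a different server accepted) correspond to two separate settings on a TLS client context. All function names here are assumptions made for illustration.

```python
import socket
import ssl


def unverified_context():
    """Client context with both checks off, matching the behaviour observed in the post."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def verified_context(cafile=None):
    """Client context that validates the chain against a CA store and checks the hostname."""
    # cafile=None uses the platform's default CA store; pass a PEM bundle to pin a CA.
    return ssl.create_default_context(cafile=cafile)


def audit(ctx):
    """Return one finding per certificate check that the context does not enforce."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not validated: self-signed certificates are accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate issued to another server is accepted")
    return findings


def probe(host, port, ctx, timeout=5.0):
    """Handshake with a server you operate; report success or the verification error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + str(tls.version())
    except ssl.SSLCertVerificationError as exc:
        return "rejected: " + exc.verify_message


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()), ("verified", verified_context())):
        print(name, audit(ctx) or "both checks enforced")
```

Running `probe` against your own server with each context shows whether a given certificate is accepted only because validation is off.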
I originally planned to allow push via HTTPS if I need to give other people access; this is easier to set up. With what I have learned now, however, I had better take the time and configure push via SSH. I just wish there were a warning about this in the Mercurial documentation; as it is now, the documentation suggests that publishing repositories via HTTPS is secure while the same thing over HTTP isn’t. And it is not like the developers aren’t aware of the problem (last two paragraphs).