From: Jeff King <peff@peff.net>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Martin Langhoff" <martin.langhoff@gmail.com>,
"Git Mailing List" <git@vger.kernel.org>
Subject: Re: Git ransom campaign incident report - May 2019
Date: Sun, 19 May 2019 01:07:24 -0400 [thread overview]
Message-ID: <20190519050724.GA26179@sigill.intra.peff.net> (raw)
In-Reply-To: <20190517222031.GA17966@sigill.intra.peff.net>
On Fri, May 17, 2019 at 06:20:31PM -0400, Jeff King wrote:
> What if we did this:
>
> 1. Do not ever write the password part of a URL into config.
>
> 2. When we extract the user/pass out of a URL, put them into the
> credential struct, so that when we successfully authenticate, we
> trigger storage. This _might_ actually happen already, but we
> should definitely confirm it.
>
> 3. If the user has no credential helper defined, then do one of:
>
> a. Warn them that the credential was not recorded, but that they
> can use "git clone -c credential.helper=store" as a fallback
> (but probably worded in a way to recommend using something
> stronger if possible).
>
> This is slightly annoying because following the advice requires
> re-cloning. Fixing it up from there is more like:
>
> git config credential.helper store
> git fetch
> [interactively input password]
>
> b. Just use credential-store. Optionally notify them of what
> happened (and that they might want to choose a better helper).
So here are patches to do that. Step 2 is indeed how things work
already, so nothing was needed there (there are still 3 patches because
there was a bit of prep-work ;) ).
I did 3b here: automagically enabling credential-store. I'm still on the
fence on whether that's a good idea or not.
I don't have any data on how many victims of this ransom campaign might
have been helped by this. But it certainly seems like a decent best
practice. I'd hope that _most_ people have moved on to using a
credential helper and supplying the initial password interactively these
days; this is really just aimed at people who don't know better. So the
goal is making them a bit more secure, but also educating them about the
other options. Hopefully without breaking any workflows. :)
-Peff
[1/3]: transport_anonymize_url(): support retaining username
[2/3]: clone: avoid storing URL passwords in config
[3/3]: clone: auto-enable git-credential-store when necessary
builtin/clone.c | 37 +++++++++++++++++++++++++++++++++++--
credential.c | 13 +++++++++++++
credential.h | 6 ++++++
t/t5550-http-fetch-dumb.sh | 12 ++++++++++++
transport.c | 21 ++++++++++++++-------
transport.h | 11 ++++++++++-
6 files changed, 90 insertions(+), 10 deletions(-)
next prev parent reply other threads:[~2019-05-19 18:34 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-15 17:49 Git ransom campaign incident report - May 2019 Martin Langhoff
2019-05-15 18:59 ` Ævar Arnfjörð Bjarmason
2019-05-16 4:27 ` Jeff King
2019-05-17 19:39 ` Johannes Schindelin
2019-05-17 22:20 ` Jeff King
2019-05-17 23:13 ` Martin Langhoff
2019-05-19 5:07 ` Jeff King [this message]
2019-05-19 5:10 ` [PATCH 1/3] transport_anonymize_url(): support retaining username Jeff King
2019-05-19 23:28 ` Eric Sunshine
2019-05-20 16:14 ` René Scharfe
2019-05-20 16:36 ` Johannes Schindelin
2019-05-20 16:43 ` Johannes Schindelin
2019-05-19 5:12 ` [PATCH 2/3] clone: avoid storing URL passwords in config Jeff King
2019-05-19 5:16 ` [PATCH 3/3] clone: auto-enable git-credential-store when necessary Jeff King
2019-05-20 11:28 ` Eric Sunshine
2019-05-20 12:31 ` Jeff King
2019-05-20 16:48 ` Johannes Schindelin
2019-05-20 13:56 ` Ævar Arnfjörð Bjarmason
2019-05-20 14:08 ` Jeff King
2019-05-20 15:17 ` Ævar Arnfjörð Bjarmason
2019-05-20 15:24 ` Jeff King
2019-05-20 17:08 ` Ævar Arnfjörð Bjarmason
2019-05-20 14:43 ` Git ransom campaign incident report - May 2019 Johannes Schindelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190519050724.GA26179@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=Johannes.Schindelin@gmx.de \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=martin.langhoff@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).