
There are multiple questions regarding how to disable HTTP SSL verification for git (check How do I set GIT_SSL_NO_VERIFY for specific repos only? and Unable to set the sslVerify to false).

However, I have not been able to find a comprehensive description of the potential security implications of disabling verification.

How risky is this behavior? Why?

Simón Ramírez Amaya
    Never disable verification. Otherwise you are as good as not using TLS at all. No verification means you are sending encrypted content (because of TLS) that is shielded from any onlooker but to an unknown third party. So the fact that they are encrypted is useless. – Patrick Mevzek May 13 '20 at 21:31

1 Answer


If you disable TLS verification by using this option, you have no security. Any attacker who can intercept your communications can create a self-signed certificate with the same domain name, pretend to be the server in question, and snoop on and tamper with all your traffic; this is a classic man-in-the-middle attack. This is trivial for anyone who is on the same network as you or anyone who can announce a BGP feed. It is well known that packets can get routed elsewhere due to state actors or sometimes just mistakes.

Verifying TLS certificates against a set of trustworthy certificate authorities prevents this from happening because those certificate authorities will only issue certificates for a given domain name to someone who can prove that they control the domain in question. An attacker will not be able to acquire such a certificate since they cannot prove that control and hence any MITM attack would fail due to an invalid certificate.

The only time it is safe to disable TLS verification is if you're working with localhost on a trusted computer (e.g., your laptop), in which case an attacker would not be able to insert themselves. Otherwise, disabling TLS verification is equivalent to using no encryption at all, and permits almost anyone to inspect and tamper with your data at will without you noticing.

bk2204
  • This is true if you are hosting your site publicly. If you are hosting on an internal network, and you would like to use a self signed cert, then you can do that but you will need to understand that a man in the middle attack could happen if your local DNS server is compromised. You can avoid this by setting a local DNS override on your machine, and all machines connecting to this server. It is important to state this because if you want to host a GitLab server on your internal network for a single developer, it doesn't make sense to pay for a cert. – SORC_ Aug 17 '23 at 00:20
  • 1
    Let's Encrypt, as well as other CAs, offer publicly trusted certs for free. You can issue certificates for any domain that you control the DNS for, which means that you can issue for internal domain names. In general, many people have insecure local home networks (due to poor Wi-Fi passwords, compromised or insecure devices including phones, routers, and printers, or various other reasons) and using TLS even for internal networks is prudent and strongly recommended. – bk2204 Aug 17 '23 at 01:10
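The exchange above boils down to two configurations that look similar but are not: `http.sslVerify = false` turns verification off entirely, while `http.<url>.sslCAInfo` keeps verification on and tells git which CA bundle to trust for one server (the right answer for an internal self-signed or private CA). The script below is an added example, not code from the question or the answer, that audits a git config file for both settings. It uses a deliberately minimal parser (it assumes plain `[section]` / `[section "subsection"]` headers and `key = value` lines, and does not handle `include` directives, multi-line values or escape sequences); the config text it scans is constructed for the example.

```python
"""Audit a git config for disabled TLS verification (added example)."""
import re

# Constructed sample config (not from the page). It mixes a global
# sslVerify=false, a per-URL sslVerify=false, and the safer alternative
# for an internal CA: a per-URL sslCAInfo pin that keeps verification on.
SAMPLE_GITCONFIG = """\
[user]
\tname = Example Dev
[http]
\tsslVerify = false
[http "https://git.internal.example"]
\tsslVerify = false
[http "https://gitlab.internal.example"]
\tsslCAInfo = /etc/ssl/internal-ca.pem
"""

# [section] or [section "subsection"]; git lowercases section names
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
# key = value; git treats keys case-insensitively, so we lowercase them
KEY_RE = re.compile(r'^([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')
# a bare key with no "=" means boolean true in git
BARE_KEY_RE = re.compile(r'^[A-Za-z][\w-]*$')


def parse_git_config(text):
    """Return {(section, subsection_or_None): {key: value}} (minimal parser)."""
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            config.setdefault(current, {})
            continue
        if current is None:                       # key outside any section
            continue
        m = KEY_RE.match(line)
        if m:
            config[current][m.group(1).lower()] = m.group(2)
        elif BARE_KEY_RE.match(line):
            config[current][line.lower()] = "true"
    return config


def git_is_false(value):
    """git's boolean false spellings: no, off, false, 0, or an empty value."""
    return value.strip().lower() in ("no", "off", "false", "0", "")


def audit_http_tls(text):
    """Classify each [http] scope: '*' is the global section, else the URL.

    UNVERIFIED  -> sslVerify is false: the certificate is never checked,
                   so anyone on the path can impersonate the server.
    PINNED_CA   -> sslCAInfo points at a CA bundle: verification stays on,
                   just against a private CA instead of the system store.
    DEFAULT     -> verification against the system CA store.
    """
    result = {}
    for (section, sub), keys in parse_git_config(text).items():
        if section != "http":
            continue
        scope = sub if sub is not None else "*"
        if git_is_false(keys.get("sslverify", "true")):
            result[scope] = "UNVERIFIED"
        elif "sslcainfo" in keys:
            result[scope] = "PINNED_CA"
        else:
            result[scope] = "DEFAULT"
    return result


if __name__ == "__main__":
    for scope, status in audit_http_tls(SAMPLE_GITCONFIG).items():
        print(f"{status:11} {scope}")
```

Run against a real file with `audit_http_tls(open('~/.gitconfig').read())` (after expanding the path); any `UNVERIFIED` scope is the condition the answer describes. The remediation for an internal server is to replace the `sslVerify = false` entry with a `[http "https://host"]` section carrying `sslCAInfo = /path/to/ca.pem` (or to get a publicly trusted certificate, as the second comment notes), which the audit then reports as `PINNED_CA`.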