Certificate pinning for github.com

[Demi-Marie]

The problem I'm trying to solve:
hub should pin the either the certificate or certificate authority used by GitHub, and tell git processes it runs to do the same.

How I imagine hub could expose this functionality:
This should work out of the box for github.com. For GitHub Enterprise, configuring a certificate authority and/or certificate will be required.

[mislav]

Hi, thank you for writing in!

1. What does it min to "pin" a certificate or certificate authority?
2. Why should we do it?
3. How do we tell git processes to do the same?
4. What exactly would need to be configured for Enterprise?

[Demi-Marie]

Hi, thank you for writing in!

You’re welcome!

1. What does it min to "pin" a certificate or certificate authority?

“Pinning” refers to accepting only a specific certificate or certificate authority, rather than any certificate that can be validated against a root certificate trusted by the OS.

2. Why should we do it?

The purpose of pinning is to protect against credential leakage should a trusted certificate authority be fooled into issuing fraudulent certificates. This can happen either because the certificate authority is compromised, or because someone has managed to convince the certificate authority that they control a domain when in fact they do not. Both have happened in the past.

3. How do we tell git processes to do the same?

Not sure. There may be a way to do so via environment variables. If we make command-line calls to libgit2, we should be fine.

One alternative would be for GitHub to provide anonymous, read-only SSH access.

4. What exactly would need to be configured for Enterprise?

For Enterprise, a certificate authority would need to be specified.

[mislav]

Thanks for explaining. I'm not sure if I have the bandwidth to research/implement this, but I've found a golang library that is promising: https://github.com/tam7t/hpkp

For shelling out to git, this might be a git config option to look into: http.pinnedpubkey

However wants to take a stab at this is welcome!