Hacker News

MITM for GitHub or another code forge is one of the things I'm least concerned about, because GitHub to me is a place where things go to be made public. One of the security principles I live by is not to upload anything to the Internet that I wouldn't mind being shared completely in public.

The only exceptions I make are video conferencing and email. Jitsi provides great end-to-end encryption for the former (although the 8x8 server's recent prohibition of anonymous use is disappointing).



> MITM for GitHub or another code forge is one of the things I'm least concerned about, because GitHub to me is a place where things go to be made public.

This is not just about secrecy, but also about integrity. Someone who MITMs your connection could not only look at the code you published, but also modify it. Then later someone who was trusting you (or possibly even yourself on a new machine) will end up downloading and running the modified code.


In this particular case, I'm not sure it would be possible to modify the code in transit, because although you could trick the user into submitting the code into Fake GitHub, you wouldn't be able to authenticate as the user to submit your modified copy to Real GitHub.

More importantly, in my opinion, the end-user has no way of verifying the integrity of the code if authentication was the only security measure. By signing releases or the commits themselves (which can be done with both PGP and SSH keys currently) the end-user can verify the integrity themselves.


Same. I presume every company I have an account on will be compromised at some point, and all my account data will be out in the wild. This presumption hasn't disappointed so far ;)



