I recently read an article talking about the supply chain vulnerability of accessing Git using the git:// protocol instead of https://. Because the Git protocol is not encrypted, it would be possible for a well-positioned attacker to perform a Man In The Middle (MITM) attack when a client like F-Droid is cloning the repository. This would then cause F-Droid to build Privacy Browser with whatever modifications the MITM attacker inserted into the source code.
The solution to this problem is to use HTTPS, which isn’t as efficient a protocol when it comes to Git repositories, but it is encrypted, which thwarts a MITM attack unless the attacker is also able to acquire a valid SSL certificate for my domain.
Making this change requires modifying the URLs used to clone Privacy Browser’s repository. Previously the command was:
git clone git://git.stoutner.com/git/PrivacyBrowser.git
Now it is:
git clone https://git.stoutner.com/PrivacyBrowser.git
Similarly the new command to clone the repository for the Privacy Browser ROM Integration is:
git clone https://git.stoutner.com/PrivacyBrowserROMIntegration.git
git clone https://git.stoutner.com/UltraList.git
git clone https://git.stoutner.com/UltraPrivacy.git
Making this change also requires changing the URL used for GitWeb to avoid a collision. Previously, the URL for GitWeb used the
Now it has changed to the
This means that old links in redmine.stoutner.com will not work unless updated. If I ever need to look at an old issue I will update the URL. Otherwise, if you want to follow one of the links, you can modify it yourself to switch to the new domain.
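
Existing clones made with the old git:// command keep fetching over the unencrypted transport until their remote is changed. The shell functions below are an added example, not part of the original post: they list git:// remotes in a clone, rewrite them using the before/after URLs shown above, and optionally refuse the git:// transport in that clone. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Map an old git:// URL on git.stoutner.com to its HTTPS form. The /git/ path
# prefix is dropped, matching the post's before/after clone commands.
# Any other URL is printed unchanged.
to_https_url() {
    printf '%s\n' "$1" |
        sed 's#^git://git\.stoutner\.com/git/#https://git.stoutner.com/#'
}

# Print "<remote> <url>" for every remote of the clone in $1 whose fetch or
# push URL still uses the unencrypted git:// transport.
insecure_remotes() {
    git -C "$1" remote -v | awk '$2 ~ /^git:\/\// {print $1, $2}' | sort -u
}

# Rewrite each git:// remote of the clone in $1 that has a known HTTPS mapping.
# "git remote set-url" changes the fetch URL; a separately configured pushurl
# would need "git remote set-url --push" as well.
fix_remotes() {
    insecure_remotes "$1" | while read -r name url; do
        new=$(to_https_url "$url")
        if [ "$new" != "$url" ]; then
            git -C "$1" remote set-url "$name" "$new"
            echo "$name: $url -> $new"
        else
            echo "$name: no HTTPS mapping known for $url, left unchanged" >&2
        fi
    done
}

# Make Git refuse the git:// transport in this clone (this also covers
# submodule URLs), so a leftover git:// URL fails instead of fetching in the clear.
block_git_protocol() {
    git -C "$1" config protocol.git.allow never
}
```

Run `fix_remotes /path/to/clone` once per existing checkout; build systems that cannot edit stored URLs can get the same effect with Git's `url.<base>.insteadOf` setting.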