From: Yuri <yuri@rawbw.com>
To: freebsd-security@freebsd.org
Subject: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 5 Dec 2017 12:59:25 -0800
Message-ID: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>

I suggested this PR, but it got rejected: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224097

http is insecure by its nature, and is an easy target for MITM. This is why https should be preferred.
http needs to be discontinued and shut down because, as long as it exists, somebody will keep using it and will be in danger. A few years ago the Wikimedia Foundation switched to https and discontinued http entirely: https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https

I think this makes a lot of sense, and FreeBSD should do the same. It's understood that a lot of arguments can be made for and against this, like with any other issue, but the security argument should outweigh most or all other arguments.

Regards,
Yuri