From: Yuri
To: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Thu, 7 Dec 2017 09:06:27 -0800
Message-ID: <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>
In-Reply-To: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>

On 12/05/17 12:59, Yuri wrote:
> I suggested this PR, but it got rejected:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224097
>
> http is insecure in its nature, and is an easy target for MITM. This
> is why https should be preferred. http needs to be discontinued and
> shut down because as long as it exists somebody will keep using it and
> will be in danger.
>
> A few years ago Wikimedia Foundation switched to https and discontinued
> http entirely:
> https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https
> I think this makes a lot of sense, and FreeBSD should do the same.
>
> It's understood that a lot of arguments can be made for and against
> this, like with any other issue, but the security argument should outweigh
> most or all other arguments.

Let's forget about all the abstract arguments and considerations, and consider this concrete scenario:

Let's assume there is a malicious hacker who runs a malicious Tor exit node. In his attempt to spread malware, he watches all outbound http traffic for subversion requests to the domain FreeBSD.org. Once he detects such a request, he serves the maliciously patched versions of popular ports and kernel in the hope that they will be rebuilt locally and run. The unfortunate FreeBSD user who updated his source tree through Tor got infected.

This can't possibly happen if the https protocol was in use, because the hacker is just a private person and doesn't have access to any CA authorities, and doesn't impersonate anybody.

Please justify the use of the http protocol in the face of this scenario.

Yuri
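
A defender-side check related to the scenario above, as an added example that is not part of the original message: it walks a directory tree, reads each Subversion 1.7+ working copy's `.svn/wc.db`, and reports checkouts whose repository root is a plaintext http URL, together with the `svn relocate` command that moves them to https. It assumes the server offers the same path over https; the function names are illustrative.

```python
# Added example: find Subversion working copies that talk plaintext http.
import os
import sqlite3
import sys
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit


def repo_roots(wc_db):
    """Read repository root URLs from a Subversion 1.7+ wc.db (opened read-only)."""
    con = sqlite3.connect(Path(wc_db).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return [row[0] for row in con.execute("SELECT root FROM REPOSITORY")]
    finally:
        con.close()


def https_equivalent(url):
    """Same URL with the scheme swapped to https (assumption: server offers it)."""
    return urlunsplit(("https",) + tuple(urlsplit(url)[1:]))


def audit(top):
    """Return (working_copy, http_url, suggested_https_url) for every working
    copy under `top` whose repository root uses plaintext http."""
    findings = []
    for dirpath, dirnames, _files in os.walk(top):
        if ".svn" not in dirnames:
            continue
        dirnames.remove(".svn")  # never descend into the metadata directory
        wc_db = os.path.join(dirpath, ".svn", "wc.db")
        if not os.path.isfile(wc_db):
            continue  # pre-1.7 working copy format, not handled here
        try:
            roots = repo_roots(wc_db)
        except sqlite3.Error:
            continue  # unreadable file or not a working-copy database
        for root in roots:
            if urlsplit(root).scheme.lower() == "http":
                findings.append((dirpath, root, https_equivalent(root)))
    return findings


if __name__ == "__main__":
    for wc, url, fixed in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{wc}: {url}")
        print(f"  fix: svn relocate {url} {fixed} {wc}")
```

Switching the URL only helps if the client then validates the server certificate, so the relocated working copy should be updated once interactively to confirm no certificate warning is being accepted.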