From owner-freebsd-security@freebsd.org Sun Dec 10 19:53:15 2017
From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 19:52:32 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri
Cc: freebsd security, RW
In-Reply-To: <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com> <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
List-Id: "Security issues [members-only posting]"

On 10 December 2017 at 19:47, Yuri wrote:
> On 12/10/17 11:36, Igor Mozolevsky wrote:
>> If I give my bank card and PIN to someone who I don't trust, I can't
>> complain that my bank doesn't take adequate precautions if that person
>> drains my bank account! You choose to go down a route that **you** know is
>> compromised!
>
> 1. The user has set up the subversion source trees based on the *current
> advice* here for anonymous checkout: https://wiki.freebsd.org/PortsSubversionPrimer
>
> % svn co http://svn.freebsd.org/ports/head /usr/ports
>
> 2. The user heard that Tor improves his anonymity, and decided to use it.
>
> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?
>
> The fact that this page https://wiki.freebsd.org/PortsSubversionPrimer still
> recommends http is appalling!

The freebsd wiki doesn't recommend Tor, does it?! If the user was so badly
educated about Tor, why is it FreeBSD's problem, honestly?

What you're saying is no different than "Alice" doesn't want to download
FreeBSD herself, so she asks "Eve" to get her a CD with the source code.
Unbeknownst to Alice, Eve replaces a bunch of files on the CD and presents
the CD to Alice as a bona fide copy. The problem in the chain is Eve (or Tor,
in your case), not where Eve got the CD from!

This discussion is turning circular and, quite frankly, ridiculous!

--
Igor M.
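The practical point under the argument above is that a working copy checked out over `http://` can have its contents altered by whoever sits on the path (an exit relay, in Yuri's scenario), while `https://` authenticates the server and protects the transfer. The script below is an added example for auditing that condition; it is not code from the thread or from the FreeBSD project. It classifies a repository URL by transport and, for a plaintext one, prints the `svn relocate` command that moves the working copy to the TLS equivalent. It assumes the URL would normally be read with `svn info --show-item url` (Subversion 1.9 and later); here a constructed sample URL taken from the thread is used instead so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Subversion working-copy URL for
# plaintext transport and derive the TLS URL to relocate to.

# svn_url_transport URL -> prints "plaintext" for http://, "tls" for https://,
# "other" for anything else (svn://, svn+ssh://, file://, ...).
svn_url_transport() {
    case "$1" in
        http://*)  printf '%s\n' plaintext ;;
        https://*) printf '%s\n' tls ;;
        *)         printf '%s\n' other ;;
    esac
}

# svn_url_to_https URL -> rewrites an http:// URL to https:// on the same host
# and path; any other URL is returned unchanged.
svn_url_to_https() {
    case "$1" in
        http://*) printf 'https://%s\n' "${1#http://}" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# svn_relocate_hint URL -> prints the `svn relocate FROM TO` command that moves
# the working copy off plaintext HTTP; prints nothing when no move is needed.
svn_relocate_hint() {
    _from=$1
    _to=$(svn_url_to_https "$_from")
    if [ "$_to" != "$_from" ]; then
        printf 'svn relocate %s %s\n' "$_from" "$_to"
    fi
}

# audit_svn_url URL -> reports the finding; returns 1 for a plaintext URL so
# the check can gate a script, 0 otherwise.
audit_svn_url() {
    _url=$1
    case $(svn_url_transport "$_url") in
        plaintext)
            echo "WARN: $_url is fetched over plaintext HTTP; the checkout is not authenticated"
            svn_relocate_hint "$_url"
            return 1 ;;
        tls)
            echo "OK: $_url uses TLS"
            return 0 ;;
        *)
            echo "INFO: $_url uses a transport this check does not classify"
            return 0 ;;
    esac
}

# Constructed sample: the URL quoted in the thread. In a real audit this would
# come from:  url=$(svn info --show-item url /usr/ports)
SAMPLE_URL='http://svn.freebsd.org/ports/head'
audit_svn_url "$SAMPLE_URL" || true
```

Run against a real working copy, replace `SAMPLE_URL` with the output of `svn info --show-item url /usr/ports`; the printed `svn relocate` line is the only change needed to switch an existing checkout to TLS without re-downloading the tree.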