From owner-freebsd-security@freebsd.org Sun Dec 10 19:57:34 2017
Return-Path:
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 782E8E995EC for ; Sun, 10 Dec 2017 19:57:34 +0000 (UTC) (envelope-from phk@critter.freebsd.dk)
Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 33B897FF40 for ; Sun, 10 Dec 2017 19:57:33 +0000 (UTC) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 5AC7E2736D; Sun, 10 Dec 2017 19:57:31 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vBAJvF95024469 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 10 Dec 2017 19:57:15 GMT (envelope-from phk@critter.freebsd.dk)
Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vBAJvEit024468; Sun, 10 Dec 2017 19:57:14 GMT (envelope-from phk)
To: Yuri
cc: Igor Mozolevsky, freebsd security, RW
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-reply-to: <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
From: "Poul-Henning Kamp"
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com> <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <24466.1512935834.1@critter.freebsd.dk>
Date: Sun, 10 Dec 2017 19:57:14 +0000
Message-ID: <24467.1512935834@critter.freebsd.dk>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 10 Dec 2017 19:57:34 -0000

--------
In message <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>, Yuri writes:

> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?

He trusted Tor?

In 2006 Steven Murdoch's "Hot or Not" work on TCP timers revealed that a LOT of the Tor network is on a longitude compatible with a "Bandit of The Beltway" location.

If you still, eleven years later, seriously believe that Tor is trustworthy, you shouldn't be allowed near any kind of security decision.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.