From owner-freebsd-security@freebsd.org Sun Dec 10 20:08:52 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 77EC4E99E20 for ; Sun, 10 Dec 2017 20:08:52 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (hz.grosbein.net [78.47.246.247]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 0B2848098F for ; Sun, 10 Dec 2017 20:08:51 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged)) by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id vBAK8jPa098429 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 10 Dec 2017 21:08:48 +0100 (CET) (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: yuri@rawbw.com Received: from [10.58.0.4] ([10.58.0.4]) by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id vBAJb8M5042012 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 11 Dec 2017 02:37:08 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Yuri , Igor Mozolevsky References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> Cc: freebsd security , RW From: Eugene Grosbein Message-ID: <5A2D8CDF.80903@grosbein.net> Date: Mon, 11 Dec 2017 02:37:03 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_00, LOCAL_FROM, RDNS_NONE autolearn=no autolearn_force=no version=3.4.1 X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * 1.9 RDNS_NONE Delivered to internal network by a host with no rDNS * 2.6 LOCAL_FROM From my domains X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hz.grosbein.net X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 20:08:52 -0000 11.12.2017 2:23, Yuri wrote: > On 12/10/17 10:15, Igor Mozolevsky wrote: >> They are not "hypothetical characters," they are invented characters that >> are used in a threat model. But that's reframing the problem- a >> hypothetical threat model is very different to a real threat model. > > > This is a very real threat model. There are a lot of malicious Tor exit node operators, > and a lot of FreeBSD users update their system over subversion. The > only thing that the Tor node operator needs to do is to detect relevant requests and serve malware. Hmm, you should not pass your traffic through the network operated by lots of malicious operators in first place. No matter encrypted or not. There are plenty of alternative ways.