Subject: Re: http subversion URLs should be discontinued in favor of https URLs
From: TJ Varghese
To: Poul-Henning Kamp, Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Dewayne Geraghty, Gordon Tetlow
Date: Fri, 8 Dec 2017 16:25:39 +0800

On 12/07/2017 10:50 PM, Poul-Henning Kamp wrote:
>
>> You can't have the latter without the former. Assertion of identity is
>> the only protection against MITM eavesdropping or tampering.
> Or more generally:
>
> If you don't/can't trust the other end, why would you trust them to
> keep the communication secret?
>

I'm curious as to your take on electronic banking. Should they all merely use HTTP since HTTPS is hopelessly compromised by design? If your objection is that HTTPS brings nothing to the security table, then it really doesn't make a difference where it's used and we should all just stop using it, no?