From: Michelle Sullivan
Date: Fri, 08 Dec 2017 21:29:25 +1100
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, Jason Hellenthal, Poul-Henning Kamp
Cc: "freebsd-security@freebsd.org"

Yuri wrote:
> On 12/07/17 15:16, Jason Hellenthal wrote:
>> The truly paranoid types that don’t want anyone to know they are
>> using FreeBSD apparently.
>>
>> Honestly if they are that worried about http then get a private vpn
>> tunnel and run through that instead !
>
>
> Some people aren't aware that they use http, and enable Tor because
> they think that it improves privacy. It's very easy to use such setup
> inadvertently.

Ding! Ding! Ding! we have a winner!

This is about privacy and anonymity rather than security then...

Sorry you want to ensure a secure (trusted) connection you do it yourself. You go through other nodes (switches and routers of the normal internet) you make a choice... do I trust them to deliver my packets untampered with or not? I know there are nodes out there that are doing monitoring and filtering and even returning bad data (accessing a certain 58 servers/IPs in Australia will have all HTTP spoofed to return a static message that has nothing to do with those 58 servers... I now run a proxy on a network I trust and a VPN to that network (all of which are in Australia) and don't have my packets intercepted.)

If you're running your connection over Tor, you're running over a second layer with people out there that are not even necessarily trustworthy, many are people that they themselves use Tor for legally questionable actions, many for perfectly valid (though legally questionable) reasons.. (think: penetration testers - even commissioned ones).. but by using Tor you are accepting the risks in the knowledge that your data is traversing a network where people with questionable legal motives/positions...

So basically you want everyone to double their resources so that you can risk using an inherently untrustable network in the name of privacy... which in many cases you won't have anyway (because if the person doesn't know they are using http, then there is a pretty good chance they haven't secured their browser so it's spewing tracking cookies and other privacy defeating headers anyhow!)

Enough please!

Michelle