From owner-freebsd-security@freebsd.org Sun Dec 10 21:03:15 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 50254E9CA6E for ; Sun, 10 Dec 2017 21:03:15 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (hz.grosbein.net [78.47.246.247]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id B76BE3F53 for ; Sun, 10 Dec 2017 21:03:14 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged)) by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id vBAL39N0098892 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 10 Dec 2017 22:03:10 +0100 (CET) (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: yuri@rawbw.com Received: from [10.58.0.4] ([10.58.0.4]) by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTPS id vBAL36LZ067229 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 11 Dec 2017 04:03:06 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Yuri , Igor Mozolevsky References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2D8CDF.80903@grosbein.net> <5A2D9CEF.9020404@grosbein.net> <2fde7b1e-7174-00d1-5fd0-65c385bdcdef@rawbw.com> Cc: freebsd security , RW From: Eugene Grosbein Message-ID: <5A2DA105.9030501@grosbein.net> Date: Mon, 11 Dec 2017 04:03:01 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: <2fde7b1e-7174-00d1-5fd0-65c385bdcdef@rawbw.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=2.2 required=5.0 tests=BAYES_00, LOCAL_FROM, RDNS_NONE autolearn=no autolearn_force=no version=3.4.1 X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * 1.9 RDNS_NONE Delivered to internal network by a host with no rDNS * 2.6 LOCAL_FROM From my domains X-Spam-Level: ** X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hz.grosbein.net X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 21:03:15 -0000 11.12.2017 3:54, Yuri wrote: >>> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not? >> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway >> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning. > > There's no MITMing with https unless you are a state actor. There are very few state actors, they are special case. > Regular hackers can't MITM https, but can MITM http. You either have no idea, or missed the point. In fact, anyone can do MITM (ssl bump) for https running through its system. It is only question of making it undetected and then you have a choice described in the quote above.