From owner-freebsd-security@freebsd.org Sun Dec 10 22:51:37 2017
From: Michelle Sullivan
To: Yuri, Igor Mozolevsky
Cc: freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Mon, 11 Dec 2017 09:49:28 +1100
Message-id: <5A2DB9F8.1040301@sorbs.net>
In-reply-to: <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com> <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40
List-Id: "Security issues [members-only posting]"

Yuri wrote:
> On 12/10/17 11:36, Igor Mozolevsky wrote:
>> If I give my bank card and PIN to someone who I don't trust, I can't
>> complain that my bank doesn't take adequate precautions if that person
>> drains my bank account! You choose to go down a route that *you* know is
>> compromised!
>
> 1. The user has set up the subversion source trees based on the
> *current advice* here for anonymous checkout:
> https://wiki.freebsd.org/PortsSubversionPrimer
>
>> % svn co http://svn.freebsd.org/ports/head /usr/ports
>
> 2. The user heard that Tor improves his anonymity, and decided to use it.
>
> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?

User gets an email saying his banking details are compromised, and to update them now. User clicks the link and gives banking details to a phishing site, as well as having a keylogger and rootkit installed during the process. User has bank account hacked. Where did the bank go wrong?

Bank installs secondary security to prevent phishing / user realises the site is phishing and puts in false details or aborts the input... Keylogger is still on their system though, because that was installed on the first click, before the page was updated, because of a compromised Microsoft code signing certificate... Where did the bank or the user go wrong?

Maybe instead, user takes their phone into the local Maccas and uses the hotspot there; as part of the sign-in they get a compromised app from a local hacker that has been stalking the hotspot... Ding ding ding, we have a winner... can't trust the network, just like the Tor case... etc etc etc

Michelle