Date: Mon, 11 Dec 2017 10:05:12 +1100 From: Michelle Sullivan <michelle@sorbs.net> To: Igor Mozolevsky <mozolevsky@gmail.com>, freebsd security <freebsd-security@freebsd.org> Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <5A2DBDA8.7030703@sorbs.net> In-Reply-To: <20171210194234.GJ5901@funkthat.com> References: <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com> <20171210173222.GF5901@funkthat.com> <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws%2B33V8VzX1Q@mail.gmail.com> <20171210190257.GH5901@funkthat.com> <CADWvR2jxCH=-VTY1W3wzFhzo8mWSjZqeVpVrCQFNobZepWbqKg@mail.gmail.com> <20171210194234.GJ5901@funkthat.com>
next in thread | previous in thread | raw e-mail | index | archive | help
John-Mark Gurney wrote: > Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 19:17 +0000: >> On 10 December 2017 at 19:02, John-Mark Gurney <jmg@funkthat.com> wrote: >> >> >>> So, you require an exploit in the wild before you'll patch? >> No, I'm saying it's not a realistic threat model! If the threat is the >> integrity of the source code in transit, then it'd be way cheaper and way >> more reasonable to implement a Merkle Tree-like verification with each >> revision. > Then you should be fine w/ http for banking sites, since it's not realistic > that your ISP will MITM your connection to steal money from you, right? > I don't know of a single instance of an ISP MITM'ing banking transactions > to steal money. > Invalid analogy... You probably shouldn't go there... so I will. I have in the past (long time ago - well past that statute of limitations - so can share now) compromised an FTP server on a certain European ISPs network, on there I put a password sniffer looking for a very specific user/connection/password combination... 4 hours it took to get the password I then had "root" across their entire network and in particular to their IRC server... needless to say I have grown up since those days. However, at the time there was very little online banking, and all the banking I knew about was pretty much read only (checking balances, authorising payments to pre-existing arrangements etc)... but using this 'well you might as well use HTTP' would have left me with the opportunity to make a lot of illegal money real quick if you apply it now. Here's a tip, you come to my street and find my open wifi, I'll compromise your arse (just the same as these hypothetical 'malicious Tor node operators') you want a secure connection, one that won't leave you with a hacked android device, don't use my open wifi network. Come and ask me to use my secure network, or use another network. Michelle
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5A2DBDA8.7030703>