From: WhiteWinterWolf
To: Christian Weisgerber, freebsd-security@freebsd.org, karl@denninger.net
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Mon, 11 Dec 2017 17:34:48 +0100
Message-ID: <632cd44e-2072-8abf-ef3c-86701881e723@whitewinterwolf.com>
Hi,

On 11/12/2017 at 16:08, Christian Weisgerber wrote:
> Do users actually exist who have access to http but not to https?

I don't know about users, but caching is not possible anymore as soon as you use end-to-end HTTPS.

This is a reason why I personally like software and system updates to be served through HTTP instead of HTTPS. You don't need to fetch the same update for each environment each time from the remote vendor's system; you just need them to be somehow signed by him to ensure their authenticity.

This was just to give an example of why one would prefer to use HTTP over HTTPS, and how, as highlighted by Karl Denninger, a system which does too much may actually be harmful. When you need a signature, then apply a signature; don't add encryption, tunneling, dynamic cipher suite negotiation, session key exchange and so on as overhead.

Regards,
Simon.

-- 
WhiteWinterWolf
https://www.whitewinterwolf.com
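A minimal form of the signed-update check the post argues for, added here as an example and not code from the original thread: the vendor signs a small manifest (file name, SHA-256 of the payload and an expiry) with an Ed25519 key, and the client accepts a payload fetched over plain HTTP, possibly from an intermediate cache, only if the signature, the expiry and the payload hash all check out. The expiry field is an assumption I add to cover the case the post does not mention, a cache replaying an old but validly signed release; the key pair, file name and payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is what the vendor signs: update name, SHA-256 of the payload and an
// expiry (Unix seconds) so a cache cannot serve an old signed release forever.
type Manifest struct {
	Name    string
	Sha256  string
	Expires int64
}

// Bytes is the canonical encoding that gets signed and verified.
func (m Manifest) Bytes() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n", m.Name, m.Sha256, m.Expires))
}

// NewManifest is the vendor side: hash the payload about to be published.
func NewManifest(name string, payload []byte, expires int64) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Name: name, Sha256: hex.EncodeToString(sum[:]), Expires: expires}
}

// VerifyUpdate is the client side: a payload fetched over plain HTTP, possibly from
// a cache, is accepted only if signature, expiry and payload hash all check out.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte, now int64) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if now > m.Expires {
		return fmt.Errorf("manifest expired: stale cached update?")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.Sha256 {
		return fmt.Errorf("payload hash mismatch: tampered or wrong file")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	payload := []byte("constructed sample update payload")
	m := NewManifest("example-1.0.txz", payload, 2000000000)
	sig := ed25519.Sign(priv, m.Bytes())
	fmt.Println("intact:", VerifyUpdate(pub, m, sig, payload, 1700000000))
	fmt.Println("tampered:", VerifyUpdate(pub, m, sig, []byte("altered"), 1700000000))
}
```

Only the vendor's public key needs to be shipped with the client; the transport, and any cache in between, is untrusted and need not be.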