From: Matthew Finkel
Date: Mon, 11 Dec 2017 18:20:31 +0000
To: Poul-Henning Kamp
Cc: Yuri, freebsd security, RW, Igor Mozolevsky
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171211182031.jhgansyyw7xrk4il@localhost>
In-Reply-To: <24467.1512935834@critter.freebsd.dk>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

On Sun, Dec 10, 2017 at 07:57:14PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>, Yuri writes:
>
> >3. The user updated the sources through Tor and got hacked.
> >
> >Where did this user go wrong, or where has he been irresponsible?
>
> He trusted Tor?
>
> In 2006 Steven Murdoch's "Hot or Not" work in TCP timers revealed
> that a LOT of the Tor network is on a longitude compatible with a
> "Bandit of The Beltway" location.

Are you really referencing a paper from 11 years ago specifically about a hidden service confirmation attack? This is not within Tor's threat model. Yes, it is a real attack, and yes, this could and should be prevented, but this says absolutely nothing about the security or "trustworthiness" of the Tor network or the protection it provides 99% of all users.

>
> If you still, eleven years later, seriously believe that Tor is
> trustworthy, you shouldn't be allowed near any kind of security
> decision.

*head scratch*

Most of the relays are in Europe now, just FYI. Tor is not perfect, but it offers by far a better method of connecting two machines than using the Internet alone.

>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.