From owner-freebsd-security@freebsd.org Fri Sep 18 13:30:49 2015 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 914849CF186 for ; Fri, 18 Sep 2015 13:30:49 +0000 (UTC) (envelope-from freebsd@spam.lifeforms.nl) Received: from tau.lfms.nl (tau.lfms.nl [IPv6:2a00:f320:0:3::30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2A3A91EA6 for ; Fri, 18 Sep 2015 13:30:49 +0000 (UTC) (envelope-from freebsd@spam.lifeforms.nl) Received: from sim.dt.lfms.nl (sim.dt.lfms.nl [IPv6:2001:1af8:fe00:8414::30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by tau.lfms.nl (Postfix) with ESMTPS id 23433892C8 for ; Fri, 18 Sep 2015 15:30:46 +0200 (CEST) Received: from borax.dt.lfms.nl (borax.dt.lfms.nl [IPv6:2001:1af8:fe00:8414::112]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sim.dt.lfms.nl (Postfix) with ESMTPS id A8F689C09099 for ; Fri, 18 Sep 2015 15:30:45 +0200 (CEST) From: Walter Hop Message-Id: <7BAECC2B-5001-47D6-9199-8549697E7807@spam.lifeforms.nl> Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: HTTPS on freebsd.org, git, reproducible builds Date: Fri, 18 Sep 2015 15:30:45 +0200 References: To: freebsd-security@freebsd.org In-Reply-To: X-Mailer: Apple Mail (2.2104) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2015 13:30:49 -0000 >=20 >> Is there some reason "freebsd.org" and all it's >> subdomains don't immediately 302 over to >> https foreverafter? >=20 > Is there a reason to encrypt something that is completely public? = Perhaps to allow the visitor to conceal the fact that they are = interested in FreeBSD? That won't work, since the IP address of the = server can't be encrypted. I feel like I am missing something. Privacy is often important, but authentication (i.e. not having content = tampered with) may be more important in many cases. The US and UK governments are owning sysadmins who browse non-HTTPS = sites: = http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake= -linkedin-pages-a-932821.html = = https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-sy= stem-administrators/ = The Chinese government hijacked non-HTTPS sessions to inject DDoS = javascript: = https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-h= ijack-browsers-in-github-attack = If often-used sites migrate to HTTPS (together with HSTS) these attacks = will become a lot harder. I=E2=80=99m also seeing more demand for HTTPS from customers. In Europe = there has been a lot of mainstream coverage of tech privacy issues, and = various non-technical people now distrust sites that don=E2=80=99t have = =E2=80=9Ca lock=E2=80=9D. So it also has credibility/PR benefits to use = it by default. There is always effort involved in making the switch, but for most sites = and applications this is probably not an unreasonable amount given the = benefits. --=20 Walter Hop | PGP key: https://lifeforms.nl/pgp