From: Roger Marquis
To: Karl Denninger
Cc: freebsd-security@freebsd.org
Date: Mon, 11 Dec 2017 11:34:45 -0800 (PST)
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-Reply-To: <63cb70da-4e6f-af20-af3a-9741afaf03b9@denninger.net>
References: <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> <632cd44e-2072-8abf-ef3c-86701881e723@whitewinterwolf.com> <20171211180839.ycc7es5ekstq44gn@localhost> <63cb70da-4e6f-af20-af3a-9741afaf03b9@denninger.net>

Karl Denninger wrote:
> Advocating the FORCING of https is IMHO utterly ridiculous for the
> reasons I pointed out.

This is an important point. Given the differences of opinion noted here, there is no good reason not to allow sites to sync over the protocol of their choosing. Of course signed datasets would be excellent, as would verifiable builds, but (also IMO) not good enough to justify forcing of non-encrypted updates.

> The issue of potentially-tampered-with source code not only can't be dealt
> with correctly through the use of https (at least not with the public CA
> infrastructure that "everyone" relies on for "pedestrian" https) there ARE
> other means of dealing with it correctly that do not require using https.
> That's where attention should be focused.

Would have to disagree with this assertion, at least until it can be demonstrated that an alternative signature presharing mechanism would be more secure (than the CA maintained by EFF/LetsEncrypt at least).

IMO,
Roger Marquis
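The "signed datasets" and "signature presharing mechanism" that the two posts above weigh against CA-backed https can be made concrete. The Go program below is an added example, not code from this thread or from the FreeBSD project. It assumes an Ed25519 key pair whose public half is preshared out of band (for instance in a release ISO or a package the user already trusts), and a constructed two-file tree standing in for a checkout. The publisher signs a canonical manifest of path and content hashes; the client recomputes that manifest from whatever it received, over http or https, and checks it against the pinned key, so a modified, added or removed file fails verification no matter how the bytes were transported.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Files is a checkout: path -> contents. Trees in this example are
// constructed inline; a real client would walk the working copy on disk.
type Files map[string]string

// canonicalManifest hashes every file and renders "sha256  path" lines in
// sorted path order. Signing these bytes covers the set of paths as well as
// their contents, and the output does not depend on map iteration order.
func canonicalManifest(tree Files) []byte {
	paths := make([]string, 0, len(tree))
	for p := range tree {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256([]byte(tree[p]))
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(b.String())
}

// NewSigner generates a key pair. A real publisher generates it once on an
// offline host and distributes only the public half (the "preshared" key).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTree is the publisher's step: a detached signature over the manifest.
func SignTree(priv ed25519.PrivateKey, tree Files) []byte {
	return ed25519.Sign(priv, canonicalManifest(tree))
}

// VerifyTree is the client's step. pinned is the public key obtained out of
// band, never anything learned from the connection that delivered the tree.
// Any change to a file's contents, or to the set of files, changes the
// recomputed manifest and the signature no longer verifies.
func VerifyTree(pinned ed25519.PublicKey, tree Files, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, canonicalManifest(tree), sig) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	return nil
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample checkout.
	tree := Files{
		"Makefile": "all:\n\tcc -o hello hello.c\n",
		"hello.c":  "int main(void) { return 0; }\n",
	}
	sig := SignTree(priv, tree)
	fmt.Println("genuine tree:", VerifyTree(pub, tree, sig))

	// Simulate an on-path modification of one source file.
	tree["hello.c"] = "int main(void) { return 1; }\n"
	fmt.Println("tampered tree:", VerifyTree(pub, tree, sig))
}
```

What the example does not solve is exactly the point Roger raises above: the client has to obtain the pinned key through some channel it already trusts, and rotating or revoking that key needs its own procedure, whereas the public CA system supplies that distribution for https at the cost of trusting the CAs. The signature, on the other hand, protects the content at rest and on mirrors, which transport encryption alone does not.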