From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 17:39:31 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky, RW, freebsd security

On 10 December 2017 at 17:32, John-Mark Gurney wrote:

>
> The discussion has been for svn updates over http, not for freebsd-update
> updates which are independently signed and verified. There are currently
> no signatures provided via SVN to validate any source received via http.
>

There has been no instance of in-transit compromise reported since SVN was
introduced. Even when the back-end was compromised, there was no
detectable compromise of the codebase [1]. So even if the codebase was
compromised, unless people *really knew* what they were doing, HTTPS would
seed a false sense of security. There are a number of organisations that your
computer is told to trust by default who have the know-how and capability
to mount MITM without one even knowing unless that one were to manually
verify CAs used for host certs; again, HTTPS doesn't buy anything in that
regard.

1. https://www.freebsd.org/news/2012-compromise.html

--
Igor M.