From owner-freebsd-security@freebsd.org Wed Dec 13 00:13:57 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
From: Yuri
To: Eugene Grosbein, Igor Mozolevsky
Cc: freebsd security, RW
Date: Tue, 12 Dec 2017 16:13:48 -0800
Message-ID: <6c9d028c-ac1c-3fc6-8ea2-7ee22c7ffbe8@rawbw.com>
In-Reply-To: <5A303453.9050705@grosbein.net>

On 12/12/17 11:56, Eugene Grosbein wrote:
> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> You either ignore MITM and proceed with the connection anyway or have no connectivity via this channel at all.

When the user sees that SSL/TLS is stripped, this isn't a vulnerability of the protocol. The user can choose to use such a connection anyway. There are command-line options like this for some commands, and the choice in the browser. Compare this with https using a CA compromised by a government, when the user doesn't have any way of knowing about the MITM. So https+private CA stands secure.

Yuri