Date: Wed, 13 Dec 2017 13:29:26 -0800 From: Peter Wemm <peter@wemm.org> To: Yuri <yuri@rawbw.com>, freebsd-security@freebsd.org Cc: RW <rwmaillists@googlemail.com>, Igor Mozolevsky <mozolevsky@gmail.com> Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <34c748a4-acc5-f80b-29b7-7554389fa44c@wemm.org> In-Reply-To: <b581be6f-45da-224b-3f68-a27aa43eba14@rawbw.com> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A303453.9050705@grosbein.net> <6c9d028c-ac1c-3fc6-8ea2-7ee22c7ffbe8@rawbw.com> <3138231.uiVPfnS2VB@overcee.wemm.org> <b581be6f-45da-224b-3f68-a27aa43eba14@rawbw.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/12/17 5:38 PM, Yuri wrote: > On 12/12/17 16:37, Peter Wemm wrote: >> I think you're missing the point. It is a sad reality that SSL/TLS >> corporate >> (and ISP) MITM exists and is enforced on a larger scale than we'd like. But >> it is there, and when mandated/enforced you have to go through the MITM >> appliance, or not connect at all. Private CA's generally break those >> appliances - an unfortunate FreeBSD user in this situation is cut off. >> How is >> this better? > > > This is certainly better for users because it informs the user. Now he has > a choice to use a special override key to use MITMed https anyway or > refuse, vs. with http he is not informed. You misunderstand the problem. A well-behaving corporate with TLS MITM will *block* connections to the freebsd-ca signed services as they will fail it's validation. The user is left with: * can't connect on 443 (proxy blocks failed validations), or * can't connect on 80 (because you don't like people having options). .. which leads to stop using FreeBSD. -- Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?34c748a4-acc5-f80b-29b7-7554389fa44c>