Date: Tue, 5 Dec 2017 16:10:56 -0800
From: Gordon Tetlow
To: RW
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171206001056.GI9701@gmail.com>

On Tue, Dec 05, 2017 at 11:18:45PM +0000, RW via freebsd-security wrote:
> On Tue, 5 Dec 2017 14:08:49 -0800
> Gordon Tetlow wrote:
>
> > Using this as a reason to not move to HTTPS is a fallacy. We should do
> > everything we can to help our end-users get FreeBSD in the most secure
> > way.
>
> I think it's more a question of whether all users should be forced onto
> https even if it might prevent some users from getting security updates.

I agree with this sentiment. I would like https to be the default with
http being an explicit decision on the user's end to use. This way, the
naive user can get the benefits of encryption in transit while a
knowledgable user can accept the risk of getting updates via http.

Best,
Gordon