Date: Wed, 06 Dec 2017 13:00:59 +1100
From: Michelle Sullivan <michelle@sorbs.net>
To: Yonas Yanfa <yonas@fizk.net>, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <5A274F5B.9030902@sorbs.net>
In-Reply-To: <35656451-afff-7e56-ea9b-1f9658101255@fizk.net>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <35656451-afff-7e56-ea9b-1f9658101255@fizk.net>

Yonas Yanfa wrote:
>
> I wholeheartedly agree with Gordon. Let's do more, not less.
>
> I believe it was fallacies like this that misled many websites,
> including freebsd.org, to remain in HTTP for far too long.

Oh good God! What is 'in the name of security' is this crusade making
all - plain text, publicly accessible, static content sites 'HTTPS'
instead of 'HTTP' ....?

Bearing in mind it's trivial to block anyhow, using a modern up to date
browser if I block (send back resets - ie "connection refused") a
connection to a client making a secure request to the web and the user
has not explicitly set https:// as the start of the URL it (the browser)
will automatically try port 80 (http) for the connection, I am now quite
easily able to MITM attack the user by proxying (and re-writing) the
http:// requests into https:// requests to the real webserver which
might have disabled http:// connections "in the name of security" ...

Now not saying that this is an issue on subversion requests as usually
they are specific in their requests to use a secure layer or not but
let's get real here, the protocol allows secure and insecure, you should
use the secure by default. You should not automatically not use any
insecure, or worse restrict access to secure only in the name of
progress because those sites secured with their own project certificates
(self-signed) will see people just turning off checking of the signers,
and therefore will turn off checking of CRLs and you will lower overall
security....

It's like making passwords change every week and have to be >20
characters with upper lower and special... result is security is lowered
because people write them down.

Michelle