From owner-freebsd-security@freebsd.org Wed Dec 6 02:02:59 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
From: Michelle Sullivan
To: Yonas Yanfa, freebsd-security@freebsd.org
Date: Wed, 06 Dec 2017 13:00:59 +1100
Message-id: <5A274F5B.9030902@sorbs.net>
In-reply-to: <35656451-afff-7e56-ea9b-1f9658101255@fizk.net>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <35656451-afff-7e56-ea9b-1f9658101255@fizk.net>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Yonas Yanfa wrote:
>
> I wholeheartedly agree with Gordon. Let's do more, not less.
>
> I believe it was fallacies like this that misled many websites,
> including freebsd.org, to remain on HTTP for far too long.

Oh good God! What is 'in the name of security' in this crusade making all plain-text, publicly accessible, static content sites 'HTTPS' instead of 'HTTP' ....?

Bearing in mind it's trivial to block anyhow: using a modern, up-to-date browser, if I block (send back resets, i.e. "connection refused") a connection from a client making a secure request to the web, and the user has not explicitly set https:// as the start of the URL, it (the browser) will automatically try port 80 (http) for the connection. I am now quite easily able to MITM attack the user by proxying (and re-writing) the http:// requests into https:// requests to the real webserver, which might have disabled http:// connections "in the name of security" ...

Now, I'm not saying that this is an issue for subversion requests, as usually they are specific in their requests about whether to use a secure layer or not, but let's get real here: the protocol allows secure and insecure, and you should use the secure by default. You should not automatically refuse anything insecure, or worse, restrict access to secure only in the name of progress, because those sites secured with their own project certificates (self-signed) will see people just turning off checking of the signers, and therefore turning off checking of CRLs, and you will lower overall security....

It's like making passwords change every week and have to be >20 characters with upper, lower and special... the result is that security is lowered because people write them down.

Michelle