From owner-freebsd-security@freebsd.org  Tue Dec  5 21:13:27 2017
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 67CE3E82688
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Tue,  5 Dec 2017 21:13:27 +0000 (UTC) (envelope-from yuri@rawbw.com)
Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42])
 by mx1.freebsd.org (Postfix) with ESMTP id 55FC370AC3
 for <freebsd-security@freebsd.org>; Tue,  5 Dec 2017 21:13:27 +0000 (UTC)
 (envelope-from yuri@rawbw.com)
Received: from yv.noip.me (c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56])
 (authenticated bits=0)
 by shell1.rawbw.com (8.15.1/8.15.1) with ESMTPSA id vB5LDQRE025266
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO)
 for <freebsd-security@freebsd.org>; Tue, 5 Dec 2017 13:13:26 -0800 (PST)
 (envelope-from yuri@rawbw.com)
X-Authentication-Warning: shell1.rawbw.com: Host
 c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56] claimed to be yv.noip.me
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>
 <5A2709F6.8030106@grosbein.net>
From: Yuri <yuri@rawbw.com>
Message-ID: <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com>
Date: Tue, 5 Dec 2017 13:13:25 -0800
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101
 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <5A2709F6.8030106@grosbein.net>
Content-Language: en-US
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.25
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Dec 2017 21:13:27 -0000

On 12/05/17 13:04, Eugene Grosbein wrote:
> It is illusion that https is more secure than unencrypted http in a sense of MITM
> just because of encryption, it is not.


It *is* more secure. In order to break it, you have to have compromized 
https authorities. Some state actors have plausibly done this. http, on 
the contrary, can be altered by anybody who has access to the wire, 
which is generally a much wider set.


Yuri