From owner-freebsd-security@freebsd.org Tue Dec 5 21:13:27 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 67CE3E82688 for ; Tue, 5 Dec 2017 21:13:27 +0000 (UTC) (envelope-from yuri@rawbw.com) Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42]) by mx1.freebsd.org (Postfix) with ESMTP id 55FC370AC3 for ; Tue, 5 Dec 2017 21:13:27 +0000 (UTC) (envelope-from yuri@rawbw.com) Received: from yv.noip.me (c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56]) (authenticated bits=0) by shell1.rawbw.com (8.15.1/8.15.1) with ESMTPSA id vB5LDQRE025266 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for ; Tue, 5 Dec 2017 13:13:26 -0800 (PST) (envelope-from yuri@rawbw.com) X-Authentication-Warning: shell1.rawbw.com: Host c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56] claimed to be yv.noip.me Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: freebsd-security@freebsd.org References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> From: Yuri Message-ID: <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> Date: Tue, 5 Dec 2017 13:13:25 -0800 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <5A2709F6.8030106@grosbein.net> Content-Language: en-US Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Dec 2017 21:13:27 -0000 On 12/05/17 13:04, Eugene Grosbein wrote: > It is illusion that https is more secure than unencrypted http in a sense of MITM > just because of encryption, it is not. It *is* more secure. In order to break it, you have to have compromized https authorities. Some state actors have plausibly done this. http, on the contrary, can be altered by anybody who has access to the wire, which is generally a much wider set. Yuri