From owner-freebsd-security@freebsd.org Wed Dec 6 09:44:27 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4C3BAE9AAFE for ; Wed, 6 Dec 2017 09:44:27 +0000 (UTC) (envelope-from steve@localhost.lu) Received: from mail2.mbox.lu (mail.mbox.lu [85.93.212.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 113B46AA8E for ; Wed, 6 Dec 2017 09:44:25 +0000 (UTC) (envelope-from steve@localhost.lu) Received: from mail2.mbox.lu (localhost [127.0.0.1]) by mail2.mbox.lu (Postfix) with ESMTPS id 9B5CE32032; Wed, 6 Dec 2017 10:36:48 +0100 (CET) Received: from mail2.mbox.lu (localhost [127.0.0.1]) by mail2.mbox.lu (Postfix) with ESMTPS id 8CF5E32053; Wed, 6 Dec 2017 10:36:48 +0100 (CET) Received: from localhost (pda57-1-82-231-116-233.fbx.proxad.net [82.231.116.233]) by mail2.mbox.lu (Postfix) with ESMTPSA id 4D63932032; Wed, 6 Dec 2017 10:36:48 +0100 (CET) Date: Tue, 5 Dec 2017 23:33:42 +0100 From: Steve Clement To: Dewayne Geraghty Cc: freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <20171205223342.r63xkbn4tiy6we3q@localhost.lu> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="zcolw2bkobq3gyyd" Content-Disposition: inline In-Reply-To: <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> OpenPGP: url=https://localhost.lu/0x9BE4AEE9.asc; id=9BE4AEE9 X-PGP-Fingerprint: 3F4D 8CF6 08F9 4F88 2815 2CB1 69A2 0F50 9BE4 AEE9 X-Operating-System: Darwin User-Agent: NeoMutt/20171027 X-Mailman-Approved-At: Wed, 06 Dec 2017 11:29:14 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Dec 2017 09:44:27 -0000 --zcolw2bkobq3gyyd Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable * On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote: > On 6/12/2017 8:13 AM, Yuri wrote: > > On 12/05/17 13:04, Eugene Grosbein wrote: > >> It is illusion that https is more secure than unencrypted http in a > >> sense of MITM > >> just because of encryption, it is not. > > > > Dear all, Is it really wise suggesting that http is not that bad? While you are at it, perhaps reviving telnet is a good idea. (Yes it is a bad comparison) If your answer is to just not use it, good luck for the past. > It can be illusory. =C2=A0 My last job was as Sec Mgr for a large bank.= =C2=A0 They > disabled cert checking on client devices, placed a wildcard cert at the > internet boundary and captured all https unencrypted.=C2=A0 An alternative > approach to advocate is dnssec.=C2=A0 :) And you just let this happen under your watch? > You also need to ensure integrity, to ensure that the numbers are > flipped in transit...=C2=A0 ;) As a security person you do have responsibilities. Of course if you (as a security person) gave up on all that, you might as well go to the beach and use your CB to talk to your Dr. I cannot believe these attitudes, can perhaps other people weigh-in, especially to the issue at hand? Looking forward to the first person brining up performance issues, in end-of-2017=E2=80=A6 Sincerely yours, Steve --zcolw2bkobq3gyyd Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEP02M9gj5T4goFSyxaaIPUJvkrukFAlonHsYACgkQaaIPUJvk rul30xAA3V/re7IAdwjZctURcbruiczj2UpqGrI4+31OsfG3zUfQW7PcU97K3iwp 6wugzWOSdm0t5vjEDpFfOhrvE3hcHO4viF1cgdC7cGWbay20t27MSapHHFfnhHhh lKAeun3iHmio23OJt66IC5wsAMBzHdHqGFRVwU8xohbIKTwV5hHe/521RyYVCqGO GS74NT0fUfe5V8wyK0B0JC1VrDAji6egJMy9S3+C6iFkNpS+GULvHwU44Wgvb4+0 BttDJAZ3FEjOInMvYyhBZXWUV+BebXZDhnnOjQLQ7TqiXULEqI9H/qvpmW1+nnK0 ltLesGH7MRNwOzM+ifxOk67p2T8q6vP/scznk8CHtgYFIvR8d/BUfzDNslD222b6 PZhaa4iLnMJljbGMqpmBGB2260Y1YbGqonyMqgOfk6RqpXE4vKED/+1qZCAYLqiZ UNypLCsb7bKBleho2EThDvKpQoeY5jc7QLpp8CjYJp8k7D7civc6Uv1VgcEzhZG7 NmYjsxIocVgLrPqRVyQ8qvFrw+jy5sfmdSuoV25WY6b9OSCSJB/BZz38SJtpdA5c 0Bz/AmoCBGS8A1J5/Zek8pJ/7HVKQfoE2g2aMH/qFaO5cA9eoPl6Vv7yXAulfUV6 8zyRb4+PAU3r4fGH5EEkigqrTalYCnlsn95Si/dUjvXD9PzyGN4= =eoHU -----END PGP SIGNATURE----- --zcolw2bkobq3gyyd--