From owner-freebsd-security@freebsd.org  Wed Dec  6 12:35:54 2017
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 25460E9F2D1
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Wed,  6 Dec 2017 12:35:54 +0000 (UTC) (envelope-from dan@obluda.cz)
Received: from smtp1.ms.mff.cuni.cz (smtp1.ms.mff.cuni.cz
 [IPv6:2001:718:1e03:801::4])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "submission.mff.cuni.cz", Issuer "TERENA SSL CA 3" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id BAB977089B
 for <freebsd-security@freebsd.org>; Wed,  6 Dec 2017 12:35:53 +0000 (UTC)
 (envelope-from dan@obluda.cz)
X-SubmittedBy: id 100000045929 subject
 /DC=org/DC=terena/DC=tcs/C=CZ/O=Charles+20University/CN=Dan+20Lukes+20100000045929
 issued by
 /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA+20eScience+20Personal+20CA+203
 auth type TLS.MFF
Received: from [172.20.1.21] (fw.ax.cz [77.240.102.126]) (authenticated)
 by smtp1.ms.mff.cuni.cz (8.15.2/8.15.2) with ESMTPS id vB6CZj8r005477
 (version=TLSv1.2 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
 for <freebsd-security@freebsd.org>; Wed, 6 Dec 2017 13:35:50 +0100 (CET)
 (envelope-from dan@obluda.cz)
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>
 <5A2709F6.8030106@grosbein.net>
 <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com>
 <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au>
 <20171205223342.r63xkbn4tiy6we3q@localhost.lu>
From: Dan Lukes <dan@obluda.cz>
Message-ID: <cd3eb8df-d9f9-09aa-f6db-1ed0a66a9251@obluda.cz>
Date: Wed, 6 Dec 2017 13:35:45 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101
 Firefox/51.0 SeaMonkey/2.48
MIME-Version: 1.0
In-Reply-To: <20171205223342.r63xkbn4tiy6we3q@localhost.lu>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Dec 2017 12:35:54 -0000

>>>> It is illusion
> As a security person you do have responsibilities

Lets calm down, guys. Anyone can claim "I'm skilled security officer".

But true professional will define the risk to mitigate *first*.
We can discuss possible solutions *then*.

Flamewars "https will save our souls" v.s. "https is illusion of 
security" with fuzzy goal helps to no one.

Just my $0.02

Dan