From owner-freebsd-security@freebsd.org  Sun Dec 10 19:23:31 2017
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3D05CE97C70
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Sun, 10 Dec 2017 19:23:31 +0000 (UTC) (envelope-from yuri@rawbw.com)
Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42])
 by mx1.freebsd.org (Postfix) with ESMTP id 245667E03B
 for <freebsd-security@freebsd.org>; Sun, 10 Dec 2017 19:23:31 +0000 (UTC)
 (envelope-from yuri@rawbw.com)
Received: from yv.noip.me (c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56])
 (authenticated bits=0)
 by shell1.rawbw.com (8.15.1/8.15.1) with ESMTPSA id vBAJN615003551
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
 Sun, 10 Dec 2017 11:23:25 -0800 (PST) (envelope-from yuri@rawbw.com)
X-Authentication-Warning: shell1.rawbw.com: Host
 c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56] claimed to be yv.noip.me
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky <mozolevsky@gmail.com>
Cc: freebsd security <freebsd-security@freebsd.org>,
 RW <rwmaillists@googlemail.com>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>
 <5A2709F6.8030106@grosbein.net>
 <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com>
 <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au>
 <20171205220849.GH9701@gmail.com>
 <20171205231845.5028d01d@gumby.homeunix.com>
 <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com>
 <20171210173222.GF5901@funkthat.com>
 <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws+33V8VzX1Q@mail.gmail.com>
 <5c810101-9092-7665-d623-275c15d4612b@rawbw.com>
 <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg+7vSh=iuJ=JU09Q@mail.gmail.com>
 <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com>
 <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com>
From: Yuri <yuri@rawbw.com>
Message-ID: <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com>
Date: Sun, 10 Dec 2017 11:23:05 -0800
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101
 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Dec 2017 19:23:31 -0000

On 12/10/17 10:15, Igor Mozolevsky wrote:
> They are not "hypothetical characters," they are invented characters that
> are used in a threat model. But that's reframing the problem- a
> hypothetical threat model is very different to a real threat model.


This is a very real threat model. There are a lot of malicious Tor exit 
node operators, and a lot of FreeBSD users update their system over 
subversion. The only thing that the Tor node operator needs to do is to 
detect relevant requests and serve malware.

How is this not real?


Yuri