From: Cy Schubert
Subject: RE: http subversion URLs should be discontinued in favor of https URLs
Date: Wed, 6 Dec 2017 06:17:18 -0800
To: Steve Clement, Dewayne Geraghty
CC: freebsd-security@freebsd.org
Message-Id: <20171206141716.1ECC3110@spqr.komquats.com>

No worries, telnet and ftp are in my sights.

---
Sent using a tiny phone keyboard. Apologies for any typos and autocorrect.
This old phone only supports top post. Apologies.
Cy Schubert
The need of the many outweighs the greed of the few.
---

-----Original Message-----
From: Steve Clement
Sent: 06/12/2017 03:29
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs

* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >

Dear all,

Is it really wise suggesting that http is not that bad? While you are at it, perhaps reviving telnet is a good idea. (Yes it is a bad comparison)

If your answer is to just not use it, good luck for the past.

> It can be illusory.  My last job was as Sec Mgr for a large bank.  They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted.  An alternative
> approach to advocate is dnssec.  :)

And you just let this happen under your watch?

> You also need to ensure integrity, to ensure that the numbers are
> flipped in transit...  ;)

As a security person you do have responsibilities.

Of course if you (as a security person) gave up on all that, you might as well go to the beach and use your CB to talk to your Dr.

I cannot believe these attitudes, can perhaps other people weigh-in, especially to the issue at hand?

Looking forward to the first person bringing up performance issues, in end-of-2017…

Sincerely yours,

Steve
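The thread's subject is moving checkouts off plaintext http:// Subversion URLs. The script below is an added example written for this page, not code from the list or from the FreeBSD project: it parses the "URL:" lines that `svn info` prints for a working copy, flags checkouts whose transport (http:// or svn://) gives no confidentiality or integrity against an on-path attacker, and prints the `svn relocate` command that would move each one to the https:// equivalent. The `svn info` output it reads is a constructed sample; the hostnames and paths in it are illustrative, and whether a given server actually serves the repository over https must be confirmed before running the suggested relocate.

```python
"""Audit Subversion working-copy URLs for plaintext transports.

Added example (not from the mailing-list thread). Reads `svn info` style
output, reports checkouts fetched over http:// or svn://, and builds the
`svn relocate FROM TO PATH` command that would switch them to https://.
"""
from urllib.parse import urlsplit, urlunsplit

# Transports that authenticate the server and protect data in transit.
PROTECTED_SCHEMES = {"https", "svn+ssh"}
# Transports that do neither: plain HTTP and the bare svn:// protocol.
PLAINTEXT_SCHEMES = {"http", "svn"}

# Constructed sample of what `svn info` prints for three working copies.
SAMPLE_SVN_INFO = """\
Path: /usr/src
URL: http://svn.freebsd.org/base/head
Repository Root: http://svn.freebsd.org/base

Path: /usr/ports
URL: https://svn.freebsd.org/ports/head
Repository Root: https://svn.freebsd.org/ports

Path: /home/build/tools
URL: svn://example.invalid/tools/trunk
Repository Root: svn://example.invalid/tools
"""


def parse_svn_info(text):
    """Return (path, url) pairs from `svn info` output, one per blank-line block."""
    entries, path, url = [], None, None
    for line in text.splitlines():
        if line.startswith("Path: "):
            path = line[len("Path: "):].strip()
        elif line.startswith("URL: "):          # "Relative URL:" does not match
            url = line[len("URL: "):].strip()
        elif not line.strip() and path and url:
            entries.append((path, url))
            path, url = None, None
    if path and url:                             # last block without trailing blank line
        entries.append((path, url))
    return entries


def https_equivalent(url):
    """Rewrite the scheme to https:// keeping host, path and query unchanged.

    This is only the candidate target; it does not check that the server
    serves the repository there (an svn:// port, if present, is kept as-is).
    """
    parts = urlsplit(url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def audit_checkouts(text):
    """Classify each checkout; plaintext ones get a ready-made relocate command.

    Returns dicts with keys: path, url, scheme, status ("ok", "plaintext",
    "unknown") and relocate (the `svn relocate` command or None).
    """
    findings = []
    for path, url in parse_svn_info(text):
        scheme = urlsplit(url).scheme.lower()
        if scheme in PROTECTED_SCHEMES:
            status, relocate = "ok", None
        elif scheme in PLAINTEXT_SCHEMES:
            status = "plaintext"
            relocate = "svn relocate %s %s %s" % (url, https_equivalent(url), path)
        else:
            status, relocate = "unknown", None
        findings.append({"path": path, "url": url, "scheme": scheme,
                         "status": status, "relocate": relocate})
    return findings


if __name__ == "__main__":
    for f in audit_checkouts(SAMPLE_SVN_INFO):
        print("%-9s %s" % (f["status"], f["url"]))
        if f["relocate"]:
            print("          " + f["relocate"])
```

In practice the input comes from running `svn info` in each working copy on a host and concatenating the output; `svn+ssh://` is treated as protected because the SSH layer authenticates the server, and any scheme not in either set is reported as "unknown" rather than silently accepted.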