Date:      Fri, 18 Sep 2015 08:44:04 -0600
From:      Brett Glass <brett@lariat.org>
To:        Ben Bailess <ben.bailess@gmail.com>, freebsd-security@freebsd.org
Subject:   Re: HTTPS on freebsd.org, git, reproducible builds
Message-ID:  <201509181444.IAA15072@mail.lariat.net>
In-Reply-To: <CACf9JSXsEBBMmo57OB_cqgRM7SvbW%2Bdh7n0ybDg2kX4EGyMVjw@mail.gmail.com>
References:  <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com> <alpine.LRH.2.11.1509180646470.14490@nber4.nber.org> <7BAECC2B-5001-47D6-9199-8549697E7807@spam.lifeforms.nl> <CACf9JSXsEBBMmo57OB_cqgRM7SvbW%2Bdh7n0ybDg2kX4EGyMVjw@mail.gmail.com>

At 08:07 AM 9/18/2015, Ben Bailess wrote:

>I have to echo this sentiment -- authentication is important, and so is
>integrity. HTTPS would provide both -- to be sure you're talking to the
>"real" FreeBSD and give you confidence that your page content has not been
>altered in transit by a network adversary (e.g. if you are using Tor)*.

I'd mainly be concerned about downloads of distros or updates being
tampered with. Worms are appearing that infect not only PCs but also
routers (e.g. the "Moon" worm, which affected most Linksys models available
at the time), setting up a perfect scenario for an MITM attack that could
substitute an infected file AND a forged checksum for the originals. If
an HTTPS download site were available, I would absolutely prefer it to
an HTTP one. Just my $0.02 USD.

--Brett Glass 
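The attack Brett describes (an on-path device substituting both the download and its published checksum) is easy to simulate. The following is an added example, not code from the thread or from FreeBSD: it models the mirror, a compromised router on the path, and two client-side checks. The file bytes, the injected payload and the key are all constructed; HMAC with a key obtained out of band stands in for a real detached signature (FreeBSD's actual releases are PGP-signed), but the verification logic is the same: a checksum fetched over the same untrusted channel as the file proves nothing, while a signature the attacker cannot recompute does.

```python
import hashlib
import hmac

# Constructed stand-in for a release image; not real ISO bytes.
GENUINE_FILE = b"FreeBSD-RELEASE-amd64-bootonly.iso (constructed stand-in bytes)"

# Key the client obtained over a channel the router does not control, e.g. a
# signing key shipped with a previous install or fetched over HTTPS.
# Constructed value; stands in for the project's public signing key.
OUT_OF_BAND_KEY = b"constructed-signing-key-not-a-real-key"


def publish(data: bytes) -> dict:
    """What the project serves: the file, a SHA-256 checksum file beside it,
    and a detached signature computed with a key the attacker does not hold."""
    return {
        "file": data,
        "checksum": hashlib.sha256(data).hexdigest(),
        "signature": hmac.new(OUT_OF_BAND_KEY, data, "sha256").hexdigest(),
    }


def mitm_router(served: dict) -> dict:
    """A compromised router on the path, as in the scenario above. Over plain
    HTTP it can rewrite every response, so it swaps in an infected file AND a
    checksum that matches the infected file. It cannot recompute the
    signature, so it can only pass the stale one through."""
    trojan = served["file"] + b"\n;; injected payload (constructed)"
    return {
        "file": trojan,
        "checksum": hashlib.sha256(trojan).hexdigest(),
        "signature": served["signature"],
    }


def verify_by_checksum(received: dict) -> bool:
    """Client check 1: compare the file against the checksum that arrived
    over the same channel. Passes for anything internally consistent."""
    return hashlib.sha256(received["file"]).hexdigest() == received["checksum"]


def verify_by_signature(received: dict, key: bytes = OUT_OF_BAND_KEY) -> bool:
    """Client check 2: verify the detached signature with the out-of-band key.
    Fails whenever the file was changed by anyone without the key."""
    expected = hmac.new(key, received["file"], "sha256").hexdigest()
    return hmac.compare_digest(expected, received["signature"])


def download_over_http(data: bytes = GENUINE_FILE) -> dict:
    """Plain-HTTP path: everything goes through the router unauthenticated."""
    return mitm_router(publish(data))


def download_over_https(data: bytes = GENUINE_FILE) -> dict:
    """HTTPS path: the router cannot rewrite the TLS stream without a valid
    certificate for the site, so the client receives what was published."""
    return publish(data)


if __name__ == "__main__":
    tampered = download_over_http()
    print("HTTP  + checksum  :", "PASS" if verify_by_checksum(tampered) else "FAIL")
    print("HTTP  + signature :", "PASS" if verify_by_signature(tampered) else "FAIL")
    clean = download_over_https()
    print("HTTPS + checksum  :", "PASS" if verify_by_checksum(clean) else "FAIL")
    print("HTTPS + signature :", "PASS" if verify_by_signature(clean) else "FAIL")
```

Running it shows the checksum check passing on the trojaned download, which is exactly the failure mode in the message: the checksum only detects accidental corruption when it travels the same path as the file. Either an authenticated transport (HTTPS) or a signature checked against a key obtained out of band closes the gap.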

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201509181444.IAA15072>