Date: Sun, 10 Dec 2017 09:15:31 -0800
From: John-Mark Gurney <jmg@funkthat.com>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: Yuri <yuri@rawbw.com>, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171210171531.GC5901@funkthat.com>
In-Reply-To: <5A2709F6.8030106@grosbein.net>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net>
Eugene Grosbein wrote this message on Wed, Dec 06, 2017 at 04:04 +0700:
> 06.12.2017 3:59, Yuri wrote:
>
> > It's understood that a lot of arguments can be made for and against this,
> > like with any other issue, but the security argument should outweigh most or all other arguments.
>
> It is an illusion that https is more secure than unencrypted http in a sense of MITM
> just because of encryption, it is not.

Correct, because https doesn't just bring encryption, it also brings authentication.. https is more secure because of authentication, not because of encryption... There are many encryption-only protocols that are broken because there is no authentication provided, allowing MITM.. Which is why self-signed certs that are not pinned are also bad...

IMO, the fact that we are even having this discussion to allow our users to be MITMed like Comcast loves to do[1] is ridiculous... If FreeBSD wants to be viewed as a secure OS, we need to go https (or other tech), and drop any unauthenticated methods of distribution of content... We don't allow freebsd-updates to be distributed w/o being authenticated, why are we allowing svn updates to be done so?

The argument that it takes up resources is true, but it is NOT significant... End users are often bandwidth limited, NOT CPU limited...

[1] https://www.techdirt.com/articles/20161123/10554936126/comcast-takes-heat-injecting-messages-into-internet-traffic.shtml

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
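The distinction the reply draws between encryption and authentication, and the remark that unpinned self-signed certificates are no better, can be made concrete with Python's standard `ssl` module. The block below is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from Subversion. It contrasts a TLS client context that verifies the certificate chain and hostname (authentication) with one that only encrypts, and adds a leaf-certificate pin check. The function names, the sample DER bytes and the pin are constructed for the illustration; `connect_pinned` needs network access and is not exercised by the offline checks.

```python
"""Added example: why https protects against MITM through authentication,
not encryption alone. Not code from the mailing-list thread."""
import hashlib
import hmac
import socket
import ssl

# Constructed sample bytes standing in for a DER-encoded leaf certificate;
# the pin is its SHA-256 hex digest, as it would be distributed out of band.
SAMPLE_DER = b"constructed-der-bytes-standing-in-for-a-leaf-certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()


def authenticating_context() -> ssl.SSLContext:
    """Client context that verifies the chain against the system CA store and
    checks the hostname: encryption *and* authentication. These are the
    defaults of create_default_context(); set explicitly to make intent visible."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def encryption_only_context() -> ssl.SSLContext:
    """The weak setting: traffic is encrypted, but any certificate is accepted,
    so an on-path party presenting its own certificate goes undetected.
    Shown only as the configuration to avoid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_authenticating(ctx: ssl.SSLContext) -> bool:
    """True only if the context both verifies the chain and checks the name."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def verify_pin(leaf_der: bytes, expected_sha256_hex: str) -> bool:
    """Compare the SHA-256 of the presented leaf certificate (DER form) with a
    pin learned out of band. A pinned self-signed cert is fine; an unpinned
    one is what the post calls bad. Constant-time compare avoids a timing leak."""
    actual = hashlib.sha256(leaf_der).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def connect_pinned(host: str, pin_sha256_hex: str, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection that is CA-verified *and* pinned to one leaf cert.
    Raises ssl.SSLError on chain/hostname failure, ValueError on pin mismatch.
    Hypothetical helper; needs network access, so not run by the offline checks."""
    ctx = authenticating_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    leaf = tls.getpeercert(binary_form=True)
    if leaf is None or not verify_pin(leaf, pin_sha256_hex):
        tls.close()
        raise ValueError(f"certificate pin mismatch for {host}")
    return tls


if __name__ == "__main__":
    print("default context authenticates:", is_authenticating(authenticating_context()))
    print("encryption-only context authenticates:", is_authenticating(encryption_only_context()))
    print("sample pin matches:", verify_pin(SAMPLE_DER, SAMPLE_PIN))
    print("tampered cert matches:", verify_pin(SAMPLE_DER + b"!", SAMPLE_PIN))
```

The offline checks show the property the post is after: the default context reports as authenticating, the encryption-only context does not, and the pin check rejects any byte change in the presented certificate. A client that uses the second context (or an unpinned self-signed certificate) still sees an encrypted session, which is exactly why encryption alone says nothing about who is on the other end.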