Date: Tue, 5 Dec 2017 14:08:49 -0800 From: Gordon Tetlow <gordon@tetlows.org> To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au> Cc: freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <20171205220849.GH9701@gmail.com> In-Reply-To: <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote: > On 6/12/2017 8:13 AM, Yuri wrote: > > On 12/05/17 13:04, Eugene Grosbein wrote: > >> It is illusion that https is more secure than unencrypted http in a > >> sense of MITM > >> just because of encryption, it is not. > > > > > > It *is* more secure. In order to break it, you have to have > > compromized https authorities. Some state actors have plausibly done > > this. http, on the contrary, can be altered by anybody who has access > > to the wire, which is generally a much wider set. > > > > > > Yuri > > Yuri, > It can be illusory. My last job was as Sec Mgr for a large bank. They > disabled cert checking on client devices, placed a wildcard cert at the > internet boundary and captured all https unencrypted. An alternative > approach to advocate is dnssec. :) That's a specific decision made by a business as to how they are going to run their end-points. We can never help in that scenario. Using this as a reason to not move to HTTPS is a fallacy. We should do everything we can to help our end-users get FreeBSD in the most secure way. Regards, Gordon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20171205220849.GH9701>