http subversion URLs should be discontinued in favor of https URLs
Gordon Tetlow
gordon at tetlows.org
Tue Dec 5 22:08:53 UTC 2017
On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> >
> > It *is* more secure. In order to break it, you have to have
> > compromized https authorities. Some state actors have plausibly done
> > this. http, on the contrary, can be altered by anybody who has access
> > to the wire, which is generally a much wider set.
> >
> >
> > Yuri
>
> Yuri,
> It can be illusory. My last job was as Sec Mgr for a large bank. They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted. An alternative
> approach to advocate is dnssec. :)
That's a specific decision made by a business as to how they are going
to run their end-points. We can never help in that scenario.
Using this as a reason to not move to HTTPS is a fallacy. We should do
everything we can to help our end-users get FreeBSD in the most secure
way.
Regards,
Gordon
More information about the freebsd-security
mailing list