http subversion URLs should be discontinued in favor of https URLs

Yonas Yanfa yonas at fizk.net
Tue Dec 5 22:26:08 UTC 2017


On 12/05/2017 17:08, Gordon Tetlow wrote:
> On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
>> On 6/12/2017 8:13 AM, Yuri wrote:
>>> On 12/05/17 13:04, Eugene Grosbein wrote:
>>>> It is illusion that https is more secure than unencrypted http in a
>>>> sense of MITM
>>>> just because of encryption, it is not.
>>>
>>> It *is* more secure. In order to break it, you have to have
>>> compromized https authorities. Some state actors have plausibly done
>>> this. http, on the contrary, can be altered by anybody who has access
>>> to the wire, which is generally a much wider set.
>>>
>>>
>>> Yuri
>> Yuri,
>> It can be illusory.   My last job was as Sec Mgr for a large bank.  They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted.  An alternative
>> approach to advocate is dnssec.  :)
> That's a specific decision made by a business as to how they are going
> to run their end-points. We can never help in that scenario.
>
> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.
>
> Regards,
> Gordon

I wholeheartedly agree with Gordon. Let's do more, not less.

I believe it was fallacies like this that mislead many websites, 
including freebsd.org, to remain in HTTP for far too long.

Cheers,

-- 

Yonas Yanfa
In Love With Open Source
Drupal <http://drupal.org/user/473174> :: GitHub 
<http://github.com/yonas> :: Mozilla 
<https://addons.mozilla.org/en-US/thunderbird/user/4614995/>
fizk.net | yonas at fizk.net



More information about the freebsd-security mailing list