http subversion URLs should be discontinued in favor of https URLs
Yonas Yanfa
yonas at fizk.net
Tue Dec 5 22:26:08 UTC 2017
On 12/05/2017 17:08, Gordon Tetlow wrote:
> On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
>> On 6/12/2017 8:13 AM, Yuri wrote:
>>> On 12/05/17 13:04, Eugene Grosbein wrote:
>>>> It is illusion that https is more secure than unencrypted http in a
>>>> sense of MITM
>>>> just because of encryption, it is not.
>>>
>>> It *is* more secure. In order to break it, you have to have
>>> compromized https authorities. Some state actors have plausibly done
>>> this. http, on the contrary, can be altered by anybody who has access
>>> to the wire, which is generally a much wider set.
>>>
>>>
>>> Yuri
>> Yuri,
>> It can be illusory. My last job was as Sec Mgr for a large bank. They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted. An alternative
>> approach to advocate is dnssec. :)
> That's a specific decision made by a business as to how they are going
> to run their end-points. We can never help in that scenario.
>
> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.
>
> Regards,
> Gordon
I wholeheartedly agree with Gordon. Let's do more, not less.
I believe it was fallacies like this that mislead many websites,
including freebsd.org, to remain in HTTP for far too long.
Cheers,
--
Yonas Yanfa
In Love With Open Source
Drupal <http://drupal.org/user/473174> :: GitHub
<http://github.com/yonas> :: Mozilla
<https://addons.mozilla.org/en-US/thunderbird/user/4614995/>
fizk.net | yonas at fizk.net
More information about the freebsd-security
mailing list