http subversion URLs should be discontinued in favor of https URLs
Steve Clement
steve at localhost.lu
Wed Dec 6 09:44:27 UTC 2017
* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au> wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> >
Dear all,
Is it really wise suggesting that http is not that bad?
While you are at it, perhaps reviving telnet is a good idea. (Yes it is a
bad comparison)
If your answer is to just not use it, good luck for the past.
> It can be illusory. My last job was as Sec Mgr for a large bank. They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted. An alternative
> approach to advocate is dnssec. :)
And you just let this happen under your watch?
> You also need to ensure integrity, to ensure that the numbers are
> flipped in transit... ;)
As a security person you do have responsibilities. Of course if you (as a
security person) gave up on all that, you might as well go to the beach and
use your CB to talk to your Dr.
I cannot believe these attitudes, can perhaps other people weigh-in,
especially to the issue at hand?
Looking forward to the first person brining up performance issues, in
end-of-2017…
Sincerely yours,
Steve
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20171205/e76bcd18/attachment.sig>
More information about the freebsd-security
mailing list