http subversion URLs should be discontinued in favor of https URLs
John-Mark Gurney
jmg at funkthat.com
Sun Dec 10 17:15:39 UTC 2017
Eugene Grosbein wrote this message on Wed, Dec 06, 2017 at 04:04 +0700:
> 06.12.2017 3:59, Yuri wrote:
>
> > It's understood that a lot of arguments can be made for and against this,
> > like with any other issue, but security argument should outweigh most or all other arguments.
>
> It is illusion that https is more secure than unencrypted http in a sense of MITM
> just because of encryption, it is not.
Correct, because https doesn't just bring encryption, it also brings
authentication.. https is more secure because of authentication, not
because of encryption...
There are many encryption-only protocols that are broken because there
is no authentication provided, allowing MITM.. Which is why self-signed
certs that are not pinned are also bad...
IMO, the fact that we are even having this discussion to allow our users
to be MITM'd like Comcast loves to do[1], is ridiculous... If FreeBSD
wants to be viewed as a secure OS, we need to go https (or other tech),
and drop any unauthenticated methods of distribution of content...
We don't allow freebsd-updates to be distributed w/o being authenticated,
why are we allowing svn updates to be done so?
The argument that it takes up resources is true, but it is NOT
significant... End users are often bandwidth limited, NOT CPU
limited...
[1] https://www.techdirt.com/articles/20161123/10554936126/comcast-takes-heat-injecting-messages-into-internet-traffic.shtml
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
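The post's point is that authentication, not encryption, is what stops an on-path attacker. The following is an added illustration, not code from the original message or from the FreeBSD project: it contrasts a TLS client context that only encrypts (no certificate check, so any MITM certificate is accepted) with one that verifies the chain and hostname, and adds the pin check that makes a self-signed certificate usable. All function names (encryption_only_context, authenticated_context, cert_fingerprint, pin_matches, fetch_over_tls) and the sample "certificate" bytes are this example's own constructions.

```python
"""Authentication, not encryption, defeats a MITM on an https fetch.

Added example (not part of the mailing-list post).  Function names are
this example's own; the DER bytes used at the bottom are a constructed
stand-in, not a real certificate.
"""
import hashlib
import socket
import ssl
from typing import Optional, Set


def encryption_only_context() -> ssl.SSLContext:
    """The 'illusion of security' configuration from the post: the
    handshake is encrypted, but no certificate is verified, so an on-path
    attacker can terminate the TLS session with any certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticated_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain + hostname verification against a trust store: the system CA
    set by default, or an explicit CA bundle (e.g. a project's own root)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets CERT_REQUIRED and check_hostname.
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Set[str]) -> bool:
    """Pinning: accept the presented leaf only if its fingerprint was
    distributed out of band.  This is what makes a self-signed certificate
    meaningful; an unpinned one is indistinguishable from a MITM's."""
    return cert_fingerprint(der_cert) in pins


def fetch_over_tls(host: str, path: str = "/", pins: Optional[Set[str]] = None,
                   cafile: Optional[str] = None, port: int = 443) -> bytes:
    """HTTP/1.0 GET over TLS with chain, hostname and optional pin checks.
    Network access is needed to run this one; the checks above are local."""
    ctx = authenticated_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # wrap_socket has already verified chain and hostname; now pin.
            if pins is not None:
                der = tls.getpeercert(binary_form=True)
                if not pin_matches(der, pins):
                    raise ssl.SSLError("peer certificate not in pin set")
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while True:
                buf = tls.recv(65536)
                if not buf:
                    break
                chunks.append(buf)
            return b"".join(chunks)


if __name__ == "__main__":
    weak, strong = encryption_only_context(), authenticated_context()
    print("encryption-only context verifies peer:", weak.verify_mode != ssl.CERT_NONE)
    print("authenticated context verifies peer:  ", strong.verify_mode == ssl.CERT_REQUIRED)
    # Constructed stand-in for a DER certificate, to exercise the pin check:
    fake_der = b"constructed-der-bytes-not-a-real-certificate"
    pins = {cert_fingerprint(fake_der)}
    print("pin accepts the distributed cert:", pin_matches(fake_der, pins))
    print("pin accepts a substituted cert:  ", pin_matches(b"substituted-cert", pins))
```

The difference between the two contexts is exactly the post's distinction: both produce an encrypted channel, but only the second binds that channel to a verified identity, and only the pin check lets a self-signed certificate carry that guarantee.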