http subversion URLs should be discontinued in favor of https URLs
Michelle Sullivan
michelle at sorbs.net
Sun Dec 10 23:07:22 UTC 2017
John-Mark Gurney wrote:
> Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 19:17 +0000:
>> On 10 December 2017 at 19:02, John-Mark Gurney <jmg at funkthat.com> wrote:
>>
>>
>>> So, you require an exploit in the wild before you'll patch?
>> No, I'm saying it's not a realistic threat model! If the threat is the
>> integrity of the source code in transit, then it'd be way cheaper and way
>> more reasonable to implement a Merkle Tree-like verification with each
>> revision.
> Then you should be fine w/ http for banking sites, since it's not realistic
> that your ISP will MITM your connection to steal money from you, right?
> I don't know of a single instance of an ISP MITM'ing banking transactions
> to steal money.
>
Invalid analogy... You probably shouldn't go there... so I will.
I have in the past (long time ago - well past that statute of
limitations - so can share now) compromised an FTP server on a certain
European ISPs network, on there I put a password sniffer looking for a
very specific user/connection/password combination... 4 hours it took to
get the password I then had "root" across their entire network and in
particular to their IRC server... needless to say I have grown up since
those days. However, at the time there was very little online banking,
and all the banking I knew about was pretty much read only (checking
balances, authorising payments to pre-existing arrangements etc)... but
using this 'well you might as well use HTTP' would have left me with the
opportunity to make a lot of illegal money real quick if you apply it now.
Here's a tip, you come to my street and find my open wifi, I'll
compromise your arse (just the same as these hypothetical 'malicious Tor
node operators') you want a secure connection, one that won't leave you
with a hacked android device, don't use my open wifi network. Come and
ask me to use my secure network, or use another network.
Michelle
More information about the freebsd-security
mailing list