http subversion URLs should be discontinued in favor of https URLs

Michelle Sullivan michelle at sorbs.net
Sun Dec 10 23:07:22 UTC 2017


John-Mark Gurney wrote:
> Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 19:17 +0000:
>> On 10 December 2017 at 19:02, John-Mark Gurney <jmg at funkthat.com> wrote:
>>
>>
>>> So, you require an exploit in the wild before you'll patch?
>> No, I'm saying it's not a realistic threat model! If the threat is the
>> integrity of the source code in transit, then it'd be way cheaper and way
>> more reasonable to implement a Merkle Tree-like verification with each
>> revision.
> Then you should be fine w/ http for banking sites, since it's not realistic
> that your ISP will MITM your connection to steal money from you, right?
> I don't know of a single instance of an ISP MITM'ing banking transactions
> to steal money.
>
Invalid analogy... You probably shouldn't go there... so I will.

I have in the past (long time ago - well past that statute of 
limitations - so can share now) compromised an FTP server on a certain 
European ISPs network, on there I put a password sniffer looking for a 
very specific user/connection/password combination... 4 hours it took to 
get the password I then had "root" across their entire network and in 
particular to their IRC server... needless to say I have grown up since 
those days.  However, at the time there was very little online banking, 
and all the banking I knew about was pretty much read only (checking 
balances, authorising payments to pre-existing arrangements etc)... but 
using this 'well you might as well use HTTP' would have left me with the 
opportunity to make a lot of illegal money real quick if you apply it now.

Here's a tip, you come to my street and find my open wifi, I'll 
compromise your arse (just the same as these hypothetical 'malicious Tor 
node operators') you want a secure connection, one that won't leave you 
with a hacked android device, don't use my open wifi network.  Come and 
ask me to use my secure network, or use another network.

Michelle




More information about the freebsd-security mailing list