http subversion URLs should be discontinued in favor of https URLs
Roger Marquis
marquis at roble.com
Mon Dec 11 19:34:52 UTC 2017
Karl Denninger wrote:
> Advocating the FORCING of https is IMHO utterly ridiculous for the
> reasons I pointed out.
This is an important point. Given the differences of opinion noted here
there is no good reason not to allow sites to sync over the protocol of
their choosing. Of course signed datasets would be excellent, as would
verifiable builds, but (also IMO) not good enough to justify forcing of
non-encrypted updates.
> The issue of potentially-tampered-with source code not only can't be dealt
> with correctly through the use of https (at least not with the public CA
> infrastructure that "everyone" relies on for "pedestrian" https) there ARE
> other means of dealing with it correctly that do not require using https.
> That's where attention should be focused.
Would have to disagree with this assertion, at least until it can be
demonstrated that an alternative signature presharing mechanism would be
more secure (than the CA maintained by EFF/LetsEncrypt at least).
IMO,
Roger Marquis
More information about the freebsd-security
mailing list