http subversion URLs should be discontinued in favor of https URLs
Peter Wemm
peter at wemm.org
Wed Dec 13 00:37:17 UTC 2017
On Tuesday, December 12, 2017 04:13:48 PM Yuri wrote:
> On 12/12/17 11:56, Eugene Grosbein wrote:
> > https://wiki.squid-cache.org/Features/SslPeekAndSplice
> >
> > You either ignore MITM and proceed with connection anyway or have no
> > connectivity via this channel at all.
> When the user sees that SSL/TLS is stripped, this isn't a vulnerability
> of the protocol. The user can make a choice to use such a connection anyway.
> There are command line options like this for some commands, and the
> choice in the browser.
>
> Compare this with https using a CA compromised by the government, when the
> user doesn't have any way of knowing about MITM. So https+private CA
> stands secure.
I think you're missing the point. It is a sad reality that SSL/TLS corporate
(and ISP) MITM exists and is enforced on a larger scale than we'd like. But
it is there, and when mandated/enforced you have to go through the MITM
appliance, or not connect at all. Private CAs generally break those
appliances - an unfortunate FreeBSD user in this situation is cut off. How is
this better?
--
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…