http subversion URLs should be discontinued in favor of https URLs
Peter Wemm
peter at wemm.org
Wed Dec 13 21:29:28 UTC 2017
On 12/12/17 5:38 PM, Yuri wrote:
> On 12/12/17 16:37, Peter Wemm wrote:
>> I think you're missing the point. It is a sad reality that SSL/TLS
>> corporate
>> (and ISP) MITM exists and is enforced on a larger scale than we'd like. But
>> it is there, and when mandated/enforced you have to go through the MITM
>> appliance, or not connect at all. Private CA's generally break those
>> appliances - an unfortunate FreeBSD user in this situation is cut off.
>> How is
>> this better?
>
>
> This is certainly better for users because it informs the user. Now he has
> a choice to use a special override key to use MITMed https anyway or
> refuse, vs. with http he is not informed.
You misunderstand the problem.
A well-behaving corporate with TLS MITM will *block* connections to the
freebsd-ca signed services as they will fail it's validation.
The user is left with:
* can't connect on 443 (proxy blocks failed validations), or
* can't connect on 80 (because you don't like people having options).
.. which leads to stop using FreeBSD.
--
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
More information about the freebsd-security
mailing list