http subversion URLs should be discontinued in favor of https URLs

Peter Wemm peter at wemm.org
Wed Dec 13 21:29:28 UTC 2017


On 12/12/17 5:38 PM, Yuri wrote:
> On 12/12/17 16:37, Peter Wemm wrote:
>> I think you're missing the point.  It is a sad reality that SSL/TLS 
>> corporate
>> (and ISP) MITM exists and is enforced on a larger scale than we'd like.  But
>> it is there, and when mandated/enforced you have to go through the MITM
>> appliance, or not connect at all.  Private CA's generally break those
>> appliances - an unfortunate FreeBSD user in this situation is cut off.  
>> How is
>> this better?
> 
> 
> This is certainly better for users because it informs the user. Now he has 
> a choice to use a special override key to use MITMed https anyway or 
> refuse, vs. with http he is not informed.

You misunderstand the problem.

A well-behaving corporate with TLS MITM will *block* connections to the 
freebsd-ca signed services as they will fail it's validation.

The user is left with:
  * can't connect on 443 (proxy blocks failed validations), or
  * can't connect on 80 (because you don't like people having options).
.. which leads to stop using FreeBSD.

-- 
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV


More information about the freebsd-security mailing list