Dewayne Geraghty
2017-Dec-05 21:55 UTC
http subversion URLs should be discontinued in favor of https URLs
On 6/12/2017 8:13 AM, Yuri wrote:> On 12/05/17 13:04, Eugene Grosbein wrote: >> It is illusion that https is more secure than unencrypted http in a >> sense of MITM >> just because of encryption, it is not. > > > It *is* more secure. In order to break it, you have to have > compromized https authorities. Some state actors have plausibly done > this. http, on the contrary, can be altered by anybody who has access > to the wire, which is generally a much wider set. > > > YuriYuri, It can be illusory. ? My last job was as Sec Mgr for a large bank.? They disabled cert checking on client devices, placed a wildcard cert at the internet boundary and captured all https unencrypted.? An alternative approach to advocate is dnssec.? :) You also need to ensure integrity, to ensure that the numbers are flipped in transit...? ;)
Gordon Tetlow
2017-Dec-05 22:08 UTC
http subversion URLs should be discontinued in favor of https URLs
On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:> On 6/12/2017 8:13 AM, Yuri wrote: > > On 12/05/17 13:04, Eugene Grosbein wrote: > >> It is illusion that https is more secure than unencrypted http in a > >> sense of MITM > >> just because of encryption, it is not. > > > > > > It *is* more secure. In order to break it, you have to have > > compromized https authorities. Some state actors have plausibly done > > this. http, on the contrary, can be altered by anybody who has access > > to the wire, which is generally a much wider set. > > > > > > Yuri > > Yuri, > It can be illusory. ? My last job was as Sec Mgr for a large bank.? They > disabled cert checking on client devices, placed a wildcard cert at the > internet boundary and captured all https unencrypted.? An alternative > approach to advocate is dnssec.? :)That's a specific decision made by a business as to how they are going to run their end-points. We can never help in that scenario. Using this as a reason to not move to HTTPS is a fallacy. We should do everything we can to help our end-users get FreeBSD in the most secure way. Regards, Gordon
Steve Clement
2017-Dec-05 22:33 UTC
http subversion URLs should be discontinued in favor of https URLs
* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au> wrote:> On 6/12/2017 8:13 AM, Yuri wrote: > > On 12/05/17 13:04, Eugene Grosbein wrote: > >> It is illusion that https is more secure than unencrypted http in a > >> sense of MITM > >> just because of encryption, it is not. > > > >Dear all, Is it really wise suggesting that http is not that bad? While you are at it, perhaps reviving telnet is a good idea. (Yes it is a bad comparison) If your answer is to just not use it, good luck for the past.> It can be illusory. ? My last job was as Sec Mgr for a large bank.? They > disabled cert checking on client devices, placed a wildcard cert at the > internet boundary and captured all https unencrypted.? An alternative > approach to advocate is dnssec.? :)And you just let this happen under your watch?> You also need to ensure integrity, to ensure that the numbers are > flipped in transit...? ;)As a security person you do have responsibilities. Of course if you (as a security person) gave up on all that, you might as well go to the beach and use your CB to talk to your Dr. I cannot believe these attitudes, can perhaps other people weigh-in, especially to the issue at hand? Looking forward to the first person brining up performance issues, in end-of-2017? Sincerely yours, Steve -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20171205/e76bcd18/attachment.sig>