Gordon Tetlow
2017-Dec-05 22:08 UTC
http subversion URLs should be discontinued in favor of https URLs
On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> > It *is* more secure. In order to break it, you have to have
> > compromised https authorities. Some state actors have plausibly done
> > this. http, on the contrary, can be altered by anybody who has access
> > to the wire, which is generally a much wider set.
> >
> > Yuri
> Yuri,
> It can be illusory. My last job was as Sec Mgr for a large bank. They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted. An alternative
> approach to advocate is dnssec. :)

That's a specific decision made by a business as to how they are going
to run their end-points. We can never help in that scenario.

Using this as a reason to not move to HTTPS is a fallacy. We should do
everything we can to help our end-users get FreeBSD in the most secure
way.

Regards,
Gordon
Yonas Yanfa
2017-Dec-05 22:19 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/05/2017 17:08, Gordon Tetlow wrote:
> On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
>> On 6/12/2017 8:13 AM, Yuri wrote:
>>> On 12/05/17 13:04, Eugene Grosbein wrote:
>>>> It is illusion that https is more secure than unencrypted http in a
>>>> sense of MITM
>>>> just because of encryption, it is not.
>>>
>>> It *is* more secure. In order to break it, you have to have
>>> compromised https authorities. Some state actors have plausibly done
>>> this. http, on the contrary, can be altered by anybody who has access
>>> to the wire, which is generally a much wider set.
>>>
>>> Yuri
>> Yuri,
>> It can be illusory. My last job was as Sec Mgr for a large bank. They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted. An alternative
>> approach to advocate is dnssec. :)
> That's a specific decision made by a business as to how they are going
> to run their end-points. We can never help in that scenario.
>
> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.
>
> Regards,
> Gordon

I wholeheartedly agree with Gordon. Let's do more, not less.

I believe it was fallacies like this that misled many websites, including
freebsd.org, to remain in HTTP for far too long.

Cheers,

--
Yonas Yanfa
In Love With Open Source
Drupal <http://drupal.org/user/473174> :: GitHub <http://github.com/yonas> :: Mozilla <https://addons.mozilla.org/en-US/thunderbird/user/4614995/>
fizk.net | yonas at fizk.net
Poul-Henning Kamp
2017-Dec-05 22:43 UTC
http subversion URLs should be discontinued in favor of https URLs
--------
In message <20171205220849.GH9701 at gmail.com>, Gordon Tetlow writes:

>Using this as a reason to not move to HTTPS is a fallacy. We should do
>everything we can to help our end-users get FreeBSD in the most secure
>way.

The vastly oversold "security" of HTTPS is entirely borrowed from a
confederation of root-CA's which no non-deluded person can ever
seriously trust.

Only if you trust *everybody* on this list, is HTTPS "secure":

	grep '^ *Subject:' /usr/local/share/certs/ca-root-nss.crt

And as if that delusion wasn't bad enough, the misguided and
simple-minded IT-liberalistic "Encrypt everything" campaign is,
100% as predicted, pushing governments to neuter encryption in
order to keep the court systems working.

"IETF and what army?"

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG      | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
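The two client-side facts argued over above, which root CAs a client actually trusts (the list PHK's grep prints) and whether certificate checking is enabled at all (the bank setup Dewayne describes), as an added example that is not part of this thread. It uses only Python's standard ssl module; the FreeBSD bundle path is an assumption and is only read when passed in.

```python
"""Audit a TLS client's trust decisions: enumerate the root CAs it would
accept and report whether certificate verification is really switched on."""
import ssl

# Assumed location of the ca_root_nss bundle on FreeBSD (optional input).
FREEBSD_CA_BUNDLE = "/usr/local/share/certs/ca-root-nss.crt"


def trusted_root_subjects(cafile=None):
    """Return the subject names (CN, or O as fallback) of every root CA the
    client would trust. With cafile=None the platform default store is used;
    every name returned is one that can vouch for any https host."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    names = []
    for cert in ctx.get_ca_certs():
        # 'subject' is a tuple of RDNs, each a tuple of (type, value) pairs
        rdns = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
        names.append(rdns.get("commonName") or rdns.get("organizationName", "?"))
    return sorted(names)


def verification_enabled(ctx):
    """True only if ctx rejects unverifiable chains AND checks the hostname.
    Either one alone still lets a wildcard interception cert through."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_context_verifies():
    """The correct setting: create_default_context() verifies by default."""
    return verification_enabled(ssl.create_default_context())


def intercept_friendly_context():
    """The weak setting: 'disabled cert checking on client devices'.
    Such a client accepts any certificate, so an in-path proxy can decrypt."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    roots = trusted_root_subjects()
    print(f"{len(roots)} root CAs trusted by default; first few: {roots[:5]}")
    print("default context verifies:", default_context_verifies())
    print("weakened context verifies:", verification_enabled(intercept_friendly_context()))
```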
RW
2017-Dec-05 23:18 UTC
http subversion URLs should be discontinued in favor of https URLs
On Tue, 5 Dec 2017 14:08:49 -0800
Gordon Tetlow wrote:

> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.

I think it's more a question of whether all users should be forced onto
https even if it might prevent some users from getting security updates.
Eugene Grosbein
2017-Dec-06 14:04 UTC
http subversion URLs should be discontinued in favor of https URLs
On 06.12.2017 05:08, Gordon Tetlow wrote:

> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.

Please do not mix opportunity with enforcement.