Cy Schubert
2017-Dec-06 14:17 UTC
http subversion URLs should be discontinued in favor of https URLs
No worries, telnet and ftp are in my sights.

---
Sent using a tiny phone keyboard. Apologies for any typos and autocorrect. This old phone only supports top post. Apologies.
Cy Schubert <Cy.Schubert at cschubert.com> or <cy at freebsd.org>
The need of the many outweighs the greed of the few.
---

-----Original Message-----
From: Steve Clement
Sent: 06/12/2017 03:29
To: Dewayne Geraghty
Cc: freebsd-security at freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs

* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au> wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.

Dear all,

Is it really wise suggesting that http is not that bad? While you are at it, perhaps reviving telnet is a good idea. (Yes, it is a bad comparison.) If your answer is to just not use it, good luck for the past.

> It can be illusory. My last job was as Sec Mgr for a large bank. They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted. An alternative
> approach to advocate is dnssec. :)

And you just let this happen under your watch?

> You also need to ensure integrity, to ensure that the numbers are
> flipped in transit... ;)

As a security person you do have responsibilities. Of course, if you (as a security person) gave up on all that, you might as well go to the beach and use your CB to talk to your Dr.

I cannot believe these attitudes; can perhaps other people weigh in, especially on the issue at hand?

Looking forward to the first person bringing up performance issues, in end-of-2017?

Sincerely yours,

Steve
Karl Denninger
2017-Dec-06 14:36 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/6/2017 08:17, Cy Schubert wrote:
>
>> It can be illusory. My last job was as Sec Mgr for a large bank. They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted. An alternative
>> approach to advocate is dnssec. :)
> And you just let this happen under your watch?

The reason such is done is that the IT people /have/ thought about it and determined that being able to /scan and archive/ all traffic going in and out is worth more than the "security" afforded by allowing HTTPS originated beyond their border in. Oh, by the way, in some lines of business said ability to scan and archive is a matter of regulatory compliance.......

I'm not, by the way, opining on whether this is a correct analysis or not. But I will note for the record that Avast's anti-virus products will, by default, do exactly this sort of intentional interception on IMAP server traffic aimed at port 993 in an attempt to detect trojans and viruses that are attached to email messages.

--
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
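An added example, not code from this thread or from FreeBSD: a client-side Python check for the two signs of the boundary interception described above, a certificate whose names do not cover the origin host and an issuer that is not the CA one expects. All host names, issuer names and certificates are constructed for illustration.

```python
import socket
import ssl

# Constructed sample certificates in the dict layout ssl.SSLSocket.getpeercert()
# returns (RDNs as tuples of (attribute, value) tuples). Both are made up.
# First: what a client might see behind the "wildcard cert at the boundary"
# described in the thread, where the proxy, not the origin, terminates TLS.
PROXY_CERT = {
    "subject": ((("commonName", "*.corp-proxy.example"),),),
    "issuer": ((("organizationName", "Corp Proxy CA (constructed)"),),),
    "subjectAltName": (("DNS", "*.corp-proxy.example"),),
}
# Second: a certificate that actually names the requested origin host.
ORIGIN_CERT = {
    "subject": ((("commonName", "svn.example.org"),),),
    "issuer": ((("organizationName", "Example Public CA (constructed)"),),),
    "subjectAltName": (("DNS", "svn.example.org"), ("DNS", "www.example.org")),
}


def _dns_match(pattern, host):
    """Match one SAN dNSName against host; '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def interception_indicators(cert, host, expected_issuer_orgs):
    """Return findings suggesting the certificate was not issued for the origin
    host by an issuer we expect. An empty list means nothing looked off."""
    findings = []
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_match(p, host) for p in sans):
        findings.append(f"no subjectAltName matches {host}: {sans}")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    org = issuer.get("organizationName", "")
    if org not in expected_issuer_orgs:
        findings.append(f"unexpected issuer organization: {org!r}")
    return findings


def fetch_peer_cert(host, port=443):
    """Live variant: fetch the peer certificate with verification switched on
    (CERT_REQUIRED plus hostname checking), the opposite of the disabled client
    checking described in the thread. Raises ssl.SSLError if validation fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

With verification left on as in `fetch_peer_cert`, a proxy certificate of this kind is rejected before `interception_indicators` is ever reached; the function is for auditing certificates captured from clients where checking was turned off.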