Poul-Henning Kamp
2017-Dec-05 22:43 UTC
http subversion URLs should be discontinued in favor of https URLs
--------
In message <20171205220849.GH9701 at gmail.com>, Gordon Tetlow writes:

>Using this as a reason to not move to HTTPS is a fallacy. We should do
>everything we can to help our end-users get FreeBSD in the most secure
>way.

The vastly oversold "security" of HTTPS is entirely borrowed from
a confederation of root-CA's which no non-deluded person can ever
seriously trust.

Only if you trust *everybody* on this list, is HTTPS "secure":

    grep '^ *Subject:' /usr/local/share/certs/ca-root-nss.crt

And as if that delusion wasn't bad enough, the misguided and
simple-minded IT-liberalistic "Encrypt everything" campaign is,
100% as predicted, pushing governments to neuter encryption in
order to keep the court systems working.

"IETF and what army?"

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG      | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Yuri
2017-Dec-05 23:06 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/05/17 14:43, Poul-Henning Kamp wrote:

> The vastly oversold "security" of HTTPS is entirely borrowed from
> a confederation of root-CA's which no non-deluded person can ever
> seriously trust.

Your argument goes like this: https potentially suffers from some
vulnerabilities too, so we'd better dismiss it and go with the weakest
solution. Sorry, but this doesn't make any sense.

Yuri
Gordon Tetlow
2017-Dec-05 23:18 UTC
http subversion URLs should be discontinued in favor of https URLs
> On Dec 5, 2017, at 14:43, Poul-Henning Kamp <phk at phk.freebsd.dk> wrote:
>
> --------
> In message <20171205220849.GH9701 at gmail.com>, Gordon Tetlow writes:
>
>> Using this as a reason to not move to HTTPS is a fallacy. We should do
>> everything we can to help our end-users get FreeBSD in the most secure
>> way.
>
> The vastly oversold "security" of HTTPS is entirely borrowed from
> a confederation of root-CA's which no non-deluded person can ever
> seriously trust.

Assertion of identity and encryption in transit are separate issues. I do
agree that identity is fundamentally broken with the existing CA system.
I'm more interested in preventing tampering of data in transit. HTTPS is
an easy way to do that.

Gordon
Jamie Landeg-Jones
2017-Dec-06 00:06 UTC
http subversion URLs should be discontinued in favor of https URLs
"Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:

> simple-minded IT-liberalistic "Encrypt everything" campaign is,
> 100% as predicted, pushing governments to neuter encryption in
> order to keep the court systems working.

I agree. Unfortunately forums.freebsd.org not only went down the
'encrypt everything' route, they did so before TLS was ubiquitous
(disabling SSL2 & SSL3 way before most places).

Not directed personally at you, phk - it's just strange that forum
questions are considered more important to secure than source files!

cheers, Jamie