TJ Varghese
2017-Dec-08 08:25 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/07/2017 10:50 PM, Poul-Henning Kamp wrote:
>
>> You can't have the latter without the former. Assertion of identity is
>> the only protection against MITM eavesdropping or tampering.
> Or more generally:
>
> If you don't/can't trust the other end, why would you trust them to
> keep the communication secret?
>

I'm curious as to your take on electronic banking. Should they all merely use HTTP since HTTPS is hopelessly compromised by design? If your objection is that HTTPS brings nothing to the security table, then it really doesn't make a difference where it's used and we should all just stop using it, no?
Luke Crooks
2017-Dec-08 10:33 UTC
http subversion URLs should be discontinued in favor of https URLs
The pull request was rejected for a valid reason: offering http allows users with limited network access a chance to clone or download FreeBSD where https is not possible.

We all have differences of opinion on the matter and having a flame war on a mailing list just gives the project a bad reputation.

Regards,
--
Luke Crooks
Solent Wholesale Carpets
www.solentwholesale.com

On Fri, Dec 8, 2017 at 8:25 AM, TJ Varghese <tj at tjvarghese.com> wrote:
> On 12/07/2017 10:50 PM, Poul-Henning Kamp wrote:
>
>>> You can't have the latter without the former. Assertion of identity is
>>> the only protection against MITM eavesdropping or tampering.
>> Or more generally:
>>
>> If you don't/can't trust the other end, why would you trust them to
>> keep the communication secret?
>
> I'm curious as to your take on electronic banking. Should they all merely
> use HTTP since HTTPS is hopelessly compromised by design? If your objection
> is that HTTPS brings nothing to the security table, then it really doesn't
> make a difference where it's used and we should all just stop using it, no?
Poul-Henning Kamp
2017-Dec-08 14:07 UTC
http subversion URLs should be discontinued in favor of https URLs
--------
In message <2a8d9a0a-7a64-2dde-4e53-77ee52632846 at tjvarghese.com>, TJ Varghese writes:
>I'm curious as to your take on electronic banking.

Good security is not "all or nothing", it is a carefully calibrated application of security measures to the problem at hand.

By forcing all web-traffic onto HTTPS, the rabid IT-liberalist has put governments in a position where they either have to break HTTPS traffic open or give up on having a working criminal justice system.

Anybody with a daughter knows what that dice will roll.

If you've ever read Clausewitz, you will recognize this strategy as really stupid: *Never* put your enemy in a position where their only option is to defeat you.

Various governments are going about this in different ways, some force a trojan root-cert on all their citizens, others pass laws where you can be jailed indefinitely until you hand over your passwords, others again try to force the IT-industry to "ensure legal access".

Unfortunately this happens with little or no intelligent and cooperative input from the IT-community, who seem hell-bent on their "all or nothing" strategy.

I personally preferred it back when HTTPS was tolerated by governments, because everybody could see that banking and e-commerce needed it, over the situation now, where HTTPS is so trojaned, that my webbank is no longer trustworthy via HTTPS.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.