RW
2017-Dec-05 23:18 UTC
http subversion URLs should be discontinued in favor of https URLs
On Tue, 5 Dec 2017 14:08:49 -0800 Gordon Tetlow wrote:
> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.

I think it's more a question of whether all users should be forced onto https even if it might prevent some users from getting security updates.
Gordon Tetlow
2017-Dec-06 00:10 UTC
http subversion URLs should be discontinued in favor of https URLs
On Tue, Dec 05, 2017 at 11:18:45PM +0000, RW via freebsd-security wrote:
> On Tue, 5 Dec 2017 14:08:49 -0800
> Gordon Tetlow wrote:
> >
> > Using this as a reason to not move to HTTPS is a fallacy. We should do
> > everything we can to help our end-users get FreeBSD in the most secure
> > way.
>
> I think it's more a question of whether all users should be forced onto
> https even if it might prevent some users from getting security updates.

I agree with this sentiment. I would like https to be the default with http being an explicit decision on the user's end to use. This way, the naive user can get the benefits of encryption in transit while a knowledgeable user can accept the risk of getting updates via http.

Best,
Gordon
Igor Mozolevsky
2017-Dec-06 15:04 UTC
http subversion URLs should be discontinued in favor of https URLs
On 5 December 2017 at 23:18, RW via freebsd-security <freebsd-security at freebsd.org> wrote:
> On Tue, 5 Dec 2017 14:08:49 -0800
> Gordon Tetlow wrote:
> >
> > Using this as a reason to not move to HTTPS is a fallacy. We should do
> > everything we can to help our end-users get FreeBSD in the most secure
> > way.
>
> I think it's more a question of whether all users should be forced onto
> https even if it might prevent some users from getting security updates.

If updates are signed, then I don't see what can be gained by using relatively expensive HTTPS over HTTP. People screaming for HTTPS without justifying a specific threat model (cf. a generic "MITM"-bogeyman), don't understand HTTPS nor general security (to paraphrase the famous phrase).

--
Igor M.