Christian Weisgerber
2017-Dec-11 15:08 UTC
http subversion URLs should be discontinued in favor of https URLs
On 2017-12-08, Luke Crooks <luke at solentwholesale.com> wrote:

> The pull request was rejected for a valid reason, offering http allows
> users with limited network access chance to clone or download freebsd where
> https is not possible.

Do users actually exist who have access to http but not to https? Or is this a myth? And how do these users access popular sites like Wikipedia, or www.FreeBSD.org for that matter?

This is also of interest for the choice of master sites in ports.

--
Christian "naddy" Weisgerber naddy at mips.inka.de
Shawn Webb
2017-Dec-11 15:16 UTC
http subversion URLs should be discontinued in favor of https URLs
On Mon, Dec 11, 2017 at 03:08:37PM -0000, Christian Weisgerber wrote:

> On 2017-12-08, Luke Crooks <luke at solentwholesale.com> wrote:
>
> > The pull request was rejected for a valid reason, offering http allows
> > users with limited network access chance to clone or download freebsd where
> > https is not possible.
>
> Do users actually exist who have access to http but not to https?
> Or is this a myth? And how do these users access popular sites
> like Wikipedia, or www.FreeBSD.org for that matter?

In an effort to enforce encrypted comms, my network is the inverse: TCP:80 is disallowed, but TCP:443 is accepted.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
WhiteWinterWolf
2017-Dec-11 16:34 UTC
http subversion URLs should be discontinued in favor of https URLs
Hi,

On 11/12/2017 at 16:08, Christian Weisgerber wrote:

> Do users actually exist who have access to http but not to https?

I don't know about users, but caching is not possible anymore as soon as you use end-to-end HTTPS.

This is a reason why I personally like software and system updates to be served through HTTP instead of HTTPS. You don't need to fetch the same update for each environment each time from the remote vendor's system, you just need them to be somehow signed by him to ensure their authenticity.

This was just to give an example of why one would prefer to use HTTP over HTTPS, and how, as highlighted by Karl Denninger, a system which does too much may actually be harmful. When you need signature, then apply signature, don't add encryption, tunneling, dynamic cipher suites negotiation, session keys exchange and so on as overhead.

Regards,
Simon.

--
WhiteWinterWolf
https://www.whitewinterwolf.com
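
The arrangement described in the last message above (updates fetched over plain HTTP through a shared cache, with authenticity checked against a vendor signature), as an added example that is not part of the original thread. The `HttpCache` class, the path and the payload are constructed for illustration, and a Lamport one-time signature stands in for whatever scheme a real vendor would use so that the code runs with the Python standard library only.

```python
import hashlib
import os

def H(b):
    return hashlib.sha256(b).digest()

# Assumption: a Lamport one-time signature stands in for the vendor's real
# scheme (stdlib only). One key pair may sign one message, never more.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def digest_bits(data):
    d = int.from_bytes(H(data), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, data):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(data))]

def verify(pk, data, sig):
    bits = digest_bits(data)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

class HttpCache:
    """Hypothetical untrusted shared cache: one origin fetch, then local copies."""
    def __init__(self, origin):
        self.origin, self.store, self.origin_hits = origin, {}, 0

    def get(self, path):
        if path not in self.store:
            self.origin_hits += 1
            self.store[path] = self.origin[path]
        return self.store[path]

def install_update(cache, pk, path):
    data, sig = cache.get(path)
    if not verify(pk, data, sig):   # trust comes from the signature, not the transport
        raise ValueError("signature check failed, update rejected")
    return data

def demo():
    sk, pk = keygen()                        # pk is pinned on every client
    update = b"constructed update payload"   # constructed sample data
    cache = HttpCache({"/updates/1": (update, sign(sk, update))})
    installed = [install_update(cache, pk, "/updates/1") for _ in range(3)]
    data, sig = cache.store["/updates/1"]    # cache entry modified after signing
    cache.store["/updates/1"] = (data + b" modified", sig)
    try:
        install_update(cache, pk, "/updates/1")
        rejected = False
    except ValueError:
        rejected = True
    return installed, cache.origin_hits, rejected
```

`demo()` returns the three installed payloads, the number of origin fetches, and whether the modified cache entry was rejected.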