Eugene Grosbein
2017-Dec-12 19:56 UTC
http subversion URLs should be discontinued in favor of https URLs
On 13.12.2017 01:52, Yuri wrote:

> On 12/10/17 12:45, Eugene Grosbein wrote:
>> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
>> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.
>
> No, MITM of https with the private CA isn't possible. Please provide
> references if you believe that the opposite is true.

https://wiki.squid-cache.org/Features/SslPeekAndSplice

You either ignore MITM and proceed with connection anyway or have no connectivity via this channel at all.

Yuri
2017-Dec-13 00:13 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/12/17 11:56, Eugene Grosbein wrote:

> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> You either ignore MITM and proceed with connection anyway or have no connectivity via this channel at all.

When the user sees that SSL/TLS is stripped, this isn't a vulnerability of the protocol. The user can make a choice to use such a connection anyway. There are command line options like this for some commands, and the choice in the browser. Compare this with https using a government-compromised CA, when the user doesn't have any way of knowing about MITM.

So https+private CA stands secure.

Yuri