Yuri
2017-Dec-13 01:38 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/12/17 16:37, Peter Wemm wrote:> I think you're missing the point. It is a sad reality that SSL/TLS corporate > (and ISP) MITM exists and is enforced on a larger scale than we'd like. But > it is there, and when mandated/enforced you have to go through the MITM > appliance, or not connect at all. Private CA's generally break those > appliances - an unfortunate FreeBSD user in this situation is cut off. How is > this better?This is certainly better for users because it informs the user. Now he has a choice to use a special override key to use MITMed https anyway or refuse, vs. with http he is not informed. Yuri
Peter Wemm
2017-Dec-13 21:29 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/12/17 5:38 PM, Yuri wrote:> On 12/12/17 16:37, Peter Wemm wrote: >> I think you're missing the point.? It is a sad reality that SSL/TLS >> corporate >> (and ISP) MITM exists and is enforced on a larger scale than we'd like.? But >> it is there, and when mandated/enforced you have to go through the MITM >> appliance, or not connect at all.? Private CA's generally break those >> appliances - an unfortunate FreeBSD user in this situation is cut off. >> How is >> this better? > > > This is certainly better for users because it informs the user. Now he has > a choice to use a special override key to use MITMed https anyway or > refuse, vs. with http he is not informed.You misunderstand the problem. A well-behaving corporate with TLS MITM will *block* connections to the freebsd-ca signed services as they will fail it's validation. The user is left with: * can't connect on 443 (proxy blocks failed validations), or * can't connect on 80 (because you don't like people having options). .. which leads to stop using FreeBSD. -- Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV