I have to echo this sentiment -- authentication is important, and so is
integrity. HTTPS would provide both -- to be sure you're talking to the
"real" FreeBSD and give you confidence that your page content has not been
altered in transit by a network adversary (e.g. if you are using Tor)*.
*I honestly don't see that being a realistic defense against NSA/GCHQ-level
attackers, though... the coercive power they have over CAs would probably
be the weak point there, in my opinion.
HTTPS isn't a magic bullet by any means (which should be obvious), but it's
also not worthless and would protect against at least some
less-than-TLA-level network adversaries.
On Fri, Sep 18, 2015 at 9:30 AM, Walter Hop <freebsd at spam.lifeforms.nl> wrote:
> >
> >> Is there some reason "freebsd.org" and all it's
> >> subdomains don't immediately 302 over to
> >> https foreverafter?
> >
> > Is there a reason to encrypt something that is completely public?
> Perhaps to allow the visitor to conceal the fact that they are interested
> in FreeBSD? That won't work, since the IP address of the server can't be
> encrypted. I feel like I am missing something.
>
> Privacy is often important, but authentication (i.e. not having content
> tampered with) may be more important in many cases.
>
> The US and UK governments are owning sysadmins who browse non-HTTPS sites:
>
> http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html
>
> https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/
>
> The Chinese government hijacked non-HTTPS sessions to inject DDoS
> javascript:
>
> https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack
>
> If often-used sites migrate to HTTPS (together with HSTS) these attacks
> will become a lot harder.
>
> I'm also seeing more demand for HTTPS from customers. In Europe there has
> been a lot of mainstream coverage of tech privacy issues, and various
> non-technical people now distrust sites that don't have "a lock". So it
> also has credibility/PR benefits to use it by default.
>
> There is always effort involved in making the switch, but for most sites
> and applications this is probably not an unreasonable amount given the
> benefits.
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
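The migration the thread argues for (plain HTTP redirecting to HTTPS, plus HSTS) can be checked from a site's responses. The following is an added example, not code from the thread or from the FreeBSD project; the two responses are constructed samples for the hypothetical host www.example.org, and the 180-day minimum max-age is an assumed threshold.

```python
from urllib.parse import urlparse

# Constructed sample responses (not from any real host) for the two endpoints.
HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.example.org/\r\n"
    # RFC 6797: clients must ignore HSTS sent over plain HTTP, so this must not count.
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            max_age = int(val.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def check_https_migration(host, http_raw, https_raw, min_age=15552000):
    """Evaluate redirect-to-HTTPS and HSTS; min_age (180 days) is an assumed threshold."""
    status, http_hdr = parse_response(http_raw)
    target = urlparse(http_hdr.get("location", ""))
    redirect_ok = (status in (301, 302, 307, 308) and target.scheme == "https"
                   and target.hostname == host)
    # Only the HTTPS response can establish HSTS (see the note on HTTP_RESPONSE).
    https_hdr = parse_response(https_raw)[1]
    max_age, include_sub = parse_hsts(https_hdr.get("strict-transport-security", ""))
    return {"redirects_to_https": redirect_ok,
            "hsts_enforced": max_age is not None and max_age >= min_age,
            "hsts_covers_subdomains": include_sub}
```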