Eugene Grosbein
2017-Dec-10 20:45 UTC
http subversion URLs should be discontinued in favor of https URLs
11.12.2017 3:37, Yuri wrote:
> On 12/10/17 11:37, Eugene Grosbein wrote:
>> Hmm, you should not pass your traffic through the network operated
>> by lots of malicious operators in first place. No matter encrypted or not.
>> There are plenty of alternative ways.
>
> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?

No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.
Franco Fichtner
2017-Dec-10 20:52 UTC
http subversion URLs should be discontinued in favor of https URLs
> On 10. Dec 2017, at 9:45 PM, Eugene Grosbein <eugen at grosbein.net> wrote:
>
> 11.12.2017 3:37, Yuri wrote:
>
>> On 12/10/17 11:37, Eugene Grosbein wrote:
>>> Hmm, you should not pass your traffic through the network operated
>>> by lots of malicious operators in first place. No matter encrypted or not.
>>> There are plenty of alternative ways.
>>
>> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?
>
> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.

You deconstructed the point you tried to make: With HTTP MITM you don't have a choice. ;)

Cheers,
Franco
Yuri
2017-Dec-10 20:54 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/10/17 12:45, Eugene Grosbein wrote:
> 11.12.2017 3:37, Yuri wrote:
>
>> On 12/10/17 11:37, Eugene Grosbein wrote:
>>> Hmm, you should not pass your traffic through the network operated
>>> by lots of malicious operators in first place. No matter encrypted or not.
>>> There are plenty of alternative ways.
>>
>> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?
> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.

There's no MITMing with https unless you are a state actor. There are very few state actors, they are special case. Regular hackers can't MITM https, but can MITM http.

Yuri
Yuri
2017-Dec-12 18:52 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/10/17 12:45, Eugene Grosbein wrote:
> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.

No, MITM of https with the private CA isn't possible. Please provide references if you believe that the opposite is true.

Yuri