Yuri
2017-Dec-13 00:13 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/12/17 11:56, Eugene Grosbein wrote:
> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> You either ignore MITM and proceed with connection anyway or have no connectivity via this channel at all.

When the user sees that SSL/TLS is stripped, this isn't a vulnerability of the protocol. The user can make a choice to use such a connection anyway. There are command line options like this for some commands, and the choice in the browser.

Compare this with https using a CA compromised by a government, when the user doesn't have any way of knowing about MITM. So https+private CA stands secure.

Yuri
Peter Wemm
2017-Dec-13 00:37 UTC
http subversion URLs should be discontinued in favor of https URLs
On Tuesday, December 12, 2017 04:13:48 PM Yuri wrote:
> On 12/12/17 11:56, Eugene Grosbein wrote:
> > https://wiki.squid-cache.org/Features/SslPeekAndSplice
> >
> > You either ignore MITM and proceed with connection anyway or have no
> > connectivity via this channel at all.
> When the user sees that SSL/TLS is stripped, this isn't a vulnerability
> of the protocol. User can make a choice to use such connection anyway.
> There are command line options like this for some commands, and the
> choice in the browser.
>
> Compare this with https using compromised by government CA, when the
> user doesn't have any way of knowing about MITM. So https+private CA
> stands secure.

I think you're missing the point. It is a sad reality that SSL/TLS corporate (and ISP) MITM exists and is enforced on a larger scale than we'd like. But it is there, and when mandated/enforced you have to go through the MITM appliance, or not connect at all. Private CAs generally break those appliances - an unfortunate FreeBSD user in this situation is cut off. How is this better?

-- 
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won't do…
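The mechanism both messages argue over, as an added example that is not part of the thread: a client pinned to the project's private CA rejects a certificate issued by an interception appliance's CA, while a client whose trust store also carries the appliance CA accepts it and cannot tell the difference. The hostname, the CA names and the "interception" CA are all constructed here with openssl; nothing touches the network.

```shell
#!/bin/sh
# Constructed demonstration of the private-CA argument (not code from the
# thread). Two CAs issue a server certificate for the same hostname: the
# project's private CA and an "interception" CA standing in for a corporate
# MITM appliance. Verification is then run against two different trust sets.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=svn.example.test   # hypothetical server name, not a real host

# make_ca NAME: create a self-signed CA certificate and key under $WORK.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME: have CA sign a server certificate for $HOST.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok TRUSTFILE LEAF: returns 0 if LEAF chains to a CA in TRUSTFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca project-ca
make_ca intercept-ca
issue_leaf project-ca genuine          # what the real server presents
issue_leaf intercept-ca intercepted    # what the appliance presents instead
cat "$WORK/project-ca.crt" "$WORK/intercept-ca.crt" > "$WORK/both.pem"

# Client pinned to the project CA: only the genuine certificate passes, so
# the appliance's substitution is visible as a hard verification failure.
chain_ok "$WORK/project-ca.crt" genuine     && echo "pinned: genuine accepted"
chain_ok "$WORK/project-ca.crt" intercepted || echo "pinned: intercepted rejected"

# Client whose trust store also holds the appliance CA: both pass, and the
# interception is indistinguishable from a direct connection.
chain_ok "$WORK/both.pem" genuine           && echo "store:  genuine accepted"
chain_ok "$WORK/both.pem" intercepted       && echo "store:  intercepted accepted"
```

The second trust set is the situation Peter describes: once the appliance CA is in the store, nothing on the wire tells the client it is being intercepted.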
Eugene Grosbein
2017-Dec-13 11:28 UTC
http subversion URLs should be discontinued in favor of https URLs
13.12.2017 7:13, Yuri wrote:
> On 12/12/17 11:56, Eugene Grosbein wrote:
>> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> You either ignore MITM and proceed with connection anyway or have no connectivity via this channel at all.
>
>
> When the user sees that SSL/TLS is stripped, this isn't a vulnerability of the protocol.

I never said it is a vulnerability.