On 12/12/17 5:38 PM, Yuri wrote:
> On 12/12/17 16:37, Peter Wemm wrote:
>> I think you're missing the point. It is a sad reality that SSL/TLS corporate
>> (and ISP) MITM exists and is enforced on a larger scale than we'd like. But
>> it is there, and when mandated/enforced you have to go through the MITM
>> appliance, or not connect at all. Private CAs generally break those
>> appliances - an unfortunate FreeBSD user in this situation is cut off.
>> How is this better?
> This is certainly better for users because it informs the user. Now he has
> a choice to use a special override key to use MITMed https anyway or
> refuse, vs. with http he is not informed.
You misunderstand the problem.

A well-behaving corporate with TLS MITM will *block* connections to the
freebsd-ca-signed services as they will fail its validation.

The user is left with:
* can't connect on 443 (proxy blocks failed validations), or
* can't connect on 80 (because you don't like people having options).
... which leads to stop using FreeBSD.
--
Peter Wemm - pe...@wemm.org; pe...@freebsd.org; pe...@yahoo-inc.com; KI6FJV
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security