Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-06 Thread Igor Mozolevsky
On 5 December 2017 at 23:18, RW via freebsd-security <
freebsd-security@freebsd.org> wrote:

> On Tue, 5 Dec 2017 14:08:49 -0800
> Gordon Tetlow wrote:
>
>
> > Using this as a reason to not move to HTTPS is a fallacy. We should do
> > everything we can to help our end-users get FreeBSD in the most secure
> > way.
>
> I think it's more a question of whether all users should be forced onto
> https even if it might prevent some users from getting security updates.



If updates are signed, then I don't see what can be gained by using
relatively expensive HTTPS over HTTP.

People screaming for HTTPS without justifying a specific threat model (cf.
a generic "MITM" bogeyman) don't understand HTTPS or general security (to
paraphrase the famous phrase).

-- 
Igor M.
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
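Igor's argument above, that the signature on the update rather than the transport is what gives it authenticity, can be made concrete. The Go program below is an added example, not code from this thread or from the FreeBSD project: a release key signs a small manifest carrying the artifact's SHA-256 and an expiry, and the client verifies whatever it downloaded against a pinned public key, so an altered download is caught whether it arrived over HTTP or HTTPS. It also shows the two things a signature alone does not settle, which is where a defender still has to think about the transport: an old but validly signed release can be served in place of a newer one, so the manifest expires and the client refuses to go backwards in version. The Manifest layout, the version strings and the artifact bytes are all constructed for illustration, and the version comparison is a plain string compare rather than a real version parser.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Manifest is a constructed, minimal release manifest: the artifact's hash
// and an expiry, both covered by the release key's signature.
type Manifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the artifact bytes
	ExpiresAt time.Time
}

// Encode serialises the manifest deterministically, so the signature covers
// exactly these fields and nothing else.
func (m Manifest) Encode() []byte {
	return []byte(fmt.Sprintf("version=%s\nsha256=%s\nexpires=%s\n",
		m.Version, m.SHA256, m.ExpiresAt.UTC().Format(time.RFC3339)))
}

// Sign is the release side, done once and offline: hash the artifact, build
// the manifest and sign it with the private release key.
func Sign(priv ed25519.PrivateKey, version string, artifact []byte,
	ttl time.Duration, now time.Time) (Manifest, []byte) {
	sum := sha256.Sum256(artifact)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:]), ExpiresAt: now.Add(ttl)}
	return m, ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrHashMismatch = errors.New("artifact hash does not match the signed manifest")
	ErrStale        = errors.New("signed manifest has expired (old release served again?)")
	ErrDowngrade    = errors.New("signed manifest is older than the installed version")
)

// Verify is the client side. It trusts only the pinned public key, never the
// transport the bytes arrived over, and checks four things in order.
func Verify(pub ed25519.PublicKey, m Manifest, sig, artifact []byte,
	installed string, now time.Time) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature // manifest altered, or signed by another key
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch // artifact altered in transit or on the mirror
	}
	if now.After(m.ExpiresAt) {
		return ErrStale // a signature says nothing about freshness by itself
	}
	// Plain string comparison: enough for the constructed versions here;
	// a real client would parse version numbers properly.
	if strings.Compare(m.Version, installed) < 0 {
		return ErrDowngrade
	}
	return nil
}

// RunScenarios builds a release key and one signed release, then shows what
// the client accepts or rejects under several constructed conditions.
func RunScenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2017, 12, 6, 12, 0, 0, 0, time.UTC)
	artifact := []byte("constructed release tarball bytes")
	m, sig := Sign(priv, "1.0.1", artifact, 30*24*time.Hour, now)

	out := map[string]error{}
	// Honest download over any transport: everything checks out.
	out["clean"] = Verify(pub, m, sig, artifact, "1.0.0", now)
	// Artifact bytes altered in transit: hash no longer matches.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0xff
	out["tampered artifact"] = Verify(pub, m, sig, tampered, "1.0.0", now)
	// Manifest edited in transit: the signature no longer verifies.
	edited := m
	edited.Version = "9.9.9"
	out["edited manifest"] = Verify(pub, edited, sig, artifact, "1.0.0", now)
	// Validly signed release served again long after its expiry.
	out["stale replay"] = Verify(pub, m, sig, artifact, "1.0.0", now.Add(60*24*time.Hour))
	// Validly signed release older than what the client already runs.
	out["downgrade"] = Verify(pub, m, sig, artifact, "1.0.2", now)
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The first three checks are what "signed updates" buys on a plain HTTP mirror; the last two are the gap the signature leaves open and that a client has to close with an expiry and a monotonic version rule.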


Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-06 Thread Karl Denninger
On 12/6/2017 08:17, Cy Schubert wrote:
>
>> It can be illusory.   My last job was as Sec Mgr for a large bank.  They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted.  An alternative
>> approach to advocate is dnssec.  :)
> And you just let this happen under your watch?

The reason such is done is that the IT people have thought about it
and determined that being able to scan and archive all traffic going
in and out is worth more than the "security" afforded by allowing HTTPS
originated beyond their border in.  Oh, by the way, in some lines of
business said ability to scan and archive is a matter of regulatory
compliance...

I'm not, by the way, opining on whether this is a correct analysis or
not. But I will note for the record that Avast's anti-virus products
will, by default, do exactly this sort of intentional interception on
IMAP server traffic aimed at port 993 in an attempt to detect trojans
and viruses that are attached to email messages.

-- 
Karl Denninger
k...@denninger.net 
/The Market Ticker/
/[S/MIME encrypted email preferred]/
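Karl's description of the bank setup (certificate checking disabled on client devices, a wildcard certificate at the boundary) comes down to a single client setting. The Go program below is an added example, not code from this thread: it generates two constructed self-signed certificates, one for the placeholder host svn.example.test and one wildcard for *.example.test standing in for the boundary proxy, and runs TLS handshakes over a loopback socket. With verification on and only the genuine certificate trusted, the proxy's wildcard is rejected; with InsecureSkipVerify the same wildcard is accepted, and the VerifyConnection callback shows how a client can at least record which issuer actually terminated its session. Hostnames, certificates and client postures are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Placeholder hostname for the example; not a real server.
const host = "svn.example.test"

// selfSigned builds a constructed self-signed certificate for name. It stands
// in for the genuine server certificate and, with a wildcard name, for the
// certificate an intercepting boundary proxy would present.
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over a loopback TCP socket and returns the
// client's verdict plus the issuer CN of the certificate it was shown.
func handshake(client *tls.Config, server tls.Certificate) (issuer string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback only
	if err != nil {
		return "", err
	}
	defer ln.Close()
	// VerifyConnection still runs when InsecureSkipVerify is set, so a client
	// can always record who really terminated its TLS session.
	client.VerifyConnection = func(cs tls.ConnectionState) error {
		issuer = cs.PeerCertificates[0].Issuer.CommonName
		return nil
	}
	srvDone := make(chan struct{})
	go func() {
		defer close(srvDone)
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{server}}).Handshake()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return "", err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	err = tls.Client(raw, client).Handshake()
	<-srvDone
	return issuer, err
}

// ClientPostures compares three client configurations against the genuine
// certificate and the proxy's wildcard. The second value is the issuer the
// unchecked client was actually talking to.
func ClientPostures() (map[string]error, string) {
	genuine := selfSigned(host)
	proxy := selfSigned("*.example.test")
	roots := x509.NewCertPool()
	roots.AddCert(genuine.Leaf) // the only issuer the client trusts

	out := map[string]error{}
	_, out["genuine server, checking on"] = handshake(&tls.Config{ServerName: host, RootCAs: roots}, genuine)
	_, out["proxy wildcard, checking on"] = handshake(&tls.Config{ServerName: host, RootCAs: roots}, proxy)
	issuer, err := handshake(&tls.Config{ServerName: host, InsecureSkipVerify: true}, proxy)
	out["proxy wildcard, checking off"] = err
	return out, issuer
}

func main() {
	out, issuer := ClientPostures()
	for name, err := range out {
		fmt.Printf("%-30s -> %v\n", name, err)
	}
	fmt.Printf("unchecked client was terminated by %q, not %q\n", issuer, host)
}
```

The point for a defender is the middle case: as long as the client verifies against a root store the proxy is not in, the wildcard is refused, which is why such deployments need either the check disabled or the proxy's root pushed to every device. Logging the issuer seen by VerifyConnection is a cheap way to notice when that has happened to a client you did not expect it on.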




RE: http subversion URLs should be discontinued in favor of https URLs

2017-12-06 Thread Cy Schubert
No worries, telnet and ftp are in my sights.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.
This old phone only supports top post. Apologies.

Cy Schubert
The need of the many outweighs the greed of the few.
---

-Original Message-
From: Steve Clement
Sent: 06/12/2017 03:29
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs

* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty 
 wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> >

Dear all,

Is it really wise to suggest that http is not that bad?

While you are at it, perhaps reviving telnet is a good idea. (Yes it is a
bad comparison)

If your answer is to just not use it, good luck for the past.

> It can be illusory.   My last job was as Sec Mgr for a large bank.  They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted.  An alternative
> approach to advocate is dnssec.  :)

And you just let this happen under your watch?

> You also need to ensure integrity, to ensure that the numbers are
> flipped in transit...  ;)

As a security person you do have responsibilities. Of course if you (as a
security person) gave up on all that, you might as well go to the beach and
use your CB to talk to your Dr.

I cannot believe these attitudes; can perhaps other people weigh in,
especially on the issue at hand?

Looking forward to the first person bringing up performance issues, at
the end of 2017…

Sincerely yours,

Steve


Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-06 Thread Eugene Grosbein
On 06.12.2017 05:08, Gordon Tetlow wrote:

> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.

Please do not mix opportunity with enforcement.




Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-06 Thread Slawa Olhovchenkov
On Tue, Dec 05, 2017 at 01:13:25PM -0800, Yuri wrote:

> On 12/05/17 13:04, Eugene Grosbein wrote:
> > It is illusion that https is more secure than unencrypted http in a sense 
> > of MITM
> > just because of encryption, it is not.
> 
> 
> It *is* more secure.

https doesn't work as often as http, and this is not secure.


Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-06 Thread Dan Lukes

> It is illusion

> As a security person you do have responsibilities


Let's calm down, guys. Anyone can claim "I'm a skilled security officer".

But a true professional will define the risk to mitigate *first*.
We can discuss possible solutions *then*.

Flamewars of "https will save our souls" vs. "https is an illusion of
security" with a fuzzy goal help no one.


Just my $0.02

Dan



Re: http subversion URLs should be discontinued in favor of https URLs

2017-12-06 Thread Steve Clement
* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty 
 wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> >

Dear all,

Is it really wise to suggest that http is not that bad?

While you are at it, perhaps reviving telnet is a good idea. (Yes it is a
bad comparison)

If your answer is to just not use it, good luck for the past.

> It can be illusory.   My last job was as Sec Mgr for a large bank.  They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted.  An alternative
> approach to advocate is dnssec.  :)

And you just let this happen under your watch?

> You also need to ensure integrity, to ensure that the numbers are
> flipped in transit...  ;)

As a security person you do have responsibilities. Of course if you (as a
security person) gave up on all that, you might as well go to the beach and
use your CB to talk to your Dr.

I cannot believe these attitudes; can perhaps other people weigh in,
especially on the issue at hand?

Looking forward to the first person bringing up performance issues, at
the end of 2017…

Sincerely yours,

Steve

