Re: http subversion URLs should be discontinued in favor of https URLs
On 12/12/17 5:38 PM, Yuri wrote:
> On 12/12/17 16:37, Peter Wemm wrote:
> > I think you're missing the point. It is a sad reality that SSL/TLS corporate (and ISP) MITM exists and is enforced on a larger scale than we'd like. But it is there, and when mandated/enforced you have to go through the MITM appliance, or not connect at all. Private CAs generally break those appliances - an unfortunate FreeBSD user in this situation is cut off. How is this better?
>
> This is certainly better for users because it informs the user. Now he has a choice to use a special override key to use MITMed https anyway or refuse, vs. with http he is not informed.

You misunderstand the problem. A well-behaving corporate with TLS MITM will *block* connections to the freebsd-ca signed services as they will fail its validation.

The user is left with:
* can't connect on 443 (proxy blocks failed validations), or
* can't connect on 80 (because you don't like people having options).

.. which leads them to stop using FreeBSD.

--
Peter Wemm - pe...@wemm.org; pe...@freebsd.org; pe...@yahoo-inc.com; KI6FJV

freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: http subversion URLs should be discontinued in favor of https URLs
On Tuesday, December 12, 2017 04:13:48 PM Yuri wrote:
> On 12/12/17 11:56, Eugene Grosbein wrote:
> > https://wiki.squid-cache.org/Features/SslPeekAndSplice
> >
> > You either ignore MITM and proceed with connection anyway or have no
> > connectivity via this channel at all.
>
> When the user sees that SSL/TLS is stripped, this isn't a vulnerability of the protocol. The user can make a choice to use such a connection anyway. There are command line options like this for some commands, and the choice in the browser.
>
> Compare this with https using a CA compromised by a government, when the user doesn't have any way of knowing about MITM. So https+private CA stands secure.

I think you're missing the point. It is a sad reality that SSL/TLS corporate (and ISP) MITM exists and is enforced on a larger scale than we'd like. But it is there, and when mandated/enforced you have to go through the MITM appliance, or not connect at all. Private CAs generally break those appliances - an unfortunate FreeBSD user in this situation is cut off. How is this better?

--
Peter Wemm - pe...@wemm.org; pe...@freebsd.org; pe...@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won’t do…