I'm just a random person that follows savannah-hackers-gnu but I'd like
to add the nature of the SSLstrip attack to this discussion, since I
did perform the attack myself a handful of times (no, I did not do
anything bad, I'm a security researcher).
There is one important point about SSLstrip
On Fri, 2016-10-07 at 22:16 -0400, Mike Gerwitz wrote:
> On Mon, Sep 19, 2016 at 12:30:03 +0200, Hanno Böck wrote:
> > *The code repositories*
> >
> > Now all of the above can be alleviated a bit if a user carefully uses
> > https all the time manually or uses a plugin like https everywhere. But
>
On Mon, Oct 10, 2016 at 05:00:52 -0400, Richard Stallman wrote:
> > Richard: unless there's a compelling reason not to, I think the
> > sysadmins or Savannah hackers (whomever has the ability) should just add
> > a webserver rule to redirect all requests on port 80 to 443.
>
> Would this, by
On Mon, Oct 10, 2016 at 05:01:05 -0400, Richard Stallman wrote:
> I don't understand those words. I can only say that the conclusion,
> "Security requires discontinuing support for HTTP," is an extraordinary
> claim and requires extraordinary proof. I am extremely skeptical.
It depends on what
[[[ To any NSA and FBI agents reading my email: please consider]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> It says to support HTTPS properly and *securely*. The current variant
> is not
[[[ To any NSA and FBI agents reading my email: please consider]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> In the case of Savannah, if the user loads the page over HTTPS, they
> will be
On Mon, 10 Oct 2016 05:01:05 -0400
Richard Stallman wrote:
> > It says to support HTTPS properly and *securely*. The current
> > variant is not secure, it is vulnerable to SSL Stripping attacks.
> > That's why HSTS was invented in the first place.
>
> I don't know what you
On Mon, Oct 10, 2016 at 11:12:00AM +, Michal Grochmal wrote:
> As far as I am aware, that is the philosophy of the FSF: always give the
> user the choice, do not limit the user in any way. Even more if we are
> limiting the user because of security reasons.
>
> Although I would in several