On Mon, Oct 10, 2016 at 05:01:05 -0400, Richard Stallman wrote:
> I don't understand those words. I can only say that the conclusion,
> "Security requires discontinuing support for HTTP," is an extraordinary
> claim and requires extraordinary proof. I am extremely skeptical.
It depends on what
On Mon, Oct 10, 2016 at 05:00:52 -0400, Richard Stallman wrote:
> > Richard: unless there's a compelling reason not to, I think the
> > sysadmins or Savannah hackers (whoever has the ability) should just add
> > a webserver rule to redirect all requests on port 80 to 443.
>
> Would this, by
On Fri, 2016-10-07 at 22:16 -0400, Mike Gerwitz wrote:
> On Mon, Sep 19, 2016 at 12:30:03 +0200, Hanno Böck wrote:
> > *The code repositories*
> >
> > Now all of the above can be alleviated a bit if a user carefully uses
> > https all the time manually or uses a plugin like https everywhere. But
>
On Mon, Oct 10, 2016 at 11:12:00AM +, Michal Grochmal wrote:
> As far as I am aware, that is the philosophy of the FSF: always give the
> user the choice, do not limit the user in any way. Even more if we are
> limiting the user because of security reasons.
>
> Although I would in several
I'm just a random person that follows savannah-hackers-gnu but I'd like
to add the nature of the SSLstrip attack to this discussion. Since I
did perform the attack myself a handful of times (no, I did not do
anything bad, I'm a security researcher).
There is one important point about SSLstrip
On Mon, 10 Oct 2016 05:01:05 -0400
Richard Stallman wrote:
> > It says to support HTTPS properly and *securely*. The current
> > variant is not secure, it is vulnerable to SSL Stripping attacks.
> > That's why HSTS was invented in the first place.
>
> I don't know what you
[[[ To any NSA and FBI agents reading my email: please consider]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> In the case of Savannah, if the user loads the page over HTTPS, they
> will be
> It says to support HTTPS properly and *securely*. The current variant
> is not
On Sun, Oct 09, 2016 at 11:01:33 +, Juuso Lapinlampi wrote:
> I still don't like the idea of having login pages (or login session
> cookies) reachable over HTTP.
It is also worth noting that Firefox will soon display websites that
serve login forms over HTTP as insecure:
On Sun, Oct 09, 2016 at 11:37:12AM +0200, Hanno Böck wrote:
> It says to support HTTPS properly and *securely*. The current variant
> is not secure, it is vulnerable to SSL Stripping attacks. That's why
> HSTS was invented in the first place.
Just letting you know about CSP
On Sat, 08 Oct 2016 16:58:28 -0400
Richard Stallman wrote:
> > A couple people have raised concerns about Savannah and whether
> > it meets criteria C6, which states: "Support HTTPS properly and
> > securely, including the site's certificates."
>
> The first one seems to
> A couple people have raised concerns about Savannah and whether it meets
>
Richard:
A couple people have raised concerns about Savannah and whether it meets
criteria C6, which states: "Support HTTPS properly and securely,
including the site's certificates."
I'm not entirely sure how you intended "properly and securely" to be
interpreted, but from a security standpoint,