Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Mike Gerwitz
On Mon, Oct 10, 2016 at 05:01:05 -0400, Richard Stallman wrote: > I don't understand those words. I can only say that the conclusion, > "Security requires discontinuing support for HTTP," is an extraordinary > claim and requires extraordinary proof. I am extremely skeptical. It depends on what

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Mike Gerwitz
On Mon, Oct 10, 2016 at 05:00:52 -0400, Richard Stallman wrote: > > Richard: unless there's a compelling reason not to, I think the > > sysadmins or Savannah hackers (whomever has the ability) should just add > > a webserver rule to redirect all requests on port 80 to 443. > > Would this, by
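The port 80 to 443 redirect proposed above, written out as an added nginx configuration example; this is not Savannah's actual configuration and is not code from anyone on the thread. The hostname is the real site name, but the certificate and document-root paths are placeholders. It pairs the redirect with an HSTS header on the HTTPS side, since a redirect alone still leaves the first plaintext request open to SSL stripping:

```nginx
# Added example, not Savannah's configuration.
# Plaintext listener: answer nothing but a permanent redirect to HTTPS,
# preserving path and query string.
server {
    listen 80;
    listen [::]:80;
    server_name savannah.gnu.org;

    return 301 https://$host$request_uri;
}

# TLS listener: serve the site and send HSTS.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name savannah.gnu.org;

    ssl_certificate     /etc/ssl/savannah/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/savannah/privkey.pem;     # assumed path

    # HSTS: a browser that has received this header once over HTTPS will
    # rewrite http:// links to https:// itself for max-age seconds and will
    # refuse to follow a plaintext downgrade, which is what stops SSLstrip
    # on repeat visits. Send it only from the HTTPS block; clients ignore
    # it over HTTP. "always" makes nginx add it on error responses too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/savannah;   # assumed path
}
```

Two caveats a practitioner would check before deploying this. First, HSTS is trust-on-first-use: a visitor who has never reached the site over HTTPS (or whose cached policy has expired) still sends one plaintext request that an on-path attacker can intercept, so the header narrows the window rather than closing it; browser preload lists exist for that gap. Second, the max-age value is cached by clients, so a misconfigured HTTPS side combined with a long max-age locks users out until it expires; start with a short value (minutes) while verifying, then raise it.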

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Paul Smith
On Fri, 2016-10-07 at 22:16 -0400, Mike Gerwitz wrote: > On Mon, Sep 19, 2016 at 12:30:03 +0200, Hanno Böck wrote: > > *The code repositories* > > > > Now all of the above can be alleviated a bit if a user carefully uses > > https all the time manually or uses a plugin like https everywhere. But >

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Juuso Lapinlampi
On Mon, Oct 10, 2016 at 11:12:00AM +, Michal Grochmal wrote: > As far as I am aware, that is the philosophy of the FSF: always give the > user the choice, do not limit the user in any way. Even more if we are > limiting the user because of security reasons. > > Although I would in several

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Michal Grochmal
I'm just a random person that follows savannah-hackers-gnu, but I'd like to add the nature of the SSLstrip attack to this discussion, since I did perform the attack myself a handful of times (no, I did not do anything bad, I'm a security researcher). There is one important point about SSLstrip

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Hanno Böck
On Mon, 10 Oct 2016 05:01:05 -0400 Richard Stallman wrote: > > It says to support HTTPS properly and *securely*. The current > > variant is not secure, it is vulnerable to SSL Stripping attacks. > > That's why HSTS was invented in the first place. > > I don't know what you

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Richard Stallman
[[[ To any NSA and FBI agents reading my email: please consider]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > In the case of Savannah, if the user loads the page over HTTPS, they > will be

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-10 Thread Richard Stallman
[[[ To any NSA and FBI agents reading my email: please consider]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > It says to support HTTPS properly and *securely*. The current variant > is not

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-09 Thread Mike Gerwitz
On Sun, Oct 09, 2016 at 11:01:33 +, Juuso Lapinlampi wrote: > I still don't like the idea of having login pages (or login session > cookies) reachable over HTTP. It is also worth noting that Firefox will soon display websites that serve login forms over HTTP as insecure:

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-09 Thread Juuso Lapinlampi
On Sun, Oct 09, 2016 at 11:37:12AM +0200, Hanno Böck wrote: > It says to support HTTPS properly and *securely*. The current variant > is not secure, it is vulnerable to SSL Stripping attacks. That's why > HSTS was invented in the first place. Just letting you know about CSP

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-09 Thread Hanno Böck
On Sat, 08 Oct 2016 16:58:28 -0400 Richard Stallman wrote: > > A couple people have raised concerns about Savannah and whether > > it meets criteria C6, which states: "Support HTTPS properly and > > securely, including the site's certificates." > > The first one seems to

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-08 Thread Richard Stallman
[[[ To any NSA and FBI agents reading my email: please consider]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > A couple people have raised concerns about Savannah and whether it meets >

Re: [Savannah-hackers-public] [Repo-criteria-discuss] Savannah and HTTPS

2016-10-07 Thread Mike Gerwitz
Richard: A couple people have raised concerns about Savannah and whether it meets criteria C6, which states: "Support HTTPS properly and securely, including the site's certificates." I'm not entirely sure how you intended "properly and securely" to be interpreted, but from a security standpoint,