On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote: > On 6/12/2017 8:13 AM, Yuri wrote: > > On 12/05/17 13:04, Eugene Grosbein wrote: > >> It is illusion that https is more secure than unencrypted http in a > >> sense of MITM > >> just because of encryption, it is not. > > > > > > It *is* more secure. In order to break it, you have to have > > compromized https authorities. Some state actors have plausibly done > > this. http, on the contrary, can be altered by anybody who has access > > to the wire, which is generally a much wider set. > > > > > > Yuri > > Yuri, > It can be illusory. My last job was as Sec Mgr for a large bank. They > disabled cert checking on client devices, placed a wildcard cert at the > internet boundary and captured all https unencrypted. An alternative > approach to advocate is dnssec. :)
That's a specific decision made by a business as to how they are going to run their end-points. We can never help in that scenario. Using this as a reason to not move to HTTPS is a fallacy. We should do everything we can to help our end-users get FreeBSD in the most secure way. Regards, Gordon _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
