On 12/05/2017 17:08, Gordon Tetlow wrote:
On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
On 6/12/2017 8:13 AM, Yuri wrote:
On 12/05/17 13:04, Eugene Grosbein wrote:
It is an illusion that https is more secure than unencrypted http in a
sense of MITM just because of encryption; it is not.
It *is* more secure. In order to break it, you have to have
compromised https authorities. Some state actors have plausibly done
this. http, on the contrary, can be altered by anybody who has access
to the wire, which is generally a much wider set.
Yuri
Yuri,
It can be illusory. My last job was as Sec Mgr for a large bank. They
disabled cert checking on client devices, placed a wildcard cert at the
internet boundary and captured all https unencrypted. An alternative
approach to advocate is dnssec. :)
That's a specific decision made by a business as to how they are going
to run their end-points. We can never help in that scenario.
Using this as a reason to not move to HTTPS is a fallacy. We should do
everything we can to help our end-users get FreeBSD in the most secure
way.
Regards,
Gordon
I wholeheartedly agree with Gordon. Let's do more, not less.
I believe it was fallacies like this that misled many websites,
including freebsd.org, to remain in HTTP for far too long.
Cheers,
--
Yonas Yanfa
In Love With Open Source
Drupal <http://drupal.org/user/473174> :: GitHub <http://github.com/yonas> :: Mozilla <https://addons.mozilla.org/en-US/thunderbird/user/4614995/>
fizk.net | yo...@fizk.net
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security