http subversion URLs should be discontinued in favor of https URLs
    Karl Denninger 
    karl at denninger.net
       
    Wed Dec  6 14:36:38 UTC 2017
    
    
  
On 12/6/2017 08:17, Cy Schubert wrote:
>
>> It can be illusory.   My last job was as Sec Mgr for a large bank.  They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted.  An alternative
>> approach to advocate is dnssec.  :)
> And you just let this happen under your watch?

The reason such is done is that the IT people /have/ thought about it
and determined that being able to /scan and archive/ all traffic going
in and out is worth more than the "security" afforded by allowing HTTPS
originated beyond their border in.  Oh by the way in some lines of
business said ability to scan and archive is a matter of regulatory
compliance.......

I'm not, by the way, opining on whether this is a correct analysis or
not. But I will note for the record that Avast's anti-virus products
will, by default, do exactly this sort of intentional interception on
IMAP server traffic aimed at port 993 in an attempt to detect trojans
and viruses that are attached to email messages.
-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/