http subversion URLs should be discontinued in favor of https URLs

Michelle Sullivan michelle at sorbs.net
Fri Dec 8 10:31:36 UTC 2017 

Yuri wrote:
> On 12/07/17 15:16, Jason Hellenthal wrote:
>> The truly paranoid types that don’t want anyone to know they are 
>> using FreeBSD apparently.
>>
>> Honestly if they are that worried about http then get a private vpn 
>> tunnel and run through that instead !
>
>
> Some people aren't aware that they use http, and enable Tor because 
> they think that it improves privacy. It's very easy to use such setup 
> inadvertently.


Ding! Ding! Ding! we have a winner!

This is about privacy and anonymity rather than security then...

Sorry you want to ensure a secure (trusted) connection you do it 
yourself.  You go through other nodes (switches and routers of the 
normal internet) you make a choice... do I trust them to deliver my 
packets untampered with or not?  I know there are nodes out there that 
are doing monitoring and filtering and even returning bad data 
(accessing a certain 58 servers/IPs in Australia will have all HTTP 
spoofed to return a static message that has nothing to do with those 58 
servers... I now run a proxy on a network I trust and a VPN to that 
network (all of which are in Australia) and don't have my packets 
intercepted.)

If you're running your connection over Tor, you're running over a second 
layer with people out there that are not even necessarily trustworthy, 
many are people that they themselves use Tor for legally questionable 
actions, many for perfectly valid (though legally questionable) 
reasons.. (think: penetration testers - even commissioned ones).. but by 
using Tor you are accepting the risks in the knowledge that your data is 
traversing a network where people with questionable legal 
motives/positions...

So basically you want everyone to double their resources so that you can 
risk using an inherently untrustable network in the name of privacy... 
which in many cases you won't have anyway (because if the person doesn't 
know they are using http, then there is a pretty good chance they 
haven't secured their browser so it's spewing tracking cookies and other 
privacy defeating headers anyhow!)

Enough please!

Michelle

More information about the freebsd-security mailing list