http subversion URLs should be discontinued in favor of https URLs
Igor Mozolevsky
mozolevsky at gmail.com
Sun Dec 10 17:52:09 UTC 2017
On 10 December 2017 at 17:46, Yuri <yuri at rawbw.com> wrote:
> On 12/10/17 09:39, Igor Mozolevsky wrote:
>
> There has been no instance of in-transit compromise reported since SVN was
> introduced.
>
> Even when the back-end was compromised, there was not detectable compromise
> of the codebase [1]. So even if the codebase was compromised, unless people**really knew** what they were doing, HTTPS would seed a false sense of
> security.
>
>
> This is another incarnation of the bogus argument: https also has some
> vulnerabilities, so let's just stay with a completely insecure http until
> some ideal solution will be found in the future.
>
Hypothetical MITM-bogeyman and "suits not knowing that I use FreeBSD"
doesn't make SVN over HTTP insecure.
--
Igor M.
More information about the freebsd-security
mailing list