Date:      Fri, 18 Sep 2015 14:11:57 -0700
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Ben Bailess <ben.bailess@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: HTTPS on freebsd.org, git, reproducible builds
Message-ID:  <20150918211157.GQ33167@funkthat.com>
In-Reply-To: <CACf9JSXsEBBMmo57OB_cqgRM7SvbW+dh7n0ybDg2kX4EGyMVjw@mail.gmail.com>
References:  <CAD2Ti2_YNkNi2b=PzFCwu3PVaP8hOzADys3=-k0AqvsDRhJpzA@mail.gmail.com> <alpine.LRH.2.11.1509180646470.14490@nber4.nber.org> <7BAECC2B-5001-47D6-9199-8549697E7807@spam.lifeforms.nl> <CACf9JSXsEBBMmo57OB_cqgRM7SvbW+dh7n0ybDg2kX4EGyMVjw@mail.gmail.com>

Ben Bailess wrote this message on Fri, Sep 18, 2015 at 10:07 -0400:
> I have to echo this sentiment -- authentication is important, and so is
> integrity. HTTPS would provide both -- to be sure you're talking to the
> "real" FreeBSD and give you confidence that your page content has not been
> altered in transit by a network adversary (e.g. if you are using Tor)*.
> 
> *I honestly don't see that being a realistic defense against NSA/GCHQ-level
> attackers, though... the coercive power they have over CAs would probably
> be the weak point there, in my opinion.

Then you get projects like certificate pinning and SSL Observatory that
help ensure that the cert that is presented is also presented to others...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
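The two checks John-Mark mentions, pinning a known fingerprint and comparing what you were shown against what other vantage points saw, as an added example that is not part of this thread. It uses only the Python standard library; the certificate bytes are a constructed stand-in, not a real X.509 certificate, and the pin set and remote observations are assumed inputs.

```python
import base64
import hashlib
import ssl
from collections import Counter

# Constructed stand-in for a server certificate. It is NOT a real X.509
# certificate; the pinning logic hashes the DER bytes and does not parse them.
FAKE_DER = b"\x30\x0a\x02\x01\x01\x04\x05hello"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----\n")


def fingerprint(pem_cert: str) -> str:
    """SHA-256 of the DER encoding, the same value `openssl x509 -fingerprint
    -sha256` prints (without colons)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def check_pin(pem_cert: str, pins: set) -> bool:
    """Certificate pinning: accept only if the presented cert's fingerprint is
    in the pin set the client shipped with. A CA-issued cert for the same
    name with a different key fails here even though the chain validates."""
    return fingerprint(pem_cert) in pins


def observatory_consensus(local_fp: str, remote_fps: list) -> str:
    """Observatory-style cross-check: compare the fingerprint this client was
    shown with fingerprints reported from other vantage points (assumed to be
    fetched out of band). A cert only one network path sees is a MITM signal.
    Returns 'consistent', 'divergent', or 'no-data'."""
    if not remote_fps:
        return "no-data"
    majority_fp, _ = Counter(remote_fps).most_common(1)[0]
    return "consistent" if local_fp == majority_fp else "divergent"


if __name__ == "__main__":
    fp = fingerprint(FAKE_PEM)
    print("pin ok:", check_pin(FAKE_PEM, {fp}))
    print("consensus:", observatory_consensus(fp, [fp, fp, "00" * 32]))
```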
