oss-sec mailing list archives
Re: HTTPS (was: rubygems insecure download (and other problems))
From: gremlin () gremlin ru
Date: Thu, 15 Aug 2013 10:38:09 +0400
On 14-Aug-2013 14:59:12 -0600, Kurt Seifried wrote:
> everyone should be enabling HTTPS where possible,

Very dangerous mistake. HTTPS should be used only for non-anonymous access; otherwise plain HTTP is preferred. In any case, let the users choose whether they want to use it. Compare to FTP vs SCP/SFTP: the first is for getting files from anyone (into /incoming) and giving files to everyone (from /pub), the second is for transferring your own files. Obviously, I presume the FTP daemon to be configured for anonymous-only access.

> intercepting and modifying HTTP is trivial.

Yes. But intercepting and modifying HTTPS requires just the ability to issue client-trusted certificates (sufficient for 99% of HTTPS applications), so content signing should always be preferred over distributor validation.

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
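The content-signing approach the reply argues for, as an added example in Go (not code from this thread or from RubyGems): the publisher signs the package name, version and bytes with a key the client has pinned out of band, so a modification in transit is detected whether the download arrived over HTTP or HTTPS. The key pair, artifact name and contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Artifact is what a client fetched (over HTTP or HTTPS, it does not matter
// here): the package bytes plus a detached signature from the package author.
type Artifact struct {
	Name    string
	Version string
	Content []byte
	Sig     []byte
}

// signedDigest binds name and version to the content, so a valid signature
// for one release cannot be replayed onto a different version or package.
func signedDigest(name, version string, content []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00", name, version)
	h.Write(content)
	return h.Sum(nil)
}

// Publish is the author's side: produce the artifact with its detached signature.
func Publish(priv ed25519.PrivateKey, name, version string, content []byte) Artifact {
	return Artifact{name, version, content, ed25519.Sign(priv, signedDigest(name, version, content))}
}

// Verify is the client's side: check against a key pinned out of band,
// never one delivered alongside the download by the same distributor.
func Verify(pinned ed25519.PublicKey, a Artifact) bool {
	return ed25519.Verify(pinned, signedDigest(a.Name, a.Version, a.Content), a.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key pair
	a := Publish(priv, "example-gem", "1.0.0", []byte("constructed gem contents"))
	fmt.Println("genuine artifact verifies:", Verify(pub, a))

	// A man in the middle (or a compromised mirror) rewrites the bytes in transit;
	// the pinned-key check fails regardless of which transport carried them.
	tampered := a
	tampered.Content = []byte("constructed gem contents with an injected change")
	fmt.Println("modified artifact verifies:", Verify(pub, tampered))
}
```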