oss-sec mailing list archives

Re: HTTPS (was: rubygems insecure download (and other problems))


From: gremlin () gremlin ru
Date: Thu, 15 Aug 2013 10:38:09 +0400

On 14-Aug-2013 14:59:12 -0600, Kurt Seifried wrote:

> everyone should be enabling HTTPS where possible,

Very dangerous mistake. HTTPS should be used only for non-anonymous
access, otherwise plain HTTP is preferred. In any case, let the users
choose whether they want to use it.

Compare FTP with SCP/SFTP: the first is for getting files from anyone
(into /incoming) and giving files to everyone (from /pub), the second
is for transferring your own files. Obviously, I presume the FTP daemon
is configured for anonymous-only access.

> intercepting and modifying HTTP is trivial.

Yes. But intercepting and modifying HTTPS requires just an ability
to issue client-trusted certificates (sufficient for 99% of HTTPS
applications), so the content signing should always be preferred
over distributor validation.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
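The argument above is that a signature on the content itself protects a download regardless of who relays it, while transport security only protects the channel. The following is an added example written for this archive page, not code from the poster or from the rubygems project: a publisher signs an artifact with an Ed25519 key, a client verifies it against a key it pinned in advance, and an on-path modification of the bytes is detected. The artifact contents, the file name and the key pair are constructed for the demonstration; a real client would ship the publisher's public key with the tool rather than generating it at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is what a mirror hands out: the artifact plus a detached
// signature made with the publisher's private key. Mirrors only relay it
// and never hold the signing key.
type Release struct {
	Name      string
	Artifact  []byte
	Signature []byte
}

// Publish signs the artifact. Only the publisher holds priv.
func Publish(priv ed25519.PrivateKey, name string, artifact []byte) Release {
	return Release{Name: name, Artifact: artifact, Signature: ed25519.Sign(priv, artifact)}
}

// Verify checks the artifact against a publisher key the client pinned
// ahead of time. The check is independent of the transport: bytes altered
// on the wire, on a mirror, or by anyone holding a certificate the client
// trusts still fail here, because none of them can produce a valid signature.
func Verify(pub ed25519.PublicKey, r Release) bool {
	// ed25519.Verify panics on a malformed public key, so guard the lengths.
	if len(pub) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

// Tamper models an on-path change to the downloaded bytes: it returns a
// copy with one byte flipped and the original signature left untouched.
func Tamper(r Release) Release {
	altered := append([]byte(nil), r.Artifact...)
	if len(altered) > 0 {
		altered[len(altered)/2] ^= 0x01
	}
	return Release{Name: r.Name, Artifact: altered, Signature: r.Signature}
}

// Demo runs the whole flow with a constructed artifact and a fresh key pair
// (hypothetical; a real client would pin a known publisher key). It returns
// whether the genuine copy and the tampered copy verify.
func Demo() (genuineOK bool, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	artifact := []byte("example-gem-1.0.0.gem contents (constructed sample)")
	rel := Publish(priv, "example-gem-1.0.0.gem", artifact)
	return Verify(pub, rel), Verify(pub, Tamper(rel)), nil
}

func main() {
	g, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, tampered verifies: %v\n", g, t)
}
```

The design point is where trust is anchored: Verify trusts only the pinned publisher key, so the set of parties who can alter the artifact undetected shrinks to whoever holds the private key, rather than every CA the client trusts plus every mirror in the path.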

