"Constantine A. Murenin" writes:
> On 8 December 2015 at 19:26, Anthony J. Bentley <anth...@anjbe.name> wrote:
> > Giancarlo Razzolini writes:
> >> One of the main benefits of the TLS wouldn't only be to render
> >> impossible for anyone to know which pages you're accessing on the site,
> >> but also the fact that we would get a little more security getting the
> >> SSH fingerprints for the anoncvs servers. Having them in clear text as
> >> they are today isn't very secure.
> >
> > Another attack currently possible against www.openbsd.org is changing
> > the https://openbsdstore.com links to http://openbsdstore.com, and
> > running sslstrip on that. Or the PayPal links...
>
> For real! And yet another attack currently possible against
> www.openbsd.org is being able to view the web-site from any OpenBSD
> release, even the early ones that did include lynx in base
> (http://mdoc.su/OpenBSD-2.3/lynx.1), yet are surely missing not only
> TLSv1.2 (if not OpenSSL in the first place!), but the requisite CA
> entries in their corresponding cert.pem file as well (that is, if such
> file was even present).

Why even bring up OpenBSD 2.3? Anyone running that 19 years after its
release has much bigger problems than not being able to connect to
www.openbsd.org.

> And if you're in Kazakhstan, it's also possible to view
> www.openbsd.org without any issues or security warnings, and will
> continue being so even after 2016-01-01 when the new telecommunication
> directive takes force. (Or was the feature to ignore invalid
> certificates already added to lynx nowadays?)

I can't tell if you're saying it's a *good* thing that http provides no
notice that your connection is compromised. Are you serious?

Look, the whole CA model comes with a lot of baggage. Let's Encrypt has
elements of a new approach but is still tied to that way of thinking.
Talking on misc@ won't make www.openbsd.org more secure. But you're
defending telnet in 2015.
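The link-rewriting problem raised in the thread (an HTTP-served page whose outbound https:// links can be swapped for http:// in transit) can at least be checked for from the client side. The script below is an added example, not code from the thread or from the OpenBSD project: it parses a fetched page and reports any links to hosts that are expected to be reached over HTTPS but appear with an http:// scheme. The set of hosts, the sample HTML and the assumption that those hosts must always be linked over HTTPS are constructed for illustration. It detects only the symptom; the mitigation the thread argues for is serving www.openbsd.org itself over TLS, so the links cannot be altered on the way to the reader.

```python
"""Flag http:// links to hosts that a page is expected to link over https://.

Added example, not part of the misc@ thread. EXPECTED_HTTPS and the two
sample pages are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the thread names as linked from www.openbsd.org. Treating them as
# "must be https" is this check's assumption, not a statement about the
# real site.
EXPECTED_HTTPS = {"openbsdstore.com", "paypal.com", "www.paypal.com"}


class LinkCollector(HTMLParser):
    """Collect href/action targets from <a> and <form> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.links.append(value)


def extract_links(html):
    """Return every link target found in the document, in order."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def _host_is_expected_https(host, expected):
    host = host.lower()
    return host in expected or any(host.endswith("." + h) for h in expected)


def downgraded_links(html, expected_https=EXPECTED_HTTPS):
    """Return links whose scheme is http but whose host should use https.

    An empty list means no downgrade was observed in this copy of the page;
    it says nothing about what another client on another path received.
    """
    bad = []
    for link in extract_links(html):
        parts = urlsplit(link)
        host = parts.hostname or ""
        if parts.scheme == "http" and _host_is_expected_https(host, expected_https):
            bad.append(link)
    return bad


# Constructed samples: the page as published, and the same page after a
# scheme downgrade applied in transit.
CLEAN_PAGE = (
    '<a href="https://openbsdstore.com/">store</a> '
    '<a href="http://www.openbsd.org/faq/">faq</a>'
)
DOWNGRADED_PAGE = (
    '<a href="http://openbsdstore.com/">store</a> '
    '<form action="http://www.paypal.com/cgi-bin/webscr"></form>'
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("downgraded", DOWNGRADED_PAGE)):
        print(label, downgraded_links(page))
```

Run against a page saved with a plain HTTP client from the network path you care about; a non-empty result is a signal worth investigating, while an empty one is not proof that no one in between is rewriting links for other readers.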