Richard Stallman wrote:
> Bob Proulx wrote:
> > And also, for example, would the FSF shut down anonymous ftp access for
> > ftp.gnu.org too? Anonymous ftp, the anonymous cvs pserver, git
> > server, others, all will be on the chopping block. I fear the pursuit
> > of perfect will injure those not capable of being perfect.
>
> I don't follow you. The question is about HTTP, but you seem to have
> changed the subject and I don't get it. Would you please explain?
I'm sorry, but I bring along previous discussion baggage. Let me explain.

You were asking about removing HTTP access due to the arguments of the problem of MITM attacks. And specifically "What do you think about the issue?" I can only say what I think, and that means some discussion. Which is going to be a gray scale without extreme absolutes. I am pragmatic.

Plus I want to also say that I can't speak for "Savannah". I am just one of the caretakers privileged with contributing to it at this time.

With that, here is my explanation: MITM attacks are of ultimate concern, so goes the usual discussion, therefore unencrypted access must be actively blocked in order to protect everyone from all MITM security threats. Unencrypted protocols are all subject to MITM attacks. HTTP is one unencrypted protocol. But so is anonymous FTP access. And so on with every other unencrypted protocol, such as cvs pserver. Every argument that HTTP must be blocked is also the exact same argument that all other unencrypted protocols must be blocked too.

If we decide that HTTP must be blocked in order to protect users from MITM attacks, then it seems required that we must also block all other unencrypted protocols too, in order to protect users from MITM attacks against anonymous FTP and the others as well.

Bob