savannah-hackers

Re: [savannah-help-public] address@hidden: Re: [Repo-criteria-discuss] S


From: Bob Proulx
Subject: Re: [savannah-help-public] address@hidden: Re: [Repo-criteria-discuss] Savannah and HTTPS]
Date: Fri, 30 Dec 2016 16:30:18 -0700
User-agent: NeoMutt/20161126 (1.7.1)

Richard Stallman wrote:
> Bob Proulx wrote:
> > And also for example would the FSF shut down anonymous ftp access for
> > ftp.gnu.org too?  Anonymous ftp, the anonymous cvs pserver, git
> > server, others, all will be on the chopping block.  I fear the pursuit
> > of perfect will injure those not capable of being perfect.
> 
> I don't follow you.  The question is about HTTP, but you seem to have
> changed the subject and I don't get it.  Would you please explain?

I'm sorry but I bring along previous discussion baggage.  Let me
explain.  You were asking about removing HTTP access due to the
arguments of the problem of MITM attacks.  And specifically "What do
you think about the issue?"  I can only say what I think, and that
means some discussion.  Which is going to be a gray scale without
extreme absolutes.  I am pragmatic.  Plus I want to also say that I
can't speak for "Savannah".  I am just one of the caretakers
privileged with contributing to it at this time.  With that, here is
my explanation:

MITM attacks are of ultimate concern, so goes the usual discussion,
therefore unencrypted access must be actively blocked in order to
protect everyone from all MITM security threats.  Unencrypted
protocols are all subject to MITM attacks.  HTTP is one unencrypted
protocol.  But so is anonymous FTP access.  And so on with every other
unencrypted protocol such as cvs pserver.  Every argument that HTTP
must be blocked is also the exact same argument that all other
unencrypted protocols must be blocked too.  If we decide that HTTP
must be blocked in order to protect users from MITM attacks then it
seems required that we must also block all other unencrypted protocols
too, in order to protect users from MITM attacks against anonymous FTP
and the others as well.

Bob


