Excerpts from Russ Allbery's message of 2015-05-27 22:23:02 -0700:
> Josh Triplett <j...@joshtriplett.org> writes:
>
> > https:// avoids MITM;
>
> If you aren't doing certificate pinning, I don't think you can really say
> this with a straight face.
>

The word is "avoids", not "eliminates". Whatever happened to defense in depth? There's no such thing as a perfect solution, but we can at least lock the doors, right?

> It makes MITM moderately harder, at the cost of giving money to a bunch of
> exploitative clowns who have no concept of what security means.
>

In the specific case where we'd recommend using https:// instead of git:// _for Debian's git services_, the cost noted above would not apply for any Debian users because in theory we can use the Debian-specific CA.

Archive: https://lists.debian.org/1432852719-sup-2...@fewbar.com
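As an added illustration of the "Debian-specific CA" point (this is example configuration, not anything posted in the thread or shipped by Debian): git lets a client restrict which CA it trusts for a particular https host through the per-URL `http.<url>.sslCAInfo` setting, which is the practical form of the pinning Russ is asking for. The host name `git.debian.example` and the bundle path `/etc/ssl/debian/debian-ca.crt` are placeholders to substitute with the real host and the locally installed Debian CA.

```ini
# Example ~/.gitconfig fragment (added example; host and CA path are placeholders).

# Weak setting, shown only for contrast: turning verification off for the host
# gives up exactly the MITM protection https:// was meant to add. Remove it.
[http "https://git.debian.example/"]
	sslVerify = false

# Corrected setting: verification stays on, and for this host git accepts only
# certificates chaining to the Debian-specific CA bundle, not the system store.
# (Replace the block above with this one; git reads the last value that matches.)
[http "https://git.debian.example/"]
	sslVerify = true
	sslCAInfo = /etc/ssl/debian/debian-ca.crt   ; placeholder path to the Debian CA bundle
```

To confirm which bundle applies to a given remote after editing, `git config --get-urlmatch http.sslCAInfo https://git.debian.example/` prints the value git will use for that URL; a clone from the host should then fail cleanly if the server presents a certificate from any other CA.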