From owner-freebsd-security@freebsd.org Sun Dec 10 05:55:32 2017
From: Garrett Wollman
To: Franco Fichtner
Cc: freebsd-security
Subject: Re: [FreeBSD-Announce] FreeBSD 11.0 end-of-life
Date: Sun, 10 Dec 2017 00:55:28 -0500
Message-ID: <23084.52304.918811.943377@hergotha.csail.mit.edu>

< said:

> Hi,
>> On 8. Dec 2017, at 8:25 PM, FreeBSD Security Officer wrote:
>>
>> +--------------------------------------------------+-----------------------+
>> |releng/11.1|11.1-RELEASE|n/a |July 26, 2017 |11.2-RELEASE + 3 months|
>> +--------------------------------------------------+-----------------------+

> Is there *any* indication when X + 3 is going to be? Because as a downstream
> vendor X + 3 months usually translates to X, because there is no time to prepare
> for any of this, especially when swift adoption is enforced by upstream, e.g.
> by deprecated packages, quarterly branch and locking users out of the ports tree.

Yeah, that's been one of my concerns all along with this new
deprecation schedule. It takes me about a month to qualify a new
release, and we have only two windows a year when I can actually
deploy it (after testing) -- from 12/26 to 12/30, and from the Monday
after the first Saturday in June until the Friday before the first
Monday in September.[1] Release schedules in recent years have been
pretty pessimal for me as it is. I'll be rolling out 11.1 later this
month, but if 11.2 were to happen in March I'd be SOL before I could
even think about upgrading.

-GAWollman

[1] And not coincidentally, these are the times when everybody, myself
included, wants to go on vacation.

From owner-freebsd-security@freebsd.org Sun Dec 10 16:50:09 2017
From: Franco Fichtner
To: Garrett Wollman
Cc: freebsd-security
Subject: Re: [FreeBSD-Announce] FreeBSD 11.0 end-of-life
Date: Sun, 10 Dec 2017 17:49:57 +0100
Message-Id: <87D630E8-E068-4F9A-873B-5EEBCA1C80B8@lastsummer.de>

Hi Garrett,

> On 10. Dec 2017, at 6:55 AM, Garrett Wollman wrote:
>
> < said:
>
>> Hi,
>>> On 8. Dec 2017, at 8:25 PM, FreeBSD Security Officer wrote:
>>>
>>> +--------------------------------------------------+-----------------------+
>>> |releng/11.1|11.1-RELEASE|n/a |July 26, 2017 |11.2-RELEASE + 3 months|
>>> +--------------------------------------------------+-----------------------+
>
>> Is there *any* indication when X + 3 is going to be? Because as a downstream
>> vendor X + 3 months usually translates to X, because there is no time to prepare
>> for any of this, especially when swift adoption is enforced by upstream, e.g.
>> by deprecated packages, quarterly branch and locking users out of the ports tree.
>
> Yeah, that's been one of my concerns all along with this new
> deprecation schedule. It takes me about a month to qualify a new
> release, and we have only two windows a year when I can actually
> deploy it (after testing) -- from 12/26 to 12/30, and from the Monday
> after the first Saturday in June until the Friday before the first
> Monday in September.[1] Release schedules in recent years have been
> pretty pessimal for me as it is. I'll be rolling out 11.1 later this
> month, but if 11.2 were to happen in March I'd be SOL before I could
> even think about upgrading.

That's likely. The issue description was refined on IRC a bit and basically
goes like this:

If we have to plan upgrades of production systems running FreeBSD 11.1 now
for all of 2018 WRT 11.2 and not missing the EoL deadline -- how would we
plan for it? We can't, because there is no indication when that is going
to be in the first place.

There are two solutions:

1. Support 11.(x-1) along with 11.x and keep the unpredictable schedule.

2. Set a predictable schedule as soon as 11.x comes out for when 11.(x+1)
   is planned, even if that deadline is not met in the end.

I slightly favour the first solution, but it is clear that it will mean work
for an SO.

There is probably a third and fourth action and I would like to see the
bright and steering FreeBSD project members to take a constructive interest
in this matter and not let it go uncommented.

Cheers,
Franco

From owner-freebsd-security@freebsd.org Sun Dec 10 17:15:38 2017
From: John-Mark Gurney
To: Eugene Grosbein
Cc: Yuri, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Sun, 10 Dec 2017 09:15:31 -0800
Message-ID: <20171210171531.GC5901@funkthat.com>

Eugene Grosbein wrote this message on Wed, Dec 06, 2017 at 04:04 +0700:
> 06.12.2017 3:59, Yuri wrote:
>
> > It's understood that a lot of arguments can be made for and against this,
> > like with any other issue, but security argument should outweigh most or all other arguments.
>
> It is illusion that https is more secure than unencrypted http in a sense of MITM
> just because of encryption, it is not.

Correct, because https doesn't just bring encryption, it also brings
authentication.. https is more secure because of authentication, not
because of encryption...

There are many encryption only protocols that are broken because there
is no authentication provided, allowing MITM.. Which is why self signed
certs that are not pinned are also bad...

IMO, the fact that we are even having this discussion to allow our users
to be MITM like Comcast loves to do[1], is ridiculous... If FreeBSD wants
to be viewed as a secure OS, we need to go https (or other tech), and
drop any unauthenticated methods of distribution of content...

We don't allow freebsd-updates to be distributed w/o being authenticated,
why are we allowing svn updates to be done so?

The arguments that it takes up resources is true, but it is NOT
significant... End users are often bandwidth limited, NOT CPU limited...

[1] https://www.techdirt.com/articles/20161123/10554936126/comcast-takes-heat-injecting-messages-into-internet-traffic.shtml

-- 
John-Mark Gurney                Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sun Dec 10 17:21:30 2017
From: John-Mark Gurney
To: Michelle Sullivan
Cc: Yuri, Jason Hellenthal, Poul-Henning Kamp, "freebsd-security@freebsd.org"
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Sun, 10 Dec 2017 09:21:27 -0800
Message-ID: <20171210172127.GD5901@funkthat.com>

Michelle Sullivan wrote this message on Fri, Dec 08, 2017 at 21:29 +1100:
> Sorry you want to ensure a secure (trusted) connection you do it
> yourself. You go through other nodes (switches and routers of the

So you're fine w/ all the Comcast users having to switch ISPs? Because
Comcast modifies traffic. So you're now saying that if you use FreeBSD
you can't use Comcast as your ISP?

-- 
John-Mark Gurney                Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sun Dec 10 17:32:24 2017
From: John-Mark Gurney
To: Igor Mozolevsky
Cc: RW, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Sun, 10 Dec 2017 09:32:22 -0800
Message-ID: <20171210173222.GF5901@funkthat.com>

Igor Mozolevsky wrote this message on Wed, Dec 06, 2017 at 15:04 +0000:
> On 5 December 2017 at 23:18, RW via freebsd-security <
> freebsd-security@freebsd.org> wrote:
>
> > On Tue, 5 Dec 2017 14:08:49 -0800
> > Gordon Tetlow wrote:
> >
> >
> > > Using this as a reason to not move to HTTPS is a fallacy. We should do
> > > everything we can to help our end-users get FreeBSD in the most secure
> > > way.
> >
> > I think it's more a question of whether all users should be forced onto
> > https even if it might prevent some users from getting security updates.
>
> If updates are signed, then I don't see what can be gained by using
> relatively expensive HTTPS over HTTP.

The discussion has been for svn updates over http, not for freebsd-update
updates which are independently signed and verified.. There is currently
no signatures provided via SVN to validate any source received via http.

-- 
John-Mark Gurney                Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sun Dec 10 17:36:29 2017
From: "Poul-Henning Kamp"
To: John-Mark Gurney
Cc: Michelle Sullivan, "freebsd-security@freebsd.org", Yuri
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Sun, 10 Dec 2017 17:36:07 +0000
Message-ID: <23880.1512927367@critter.freebsd.dk>

--------
In message <20171210172127.GD5901@funkthat.com>, John-Mark Gurney writes:
>Michelle Sullivan wrote this message on Fri, Dec 08, 2017 at 21:29 +1100:
>> Sorry you want to ensure a secure (trusted) connection you do it
>> yourself. You go through other nodes (switches and routers of the
>
>So you're fine w/ all the Comcast users having to switch ISPs? Because
>Comcast modifies traffic. So you're now saying that if you use FreeBSD
>you can't use Comcast as your ISP?

Comcast modifying traffic is a political problem.

Encryption does not solve political problems.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Sun Dec 10 17:40:15 2017
From: Igor Mozolevsky
To: Igor Mozolevsky, RW, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Sun, 10 Dec 2017 17:39:31 +0000

On 10 December 2017 at 17:32, John-Mark Gurney wrote:

>
> The discussion has been for svn updates over http, not for freebsd-update
> updates which are independently signed and verified.. There is currently
> no signatures provided via SVN to validate any source received via http.
>
>

There has been no instance of in-transit compromise reported since SVN was
introduced.

Even when the back-end was compromised, there was not detectable compromise
of the codebase [1]. So even if the codebase was compromised, unless people
*really knew* what they were doing, HTTPS would seed a false sense of
security.

There is a number of organisations that your computer is told to trust by
default who have the know-how and capability to mount MITM without one even
knowing unless that one were to manually verify CAs used for host certs,
again, HTTPS doesn't buy anything in that regards.

1. https://www.freebsd.org/news/2012-compromise.html

-- 
Igor M.

From owner-freebsd-security@freebsd.org Sun Dec 10 17:41:20 2017
From: John-Mark Gurney
To: Poul-Henning Kamp
Cc: "freebsd-security@freebsd.org", Michelle Sullivan, Yuri
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Sun, 10 Dec 2017 09:41:18 -0800
Message-ID: <20171210174117.GG5901@funkthat.com>

Poul-Henning Kamp wrote this message on Sun, Dec 10, 2017 at 17:36 +0000:
> --------
> In message <20171210172127.GD5901@funkthat.com>, John-Mark Gurney writes:
> >Michelle Sullivan wrote this message on Fri, Dec 08, 2017 at 21:29 +1100:
> >> Sorry you want to ensure a secure (trusted) connection you do it
> >> yourself. You go through other nodes (switches and routers of the
> >
> >So you're fine w/ all the Comcast users having to switch ISPs? Because
> >Comcast modifies traffic. So you're now saying that if you use FreeBSD
> >you can't use Comcast as your ISP?
>
> Comcast modifying traffic is a political problem.

Please come to the US and solve this problem for us, since you appear
to think that it's easy for people like me to solve.

> Encryption does not solve political problems.

Agreed. But it is the only tool in my toolbox that can solve it today,
instead of some perfect future that will not happen.

-- 
John-Mark Gurney                Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sun Dec 10 17:46:49 2017
From: Yuri
To: Igor Mozolevsky, RW, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Sun, 10 Dec 2017 09:46:27 -0800
Message-ID: <5c810101-9092-7665-d623-275c15d4612b@rawbw.com>

On 12/10/17 09:39, Igor Mozolevsky wrote:
> There has been no instance of in-transit compromise reported since SVN was
> introduced.
>
> Even when the back-end was compromised, there was not detectable compromise
> of the codebase [1]. So even if the codebase was compromised, unless people
> *really knew* what they were doing, HTTPS would seed a false sense of
> security.

This is another incarnation of the bogus argument: https also has some
vulnerabilities, so let's just stay with a completely insecure http
until some ideal solution will be found in the future.

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 17:48:52 2017
X-Gm-Message-State: AJaThX7uPU5IL5Nb3eTYtvridQdmQFp1GgdnvR2tugdhUOy9XQDJPJM0 xQDx3YlSjzY3zYjdXvzDsgQ35+tt/3P6AVZIvRQ= X-Google-Smtp-Source: AGs4zMaYl7ltNmK7ipZsQGvC7POVXify0FZcjDKZ5tlYgHIiyhcKuRIR7OaIBTZ39QkxVVkwm77GbhlBvW0I2BaaD5I= X-Received: by 10.223.145.80 with SMTP id j74mr33506240wrj.250.1512928130043; Sun, 10 Dec 2017 09:48:50 -0800 (PST) MIME-Version: 1.0 Received: by 10.28.90.193 with HTTP; Sun, 10 Dec 2017 09:48:09 -0800 (PST) In-Reply-To: <20171210174117.GG5901@funkthat.com> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> <5A2A6985.3070202@sorbs.net> <20171210172127.GD5901@funkthat.com> <23880.1512927367@critter.freebsd.dk> <20171210174117.GG5901@funkthat.com> From: Igor Mozolevsky Date: Sun, 10 Dec 2017 17:48:09 +0000 Message-ID: Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Poul-Henning Kamp , "freebsd-security@freebsd.org" , Michelle Sullivan , Yuri Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 17:48:52 -0000 On 10 December 2017 at 17:41, John-Mark Gurney wrote: > Poul-Henning Kamp wrote this message on Sun, Dec 10, 2017 at 17:36 +0000: > > >So you're fine w/ all the Comcast users having to switch ISPs? Because > > >Comcast modifies traffic. So you're now saying that if you use FreeBSD > > >you can't use Comcast as your ISP? > > > > Comcast modifying traffic is a political problem. > > Please come the the US and solve this problem for us, since you appare > to think that it's easy for people like me to solve. 
Has there been a verifiable instance of Comcast modifying SVN traffic over HTTP, or do they *merely* use DPI to inject ads into HTML files? -- Igor M. From owner-freebsd-security@freebsd.org Sun Dec 10 17:51:36 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3E6A5E92CCE for ; Sun, 10 Dec 2017 17:51:36 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 0467179C71 for ; Sun, 10 Dec 2017 17:51:35 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 6200F2737A; Sun, 10 Dec 2017 17:51:33 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vBAHpWQK023987 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 10 Dec 2017 17:51:32 GMT (envelope-from phk@critter.freebsd.dk) Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vBAHpWFF023986; Sun, 10 Dec 2017 17:51:32 GMT (envelope-from phk) To: John-Mark Gurney cc: "freebsd-security@freebsd.org" , Michelle Sullivan , Yuri Subject: Re: http subversion URLs should be discontinued in favor of https URLs In-reply-to: <20171210174117.GG5901@funkthat.com> From: "Poul-Henning Kamp" References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> <5A2A6985.3070202@sorbs.net> <20171210172127.GD5901@funkthat.com> <23880.1512927367@critter.freebsd.dk> <20171210174117.GG5901@funkthat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <23984.1512928292.1@critter.freebsd.dk> Date: Sun, 10 Dec 2017 17:51:32 
+0000 Message-ID: <23985.1512928292@critter.freebsd.dk> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 17:51:36 -0000 -------- In message <20171210174117.GG5901@funkthat.com>, John-Mark Gurney writes: >> Comcast modifying traffic is a political problem. > >Please come the the US and solve this problem for us, since you appare >to think that it's easy for people like me to solve. I didn't use the word "easy". -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. From owner-freebsd-security@freebsd.org Sun Dec 10 17:52:09 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 89369E92D60 for ; Sun, 10 Dec 2017 17:52:09 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1062A79EFA for ; Sun, 10 Dec 2017 17:52:09 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by mail-wm0-x230.google.com with SMTP id f206so10350881wmf.5 for ; Sun, 10 Dec 2017 09:52:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=s1CFzQZlX2CifUqapAZKrKXjyfyXVpSyfvepFRz6D7s=; b=C7rQst9/z2AVA/gZ46ExVrlSObnf7RspYMHILyBZovBAOtZMLsxPaNSQiNM2DqknFP 
JUZMYudfKQOZ6wC0p0qP7T4OobXIaVOnqGh3SiEvsYyLCo5QQmegU43hfnuGA9vYDFoD npt1koq3Ep0g+ljO6yxfYSuDE15jMKXQR1FpRzWQH8lr6oE2RNLM0BCqxEpezMRh4ckv 3cKa7jge4iw4LXwfO5AjcUN3u/u6w2Z8r48iCajjZQA6tmitWWVlXfm0qiFeN0Ia22mm ft7gcXYLtr8z8SYH8UwWfaGq46Z4nAYqg1+2172EJoO7xPIZvYq3NH06+rwmUw/4UWEo BMZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=s1CFzQZlX2CifUqapAZKrKXjyfyXVpSyfvepFRz6D7s=; b=hVMPGVml54q1Ww7em3/7ddeWuyvzqvpL8A9B3GAAZsKcbAU33tPsOQdXkqWarvfqng sja7j5bgQ9sodpsnegO1NhKfou26GODQF5qAIiEcPex1wea9+P2exBOVsm6wF6RdWKL3 5Hgn+jGvGl+8WTymPGPAOtP2n8Lpqd+NKjqMegafEV6r8suKRrkFK9drlSAu8zVzikV5 O8WSp47AS2ZQGviaN6zb5QJTnEtrOWJA5NASPEsy8TVl+eHfQu1d8iFwHF13pPkbDyuT 5ezUKkIuXOQ+um0wTF586zWXyv0fbFnyAd/+FcUt8HTguE+yEfL380AMatg5Jl9c1We8 tAtw== X-Gm-Message-State: AKGB3mI8KZ6jqNe/dx/BqRBUUW+4q8oU4wNRp2y+gaZpdVuj7YBXytlm 9yIsRLo7zhUkEjEuENHJq1EBGxK/xzDD4WplJgM= X-Google-Smtp-Source: AGs4zMZkFSk48l+lCe0cqenqMvGfNeCef3aHyz+iZXGVUKS3iBhIqowMVlv/ej2jK7/p5G+kS8YoBzMmM2v20f8bBc8= X-Received: by 10.28.105.14 with SMTP id e14mr8151360wmc.74.1512928327572; Sun, 10 Dec 2017 09:52:07 -0800 (PST) MIME-Version: 1.0 Received: by 10.28.90.193 with HTTP; Sun, 10 Dec 2017 09:51:26 -0800 (PST) In-Reply-To: <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> From: Igor Mozolevsky Date: Sun, 10 Dec 2017 17:51:26 +0000 Message-ID: Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Yuri Cc: RW , freebsd security Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: 
Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 17:52:09 -0000 On 10 December 2017 at 17:46, Yuri wrote: > On 12/10/17 09:39, Igor Mozolevsky wrote: > > There has been no instance of in-transit compromise reported since SVN was > introduced. > > Even when the back-end was compromised, there was not detectable compromise > of the codebase [1]. So even if the codebase was compromised, unless people**really knew** what they were doing, HTTPS would seed a false sense of > security. > > > This is another incarnation of the bogus argument: https also has some > vulnerabilities, so let's just stay with a completely insecure http until > some ideal solution will be found in the future. > Hypothetical MITM-bogeyman and "suits not knowing that I use FreeBSD" doesn't make SVN over HTTP insecure. -- Igor M. 
From owner-freebsd-security@freebsd.org Sun Dec 10 18:01:37 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky
Cc: freebsd security, RW
From: Yuri
Date: Sun, 10 Dec 2017 10:01:15 -0800

On 12/10/17 09:51, Igor Mozolevsky wrote:
> Hypothetical MITM-bogeyman and "suits not knowing that I use FreeBSD"
> doesn't make SVN over HTTP insecure.

Read here about Alice and Bob: https://en.wikipedia.org/wiki/Alice_and_Bob

Hypothetical characters are commonplace in security discussions.

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 18:15:47 2017
From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 18:15:04 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri
Cc: freebsd security, RW

On 10 December 2017 at 18:01, Yuri wrote:

> On 12/10/17 09:51, Igor Mozolevsky wrote:
>
>> Hypothetical MITM-bogeyman and "suits not knowing that I use FreeBSD"
>> doesn't make SVN over HTTP insecure.
>
> Read here about Alice and Bob: https://en.wikipedia.org/wiki/Alice_and_Bob
>
> Hypothetical characters are commonplace in security discussions.

They are not "hypothetical characters," they are invented characters that
are used in a threat model. But that's reframing the problem- a
hypothetical threat model is very different to a real threat model.

-- 
Igor M.

From owner-freebsd-security@freebsd.org Sun Dec 10 19:02:59 2017
Date: Sun, 10 Dec 2017 11:02:57 -0800
From: John-Mark Gurney
To: Igor Mozolevsky
Cc: RW, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171210190257.GH5901@funkthat.com>

Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 17:39 +0000:
> On 10 December 2017 at 17:32, John-Mark Gurney wrote:
>
> > The discussion has been for svn updates over http, not for freebsd-update
> > updates which are independently signed and verified.. There are currently
> > no signatures provided via SVN to validate any source received via http.
>
> There has been no instance of in-transit compromise reported since SVN was
> introduced.

So, you require an exploit in the wild before you'll patch?

-- 
John-Mark Gurney                Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sun Dec 10 19:14:53 2017
Subject: Re: [FreeBSD-Announce] FreeBSD 11.0 end-of-life
To: freebsd-security
From: Dan Lukes
Message-ID: <10e888e2-7d56-a45e-ecff-fa4dc14eadc4@obluda.cz>
Date: Sun, 10 Dec 2017 20:14:45 +0100
In-Reply-To: <23084.52304.918811.943377@hergotha.csail.mit.edu>

On 10.12.2017 6:55, Garrett Wollman wrote:
> we have only two windows a year when I can actually
> deploy it (after testing) -- from 12/26 to 12/30, and from the Monday
> after the first Saturday in June until the Friday before the first
> Monday in September.

Like me ...

> I'll be rolling out 11.1 later this
> month, but if 11.2 were to happen in March I'd be SOL before I could
> even think about upgrading.

I'm maintaining FreeBSD installations in a few independent companies
(about 30 servers or so in total) and I'm at risk of the same.

I have been forced to create a workaround to mitigate the consequences.

I already have a local copy of the source repository with some of our
own patches[1]. Thus I can just back-port 11.2 SAs (if there are any)
into our 11.1 repository to support 11.1 for the next two upgrade
windows (e.g. to the end of 2018 if 11.2 is released in March).

Dan

1) There are a few bugs reported, including patches, ignored by FreeBSD's
committers for a long time. But most of our local patches are related to
enhancements we are missing, support for unsupported devices or so.

From owner-freebsd-security@freebsd.org Sun Dec 10 19:18:18 2017
In-Reply-To: <20171210190257.GH5901@funkthat.com>
From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 19:17:35 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky, RW, freebsd security

On 10 December 2017 at 19:02, John-Mark Gurney wrote:

> Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 17:39 +0000:
> > On 10 December 2017 at 17:32, John-Mark Gurney wrote:
> >
> > > The discussion has been for svn updates over http, not for freebsd-update
> > > updates which are independently signed and verified.. There are currently
> > > no signatures provided via SVN to validate any source received via http.
> >
> > There has been no instance of in-transit compromise reported since SVN was
> > introduced.
>
> So, you require an exploit in the wild before you'll patch?

No, I'm saying it's not a realistic threat model! If the threat is the
integrity of the source code in transit, then it'd be way cheaper and way
more reasonable to implement a Merkle Tree-like verification with each
revision.

-- 
Igor M.

From owner-freebsd-security@freebsd.org Sun Dec 10 19:23:31 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky
Cc: freebsd security, RW
From: Yuri
Message-ID: <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com>
Date: Sun, 10 Dec 2017 11:23:05 -0800

On 12/10/17 10:15, Igor Mozolevsky wrote:
> They are not "hypothetical characters," they are invented characters that
> are used in a threat model. But that's reframing the problem- a
> hypothetical threat model is very different to a real threat model.

This is a very real threat model. There are a lot of malicious Tor exit
node operators, and a lot of FreeBSD users update their system over
subversion. The only thing that the Tor node operator needs to do is to
detect relevant requests and serve malware. How is this not real?

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 19:24:50 2017
In-Reply-To: <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com>
From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 19:24:07 +0000
Subject: Re: http subversion URLs should be discontinued in favor of
https URLs To: Yuri Cc: freebsd security , RW Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 19:24:51 -0000 On 10 December 2017 at 19:23, Yuri wrote: > On 12/10/17 10:15, Igor Mozolevsky wrote: > >> They are not "hypothetical characters," they are invented characters that >> are used in a threat model. But that's reframing the problem- a >> hypothetical threat model is very different to a real threat model. >> > > > This is a very real threat model. There are a lot of malicious Tor exit > node operators, and a lot of FreeBSD users update their system over > subversion. The only thing that the Tor node operator needs to do is to > detect relevant requests and serve malware. > > How is this not real? It seems the problem is *not* FreeBSD but Tor in your case! -- Igor M. 
From owner-freebsd-security@freebsd.org Sun Dec 10 19:31:55 2017
From: Yuri
Date: Sun, 10 Dec 2017 11:31:34 -0800
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky
Cc: freebsd security, RW
Message-ID: <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com>

On 12/10/17 11:24, Igor Mozolevsky wrote:
> It seems the problem is *not* FreeBSD but Tor in your case!

This is the problem of the weakest link in the system which is FreeBSD.

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 19:37:36 2017
From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 19:36:53 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri
Cc: freebsd security, RW

On 10 December 2017 at 19:31, Yuri wrote:

> On 12/10/17 11:24, Igor Mozolevsky wrote:
>
> It seems the problem is **not** FreeBSD but Tor in your case!
>
>
> This is the problem of the weakest link in the system which is FreeBSD.
>

If I give my bank card and PIN to someone who I don't trust, I can't
complain that my bank doesn't take adequate precautions if that person
drains my bank account! You choose to go down a route that *you* know is
compromised!

--
Igor M.

From owner-freebsd-security@freebsd.org Sun Dec 10 19:42:35 2017
From: John-Mark Gurney
Date: Sun, 10 Dec 2017 11:42:34 -0800
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky
Cc: RW, freebsd security
Message-ID: <20171210194234.GJ5901@funkthat.com>

Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 19:17 +0000:
> On 10 December 2017 at 19:02, John-Mark Gurney wrote:
>
> > Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 17:39 +0000:
> > > On 10 December 2017 at 17:32, John-Mark Gurney wrote:
> > >
> > > > The discussion has been for svn updates over http, not for freebsd-update
> > > > updates which are independently signed and verified.. There are currently
> > > > no signatures provided via SVN to validate any source received via http.
> > >
> > > There has been no instance of in-transit compromise reported since SVN was
> > > introduced.
> >
> > So, you require an exploit in the wild before you'll patch?
>
> No, I'm saying it's not a realistic threat model! If the threat is the
> integrity of the source code in transit, then it'd be way cheaper and way
> more reasonable to implement a Merkle Tree-like verification with each
> revision.

Then you should be fine w/ http for banking sites, since it's not realistic
that your ISP will MITM your connection to steal money from you, right?
I don't know of a single instance of an ISP MITM'ing banking transactions
to steal money.

--
John-Mark Gurney    Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."

From owner-freebsd-security@freebsd.org Sun Dec 10 19:47:55 2017
From: Yuri
Date: Sun, 10 Dec 2017 11:47:33 -0800
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky
Cc: freebsd security, RW
Message-ID: <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>

On 12/10/17 11:36, Igor Mozolevsky wrote:
> If I give my bank card and PIN to someone who I don't trust, I can't
> complain that my bank doesn't take adequate precautions if that person
> drains my bank account! You choose to go down a route that *you* know is
> compromised!

1. The user has set up the subversion source trees based on the *current
   advice* here for anonymous checkout:
   https://wiki.freebsd.org/PortsSubversionPrimer

   > % svn co http://svn.freebsd.org/ports/head /usr/ports

2. The user heard that Tor improves his anonymity, and decided to use it.

3. The user updated the sources through Tor and got hacked.

Where did this user go wrong, or where has he been irresponsible?

The fact that this page https://wiki.freebsd.org/PortsSubversionPrimer
still recommends http is appalling!

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 19:49:36 2017
From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 19:48:53 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Igor Mozolevsky, RW, freebsd security

On 10 December 2017 at 19:42, John-Mark Gurney wrote:

> Igor Mozolevsky wrote this message on Sun, Dec 10, 2017 at 19:17 +0000:
> > No, I'm saying it's not a realistic threat model! If the threat is the
> > integrity of the source code in transit, then it'd be way cheaper and way
> > more reasonable to implement a Merkle Tree-like verification with each
> > revision.
>
> Then you should be fine w/ http for banking sites, since it's not realistic
> that your ISP will MITM your connection to steal money from you, right?
> I don't know of a single instance of an ISP MITM'ing banking transactions
> to steal money.

Entirely different threat model that has nothing to do with MITM but a lot
to do with bank-website mimicry! If I connect to MoneyBags, Inc, I want to
be sure that everything I send is received at MoneyBags, Inc, and not
someone pretending to be MoneyBags, Inc. If I connect to svn.example.com,
all I care about is that the Merkle Tree holds, not whether svn.example.com
or svn.middleman.example.com provided it.

--
Igor M.

From owner-freebsd-security@freebsd.org Sun Dec 10 19:53:15 2017
From: Igor Mozolevsky
Date: Sun, 10 Dec 2017 19:52:32 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri
Cc: freebsd security, RW

On 10 December 2017 at 19:47, Yuri wrote:

> On 12/10/17 11:36, Igor Mozolevsky wrote:
>
> If I give my bank card and PIN to someone who I don't trust, I can't
> complain that my bank doesn't take adequate precautions if that person
> drains my bank account! You choose to go down a route that **you** know is
> compromised!
>
>
> 1. The user has set up the subversion source trees based on the *current
> advice* here for anonymous checkout:
> https://wiki.freebsd.org/PortsSubversionPrimer
>
> > % svn co http://svn.freebsd.org/ports/head /usr/ports
>
> 2. The user heard that Tor improves his anonymity, and decided to use it.
>
> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?
>
>
> The fact that this page https://wiki.freebsd.org/PortsSubversionPrimer
> still recommends http is appalling!
>

The FreeBSD wiki doesn't recommend Tor, does it?! If the user was so badly
educated about Tor, why is it FreeBSD's problem, honestly?

What you're saying is no different than "Alice" doesn't want to download
FreeBSD herself, so she asks "Eve" to get her a CD with the source code.
Unbeknownst to Alice, Eve replaces a bunch of files on the CD and presents
the CD to Alice as a bona fide copy. The problem in the chain is Eve (or
Tor, in your case) not where Eve got the CD from!

This discussion is turning circular and, quite frankly, ridiculous!

--
Igor M.

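Added example, not part of any message in this thread and not how Subversion or FreeBSD distribute sources: a sketch of the "Merkle Tree-like verification" idea raised above, checking files received from an untrusted intermediary against a root hash. The function names, the leaf encoding and the sample tree are constructed for illustration, and the sketch assumes the trusted root reaches the user over an authenticated channel; a root supplied by the same intermediary proves nothing, as the last check in the usage section shows.

```python
import hashlib
import hmac


def leaf_hash(path: str, content: bytes) -> bytes:
    # 0x00 marks a leaf; the length prefix keeps ("a", b"bc") and
    # ("ab", b"c") from producing the same hash input.
    p = path.encode("utf-8")
    return hashlib.sha256(b"\x00" + len(p).to_bytes(4, "big") + p + content).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 marks an interior node, so a leaf can never be passed off as one.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _levels(tree: dict) -> list:
    """Every level of the tree, leaves first; paths are sorted for determinism."""
    level = [leaf_hash(p, tree[p]) for p in sorted(tree)]
    if not level:
        raise ValueError("empty tree")
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])  # odd node is promoted, not duplicated
        levels.append(nxt)
        level = nxt
    return levels


def merkle_root(tree: dict) -> bytes:
    return _levels(tree)[-1][0]


def inclusion_proof(tree: dict, path: str) -> list:
    """Sibling hashes from leaf to root as (side, hash), side being 'L' or 'R'."""
    idx = sorted(tree).index(path)
    proof = []
    for level in _levels(tree)[:-1]:
        sib = idx ^ 1
        if sib < len(level):
            proof.append(("L" if sib < idx else "R", level[sib]))
        idx //= 2
    return proof


def verify_file(path: str, content: bytes, proof: list, trusted_root: bytes) -> bool:
    acc = leaf_hash(path, content)
    for side, sib in proof:
        acc = node_hash(sib, acc) if side == "L" else node_hash(acc, sib)
    return hmac.compare_digest(acc, trusted_root)


def failed_paths(received: dict, proofs: dict, trusted_root: bytes) -> list:
    """Paths in `received` that do not verify against the trusted root.

    The proofs themselves need no trust: a forged proof cannot reach the
    trusted root. Omitted files are caught by comparing merkle_root() of
    the whole received tree with the trusted root instead.
    """
    return sorted(
        p for p, data in received.items()
        if p not in proofs or not verify_file(p, data, proofs[p], trusted_root)
    )


# Constructed sample revision (five files, so the odd-node case is exercised).
PUBLISHED = {
    "Makefile": b"all:\n\tcc -o hello hello.c\n",
    "README": b"sample tree\n",
    "hello.c": b"int main(void){return 0;}\n",
    "lib/util.c": b"int util(void){return 1;}\n",
    "lib/util.h": b"int util(void);\n",
}
TRUSTED_ROOT = merkle_root(PUBLISHED)  # assumed delivered over an authenticated channel
PROOFS = {p: inclusion_proof(PUBLISHED, p) for p in PUBLISHED}

# Constructed copy as it might arrive via an intermediary: one file changed, one added.
RECEIVED = dict(PUBLISHED)
RECEIVED["hello.c"] = b"int main(void){return 42;}\n"
RECEIVED["lib/extra.c"] = b"int extra(void){return 2;}\n"

if __name__ == "__main__":
    print("trusted root:", TRUSTED_ROOT.hex())
    print("clean copy failures:", failed_paths(PUBLISHED, PROOFS, TRUSTED_ROOT))
    print("received copy failures:", failed_paths(RECEIVED, PROOFS, TRUSTED_ROOT))
    # A root computed by the intermediary matches its own altered tree.
    forged_root = merkle_root(RECEIVED)
    print("altered file vs. forged root:",
          verify_file("hello.c", RECEIVED["hello.c"],
                      inclusion_proof(RECEIVED, "hello.c"), forged_root))
```
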
From owner-freebsd-security@freebsd.org Sun Dec 10 19:57:34 2017
From: "Poul-Henning Kamp"
Date: Sun, 10 Dec 2017 19:57:14 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri
Cc: Igor Mozolevsky, freebsd security, RW
Message-ID: <24467.1512935834@critter.freebsd.dk>

--------
In message <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>, Yuri writes:

>3. The user updated the sources through Tor and got hacked.
>
>Where did this user go wrong, or where has he been irresponsible?

He trusted Tor?

In 2006 Steven Murdoch's "Hot or Not" work in TCP timers revealed
that a LOT of the Tor network is on a longitude compatible with a
"Bandit of The Beltway" location.

If you still, eleven years later, seriously believe that Tor is
trustworthy, you shouldn't be allowed near any kind of security
decision.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Sun Dec 10 20:03:57 2017
From: Yuri
Date: Sun, 10 Dec 2017 12:03:36 -0800
Subject: Please commit the attached patch recommending the use of https in documentation
To: "freebsd-security@freebsd.org"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224229

-- I am writing here because my previous documentation patches were not
committed for months. It looks like there are no docs committers at all.

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 20:08:52 2017
From: Eugene Grosbein
Date: Mon, 11 Dec 2017 02:37:03 +0700
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, Igor Mozolevsky
Cc: freebsd security, RW
Message-ID: <5A2D8CDF.80903@grosbein.net>

11.12.2017 2:23, Yuri wrote:

> On 12/10/17 10:15, Igor Mozolevsky wrote:
>> They are not "hypothetical characters," they are invented characters that
>> are used in a threat model. But that's reframing the problem- a
>> hypothetical threat model is very different to a real threat model.
>
>
> This is a very real threat model. There are a lot of malicious Tor exit node operators,
> and a lot of FreeBSD users update their system over subversion. The
> only thing that the Tor node operator needs to do is to detect relevant requests and serve malware.

Hmm, you should not pass your traffic through the network operated by lots
of malicious operators in the first place. No matter encrypted or not.
There are plenty of alternative ways.

From owner-freebsd-security@freebsd.org Sun Dec 10 20:37:58 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Eugene Grosbein, Igor Mozolevsky
Cc: freebsd security, RW
From: Yuri
Date: Sun, 10 Dec 2017 12:37:36 -0800
In-Reply-To: <5A2D8CDF.80903@grosbein.net>

On 12/10/17 11:37, Eugene Grosbein wrote:
> Hmm, you should not pass your traffic through the network operated
> by lots of malicious operators in first place. No matter encrypted or not.
> There are plenty of alternative ways.

Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 20:45:50 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, Igor Mozolevsky
Cc: freebsd security, RW
From: Eugene Grosbein
Message-ID: <5A2D9CEF.9020404@grosbein.net>
Date: Mon, 11 Dec 2017 03:45:35 +0700

11.12.2017 3:37, Yuri wrote:

> On 12/10/17 11:37, Eugene Grosbein wrote:
>> Hmm, you should not pass your traffic through the network operated
>> by lots of malicious operators in first place. No matter encrypted or not.
>> There are plenty of alternative ways.
>
>
> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?

No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.

From owner-freebsd-security@freebsd.org Sun Dec 10 20:52:42 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
From: Franco Fichtner
In-Reply-To: <5A2D9CEF.9020404@grosbein.net>
Date: Sun, 10 Dec 2017 21:52:38 +0100
Cc: Yuri, Igor Mozolevsky, freebsd security, RW
Message-Id: <3C567C04-1B10-4F8F-B503-55AE5F5D53D7@lastsummer.de>
To: Eugene Grosbein

> On 10. Dec 2017, at 9:45 PM, Eugene Grosbein wrote:
>
> 11.12.2017 3:37, Yuri wrote:
>
>> On 12/10/17 11:37, Eugene Grosbein wrote:
>>> Hmm, you should not pass your traffic through the network operated
>>> by lots of malicious operators in first place. No matter encrypted or not.
>>> There are plenty of alternative ways.
>>
>>
>> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?
>
> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.

You deconstructed the point you tried to make:

With HTTP MITM you don't have a choice. ;)

Cheers,
Franco

From owner-freebsd-security@freebsd.org Sun Dec 10 20:55:04 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Eugene Grosbein, Igor Mozolevsky
Cc: freebsd security, RW
From: Yuri
Message-ID: <2fde7b1e-7174-00d1-5fd0-65c385bdcdef@rawbw.com>
Date: Sun, 10 Dec 2017 12:54:58 -0800
In-Reply-To: <5A2D9CEF.9020404@grosbein.net>

On 12/10/17 12:45, Eugene Grosbein wrote:
> 11.12.2017 3:37, Yuri wrote:
>
>> On 12/10/17 11:37, Eugene Grosbein wrote:
>>> Hmm, you should not pass your traffic through the network operated
>>> by lots of malicious operators in first place. No matter encrypted or not.
>>> There are plenty of alternative ways.
>>
>> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?
> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.

There's no MITMing with https unless you are a state actor. There are very few state actors, they are special case.
Regular hackers can't MITM https, but can MITM http.

Yuri

From owner-freebsd-security@freebsd.org Sun Dec 10 20:59:48 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Franco Fichtner
Cc: Yuri, Igor Mozolevsky, freebsd security, RW
From: Eugene Grosbein
Message-ID: <5A2DA031.2020009@grosbein.net>
Date: Mon, 11 Dec 2017 03:59:29 +0700
In-Reply-To: <3C567C04-1B10-4F8F-B503-55AE5F5D53D7@lastsummer.de>

11.12.2017 3:52, Franco Fichtner wrote:

>> On 10. Dec 2017, at 9:45 PM, Eugene Grosbein wrote:
>>
>> 11.12.2017 3:37, Yuri wrote:
>>
>>> On 12/10/17 11:37, Eugene Grosbein wrote:
>>>> Hmm, you should not pass your traffic through the network operated
>>>> by lots of malicious operators in first place. No matter encrypted or not.
>>>> There are plenty of alternative ways.
>>>
>>>
>>> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?
>>
>> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
>> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.
>
> You deconstructed the point you tried to make:
>
> With HTTP MITM you don't have a choice. ;)

With HTTP going through another route you could have no MITM because a) MITM is illegal for network provider
and/or b) nobody on this route cares of this HTTP connection (opposed to TOR operator).

Let's get it to real threat model instead of fictional one?

From owner-freebsd-security@freebsd.org Sun Dec 10 21:03:15 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, Igor Mozolevsky
Cc: freebsd security, RW
From: Eugene Grosbein
Message-ID: <5A2DA105.9030501@grosbein.net>
Date: Mon, 11 Dec 2017 04:03:01 +0700
In-Reply-To: <2fde7b1e-7174-00d1-5fd0-65c385bdcdef@rawbw.com>

11.12.2017 3:54, Yuri wrote:

>>> Modern encryption protocols allow you to send traffic over insecure networks and still maintain your security and privacy, so why not?
>> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
>> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.
>
> There's no MITMing with https unless you are a state actor. There are very few state actors, they are special case.
> Regular hackers can't MITM https, but can MITM http.

You either have no idea, or missed the point. In fact, anyone can do MITM (ssl bump) for https running through its system.
It is only question of making it undetected and then you have a choice described in the quote above.

From owner-freebsd-security@freebsd.org Sun Dec 10 22:43:33 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, Igor Mozolevsky
Cc: freebsd security, RW
From: Michelle Sullivan
Message-id: <5A2DB80D.3020309@sorbs.net>
Date: Mon, 11 Dec 2017 09:41:17 +1100
In-reply-to: <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com>

Yuri wrote:
> On 12/10/17 10:15, Igor Mozolevsky wrote:
>> They are not "hypothetical characters," they are invented characters that
>> are used in a threat model. But that's reframing the problem- a
>> hypothetical threat model is very different to a real threat model.
>
>
> This is a very real threat model. There are a lot of malicious Tor
> exit node operators, and a lot of FreeBSD users update their system
> over subversion. The only thing that the Tor node operator needs to do
> is to detect relevant requests and serve malware.
>
> How is this not real?

Sounds to me the proper solution is stop using Tor.

If you can't trust the network (wire) no matter what you do you can't
guarantee safety.

Seriously if there are "a lot of malicious Tor exit node operators" the simple answer is stop using Tor.

Michelle

From owner-freebsd-security@freebsd.org Sun Dec 10 22:51:37 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, Igor Mozolevsky
Cc: freebsd security
From: Michelle Sullivan
Message-id: <5A2DB9F8.1040301@sorbs.net>
Date: Mon, 11 Dec 2017 09:49:28 +1100
In-reply-to: <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>

Yuri wrote:
> On 12/10/17 11:36, Igor Mozolevsky wrote:
>> If I give my bank card and PIN to someone who I don't trust, I can't
>> complain that my bank doesn't take adequate precautions if that person
>> drains my bank account! You choose to go down a route that *you* know is
>> compromised!
>
>
> 1. The user has set up the subversion source trees based on the
> *current advice* here for anonymous checkout:
> https://wiki.freebsd.org/PortsSubversionPrimer
>
>> % svn co http://svn.freebsd.org/ports/head /usr/ports
>
> 2. The user heard that Tor improves his anonymity, and decided to use it.
>
> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?
>

User gets an email saying his banking details are compromised, and to update them now. User clicks the link and gives banking details to phishing site as well as having a keylogger and rootkit installed during the process. User has bank account hacked. Where did the bank go wrong?

Bank installs secondary security to prevent phishing/user realises the site is phishing and puts in false details or aborts the input... Keylogger is still on their system though because that was installed on the first click before the page was updated because of a compromised Microsoft code signing certificate... Where did the bank or the user go wrong?

Maybe instead, user takes their phone into the local Maccas and uses the hotspot there, as part of the sign-in they get a compromised app from a local hacker that has been stalking the hotspot... Ding ding ding we have a winner... can't trust the network, just like the Tor case... etc etc etc

Michelle

From owner-freebsd-security@freebsd.org Sun Dec 10 22:53:28 2017
Date: Sun, 10 Dec 2017 14:53:26 -0800
From: John-Mark Gurney
To: Michelle Sullivan
Cc: Yuri, Igor Mozolevsky, freebsd security, RW
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171210225326.GK5901@funkthat.com>
In-Reply-To: <5A2DB80D.3020309@sorbs.net>

Michelle Sullivan wrote this message on Mon, Dec 11, 2017 at 09:41 +1100:
> Yuri wrote:
> > On 12/10/17 10:15, Igor Mozolevsky wrote:
> >> They are not "hypothetical characters," they are invented characters that
> >> are used in a threat model. But that's reframing the problem- a
> >> hypothetical threat model is very different to a real threat model.
> >
> >
> > This is a very real threat model. There are a lot of malicious Tor
> > exit node operators, and a lot of FreeBSD users update their system
> > over subversion. The only thing that the Tor node operator needs to do
> > is to detect relevant requests and serve malware.
> >
> > How is this not real?
>
> Sounds to me the proper solution is stop using Tor.
>
> If you can't trust the network (wire) no matter what you do you can't
> guarantee safety.

IMO, all security needs to be node-to-node. It needs to be assumed that the network is compromised. Be it public wifi, tor, or malicious actor rerouting traffic via BGP spoofing, node-to-node protection is the answer to all of those.

Considering that China has redirected large segments of the inet traffic through them, you can't even trust the inet back bone to be secure.

I know I've never gotten notification from my ISP that my traffic may have been compromised this way, and w/o notification, I cannot properly assess what may have been compromised.

--
John-Mark Gurney    Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
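Added example, not part of any message in this thread and not FreeBSD or Subversion code: a sketch of the "Merkle Tree-like verification" of a source tree that Igor Mozolevsky suggests elsewhere in the thread, which detects tampering in transit whatever the transport is. It assumes the 32-byte root digest reaches the client over an authenticated channel; the file paths, contents and function names are constructed for illustration.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(path: str, content: bytes) -> bytes:
    # 0x00 prefix and a length-prefixed path keep leaves distinct from
    # interior nodes and stop path/content boundary confusion.
    p = path.encode("utf-8")
    return _h(b"\x00" + len(p).to_bytes(4, "big") + p + content)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _levels(files: dict) -> list:
    """All tree levels, leaves first. Leaves are ordered by sorted path."""
    level = [leaf_hash(p, files[p]) for p in sorted(files)] or [_h(b"")]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])  # odd node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels


def merkle_root(files: dict) -> bytes:
    return _levels(files)[-1][0]


def inclusion_proof(files: dict, path: str) -> list:
    """Sibling hashes needed to recompute the root from one file."""
    index = sorted(files).index(path)
    proof = []
    for level in _levels(files)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_file(path: str, content: bytes, proof: list, trusted_root: bytes) -> bool:
    """Check a single fetched file against the trusted root."""
    digest = leaf_hash(path, content)
    for sibling, sibling_is_left in proof:
        digest = node_hash(sibling, digest) if sibling_is_left else node_hash(digest, sibling)
    return hmac.compare_digest(digest, trusted_root)


def verify_checkout(files: dict, trusted_root: bytes) -> bool:
    """Check a whole fetched tree against the trusted root."""
    return hmac.compare_digest(merkle_root(files), trusted_root)


# Constructed sample tree: paths and contents are made up for illustration.
PUBLISHED = {
    "ports/head/Makefile": b"SUBDIR += security\n",
    "ports/head/security/Makefile": b"SUBDIR += example-port\n",
    "ports/head/security/example-port/distinfo": b"SIZE (example-1.0.tar.gz) = 1024\n",
}
# Assumption: this value is obtained over an authenticated channel,
# not over the same connection that delivers the files.
TRUSTED_ROOT = merkle_root(PUBLISHED)


def tampered_copy(files: dict, path: str, new_content: bytes) -> dict:
    """What the client would receive if one file were altered in transit."""
    altered = dict(files)
    altered[path] = new_content
    return altered


if __name__ == "__main__":
    received = tampered_copy(PUBLISHED, "ports/head/security/Makefile", b"SUBDIR += other\n")
    print("clean tree verifies:   ", verify_checkout(PUBLISHED, TRUSTED_ROOT))
    print("altered tree verifies: ", verify_checkout(received, TRUSTED_ROOT))
```

The check only moves the trust question to the root digest: if that digest is fetched over the same unauthenticated path as the files, it can be replaced along with them.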
From owner-freebsd-security@freebsd.org Sun Dec 10 23:07:22 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 19511EA07B4 for ; Sun, 10 Dec 2017 23:07:22 +0000 (UTC) (envelope-from michelle@sorbs.net) Received: from hades.sorbs.net (hades.sorbs.net [72.12.213.40]) by mx1.freebsd.org (Postfix) with ESMTP id ED9FE67768 for ; Sun, 10 Dec 2017 23:07:21 +0000 (UTC) (envelope-from michelle@sorbs.net) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; CHARSET=US-ASCII; format=flowed Received: from typhoon.sorbs.net (203-206-128-220.perm.iinet.net.au [203.206.128.220]) by hades.sorbs.net (Oracle Communications Messaging Server 7.0.5.29.0 64bit (built Jul 9 2013)) with ESMTPSA id <0P0R00BDWPYOB500@hades.sorbs.net> for freebsd-security@freebsd.org; Sun, 10 Dec 2017 15:16:02 -0800 (PST) Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Igor Mozolevsky , freebsd security References: <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <20171210190257.GH5901@funkthat.com> <20171210194234.GJ5901@funkthat.com> From: Michelle Sullivan Message-id: <5A2DBDA8.7030703@sorbs.net> Date: Mon, 11 Dec 2017 10:05:12 +1100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40 In-reply-to: <20171210194234.GJ5901@funkthat.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 23:07:22 -0000 John-Mark Gurney wrote: > Igor 
Mozolevsky wrote this message on Sun, Dec 10, 2017 at 19:17 +0000:
>> On 10 December 2017 at 19:02, John-Mark Gurney wrote:
>>
>>> So, you require an exploit in the wild before you'll patch?
>> No, I'm saying it's not a realistic threat model! If the threat is the
>> integrity of the source code in transit, then it'd be way cheaper and way
>> more reasonable to implement a Merkle Tree-like verification with each
>> revision.
> Then you should be fine w/ http for banking sites, since it's not realistic
> that your ISP will MITM your connection to steal money from you, right?
> I don't know of a single instance of an ISP MITM'ing banking transactions
> to steal money.
>

Invalid analogy... You probably shouldn't go there... so I will.

I have in the past (long time ago - well past that statute of limitations - so can share now) compromised an FTP server on a certain European ISP's network, on there I put a password sniffer looking for a very specific user/connection/password combination... 4 hours it took to get the password I then had "root" across their entire network and in particular to their IRC server... needless to say I have grown up since those days. However, at the time there was very little online banking, and all the banking I knew about was pretty much read only (checking balances, authorising payments to pre-existing arrangements etc)... but using this 'well you might as well use HTTP' would have left me with the opportunity to make a lot of illegal money real quick if you apply it now.

Here's a tip, you come to my street and find my open wifi, I'll compromise your arse (just the same as these hypothetical 'malicious Tor node operators') you want a secure connection, one that won't leave you with a hacked Android device, don't use my open wifi network. Come and ask me to use my secure network, or use another network.
Michelle From owner-freebsd-security@freebsd.org Sun Dec 10 23:15:17 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 46253EA0D30 for ; Sun, 10 Dec 2017 23:15:17 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 053E167EBE for ; Sun, 10 Dec 2017 23:15:16 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 984F62737A; Sun, 10 Dec 2017 23:15:12 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vBANEuXu099307 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 10 Dec 2017 23:14:56 GMT (envelope-from phk@critter.freebsd.dk) Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vBANEs0E099306; Sun, 10 Dec 2017 23:14:54 GMT (envelope-from phk) To: John-Mark Gurney cc: Michelle Sullivan , Yuri , RW , Igor Mozolevsky , freebsd security Subject: Re: http subversion URLs should be discontinued in favor of https URLs In-reply-to: <20171210225326.GK5901@funkthat.com> From: "Poul-Henning Kamp" References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <99304.1512947694.1@critter.freebsd.dk> Date: Sun, 10 Dec 2017 23:14:54 +0000 Message-ID: <99305.1512947694@critter.freebsd.dk> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 23:15:17 -0000

--------
In message <20171210225326.GK5901@funkthat.com>, John-Mark Gurney writes:

>IMO, all security needs to be node-to-node.

There's nothing "IMO" about that.

The end-to-end principle became a bed-rock foundation of all rational networking with "End to End Arguments in System Design" in 1981.

http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf

The only realistic way for the FreeBSD project to implement end-to-end trust, is HTTPS with a self-signed cert, distributed and verified using the project's PGP-trust-mesh and strong social network.

Anything else is just pretend-security today.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Sun Dec 10 23:20:16 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A1736EA0F79 for ; Sun, 10 Dec 2017 23:20:16 +0000 (UTC) (envelope-from michelle@sorbs.net) Received: from hades.sorbs.net (hades.sorbs.net [72.12.213.40]) by mx1.freebsd.org (Postfix) with ESMTP id 83B25680BA for ; Sun, 10 Dec 2017 23:20:16 +0000 (UTC) (envelope-from michelle@sorbs.net) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; CHARSET=US-ASCII; format=flowed Received: from typhoon.sorbs.net (203-206-128-220.perm.iinet.net.au [203.206.128.220]) by hades.sorbs.net (Oracle Communications Messaging Server 7.0.5.29.0 64bit (built Jul 9 2013)) with ESMTPSA id <0P0R00402QK3RH00@hades.sorbs.net> for freebsd-security@freebsd.org; Sun, 10 Dec 2017 15:28:55 -0800 (PST) Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Yuri , Jason Hellenthal ,
Poul-Henning Kamp , "freebsd-security@freebsd.org" References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> <5A2A6985.3070202@sorbs.net> <20171210172127.GD5901@funkthat.com> From: Michelle Sullivan Message-id: <5A2DC0AB.3070900@sorbs.net> Date: Mon, 11 Dec 2017 10:18:03 +1100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40 In-reply-to: <20171210172127.GD5901@funkthat.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Dec 2017 23:20:16 -0000

John-Mark Gurney wrote:
> Michelle Sullivan wrote this message on Fri, Dec 08, 2017 at 21:29 +1100:
>> Sorry you want to ensure a secure (trusted) connection you do it
>> yourself. You go through other nodes (switches and routers of the
> So you're fine w/ all the Comcast users having to switch ISPs? Because
> Comcast modifies traffic.

Sure, my ISP in Australia modifies some traffic (how much I don't know because I haven't looked deeply) first detection of it I set up mitigation to secure my connection from tampering... where I care about it. In my case they disabled https access so they could MITM... All my http(s) traffic now goes through a proxy, and all my network traffic now exits over a VPN connection to my network in a DC which hosts the top of my proxy server chain.

> So you're now saying that if you use FreeBSD
> you can't use Comcast as your ISP?

No, I'm saying if you can't trust ${ISP} to give you your FreeBSD source untampered with, you should not use ${ISP} as your ISP... don't give a t*** who ${ISP} is, if you can't trust it, don't use it or mitigate your trust issues by doing like me.
This argument is circular and pointless, if ${User} is downloading and compiling FreeBSD from source there is a pretty good chance they know a little more about Tor than 'I heard this app will allow me anonymity'...

Seriously, you want anonymity and safety I have a device that I'll send you for free... It's lightweight and simple, it consists of two metal blades with a pivot in the middle.

Michelle

From owner-freebsd-security@freebsd.org Mon Dec 11 15:10:09 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0699BE945ED for ; Mon, 11 Dec 2017 15:10:09 +0000 (UTC) (envelope-from news@mips.inka.de) Received: from mail.inka.de (quechua.inka.de [IPv6:2a04:c9c7:0:1073:217:a4ff:fe3b:e77c]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C29DF696E5 for ; Mon, 11 Dec 2017 15:10:08 +0000 (UTC) (envelope-from news@mips.inka.de) Received: from mips.inka.de (news@[127.0.0.1]) by mail.inka.de with uucp (rmailwrap 0.5) id 1eOPiY-0001Gk-65; Mon, 11 Dec 2017 16:10:06 +0100 Received: from lorvorc.mips.inka.de (localhost [127.0.0.1]) by lorvorc.mips.inka.de (8.15.2/8.15.2) with ESMTP id vBBF8bFi024598 for ; Mon, 11 Dec 2017 16:08:37 +0100 (CET) (envelope-from news@lorvorc.mips.inka.de) Received: (from news@localhost) by lorvorc.mips.inka.de (8.15.2/8.15.2/Submit) id vBBF8bN6024597 for freebsd-security@freebsd.org; Mon, 11 Dec 2017 16:08:37 +0100 (CET) (envelope-from news) To: freebsd-security@freebsd.org From: Christian Weisgerber Newsgroups: list.freebsd.security Subject: Re: http subversion URLs should be discontinued in favor of https URLs Date: Mon, 11 Dec 2017 15:08:37 -0000 (UTC) Message-ID: References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com>
<8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> User-Agent: slrn/1.0.3 (FreeBSD) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Dec 2017 15:10:09 -0000 On 2017-12-08, Luke Crooks wrote: > The pull request was rejected for a valid reason, offering http allows > users with limited network access chance to clone or download freebsd where > https is not possible. Do users actually exist who have access to http but not to https? Or is this a myth? And how do these users access popular sites like Wikipedia, or www.FreeBSD.org for that matter? This is also of interest for the choice of master sites in ports. 
-- Christian "naddy" Weisgerber naddy@mips.inka.de From owner-freebsd-security@freebsd.org Mon Dec 11 15:16:36 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6CB08E94A62 for ; Mon, 11 Dec 2017 15:16:36 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F08D269C86 for ; Mon, 11 Dec 2017 15:16:35 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-wm0-x22e.google.com with SMTP id 9so15097112wme.4 for ; Mon, 11 Dec 2017 07:16:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=zNTxN6YT3zU3y5Sd5z/tlubJNEsmhc9VjQbJNe4c59s=; b=xrcrlGQsllQ4fLANMdblXoIWgaafDa5v2JnDE+kBckrb23SlWowFg7ln9H15z2A6F8 ALhxhEptx1C6rSFpwcVWOIiroQ1GfJieryFO0PIDfKOefZJwQT98C4og+kkrrv9WH+IR ppHR5nln02jR644uYRJJdAgzTGq+tSFk9hmv4pn+pyBKAeTmUaGULwTBqm+zMkDoTmvT C4/ZecYhDeQyUiDM0NT6qkMcQUbsKhdXwcrSUkq6SKS442619IdsnwHSOnTYwSqx0Ou3 CsSsVSve+yBw+HWSWyAZMcPkfp0IzkiaqNmf8C5VVjgUm6106Zmy/SNbO+jJnrp4fNaY VNVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=zNTxN6YT3zU3y5Sd5z/tlubJNEsmhc9VjQbJNe4c59s=; b=m9HYo8JeLE4tAydcneRqcxSXYsCH8tJlAONtcDMZL0Duw5Xo2kRQQ86bLvNN0q4D3Y MLzg7ULqmXxAmOd2Uc4UDq9+eMgzCjii0MmWnYnszPu+iEAHNOT/l5yTcBTWKg4Bf9DT 
XDaiHT9x1hm4WxsOFCkizGz9lBi986iMCtOmV+D9ThMgDmCkGsc6s8i7yP3xUINlWfxP qFs5k6i37VdN3SISrKxZrtCNub88yz+55osDl8m9SmgRrmCs+mAW6C5Msvu2YEZ8SZf1 oU28B6FSoadGzt9maVmBcE1KWc7EwM8125Op24KlhzhCK7n86bfgP1GfDpTTR/sI9Soa 5Nmw== X-Gm-Message-State: AKGB3mJmtKxqnyiQRekfLPqZcMi90kKMsXkc5kWRR7Mdzho42NiuOuhp YQW6Ok0lJFm9ccieK1gbMwxOFvKiakg= X-Google-Smtp-Source: ACJfBos/W0ejuLHTVTEL49r5er3eUngndrGjrZ81MND4I20fyGXXVpNACg6llrAPjtXxSsswinGZ2Q== X-Received: by 10.28.94.75 with SMTP id s72mr1161048wmb.112.1513005394124; Mon, 11 Dec 2017 07:16:34 -0800 (PST) Received: from mutt-hbsd ([85.159.237.210]) by smtp.gmail.com with ESMTPSA id e40sm17412436wre.6.2017.12.11.07.16.31 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 11 Dec 2017 07:16:33 -0800 (PST) Date: Mon, 11 Dec 2017 10:16:14 -0500 From: Shawn Webb To: Christian Weisgerber Cc: freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <20171211151614.76cm7s4zk6go4clo@mutt-hbsd> References: <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="a3nvtjobkpsou4mv" Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: NeoMutt/20171027 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Dec 2017 15:16:36 -0000 
--a3nvtjobkpsou4mv Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Mon, Dec 11, 2017 at 03:08:37PM -0000, Christian Weisgerber wrote:
> On 2017-12-08, Luke Crooks wrote:
>
> > The pull request was rejected for a valid reason, offering http allows
> > users with limited network access chance to clone or download freebsd where
> > https is not possible.
>
> Do users actually exist who have access to http but not to https?
> Or is this a myth? And how do these users access popular sites
> like Wikipedia, or www.FreeBSD.org for that matter?

In an effort to enforce encrypted comms, my network is the inverse: TCP:80 is disallowed, but TCP:443 is accepted.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

--a3nvtjobkpsou4mv Content-Type: application/pgp-signature; name="signature.asc"

--a3nvtjobkpsou4mv--

From owner-freebsd-security@freebsd.org Mon Dec 11 16:06:58 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from
mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1B29FE962CE for ; Mon, 11 Dec 2017 16:06:58 +0000 (UTC) (envelope-from karl@denninger.net) Received: from colo1.denninger.net (colo1.denninger.net [67.205.158.196]) by mx1.freebsd.org (Postfix) with ESMTP id E32556C03B for ; Mon, 11 Dec 2017 16:06:57 +0000 (UTC) (envelope-from karl@denninger.net) Received: from denninger.net (ip68-1-57-197.pn.at.cox.net [68.1.57.197]) by colo1.denninger.net (Postfix) with ESMTP id 9A5DF2734B for ; Mon, 11 Dec 2017 11:06:22 -0500 (EST) Received: from [192.168.10.23] (D13.Denninger.Net [192.168.10.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by denninger.net (Postfix) with ESMTPSA id C547612333F for ; Mon, 11 Dec 2017 10:06:20 -0600 (CST) Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: freebsd-security@freebsd.org References: <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> <20171211151614.76cm7s4zk6go4clo@mutt-hbsd> From: Karl Denninger Message-ID: Date: Mon, 11 Dec 2017 10:06:20 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 MIME-Version: 1.0 In-Reply-To: <20171211151614.76cm7s4zk6go4clo@mutt-hbsd> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-512; boundary="------------ms020204050904010009050305" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: 
List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Dec 2017 16:06:58 -0000

This is a cryptographically signed message in MIME format.

--------------ms020204050904010009050305 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable

On 12/11/2017 09:16, Shawn Webb wrote:
> On Mon, Dec 11, 2017 at 03:08:37PM -0000, Christian Weisgerber wrote:
>> On 2017-12-08, Luke Crooks wrote:
>>
>>> The pull request was rejected for a valid reason, offering http allows
>>> users with limited network access chance to clone or download freebsd where
>>> https is not possible.
>> Do users actually exist who have access to http but not to https?
>> Or is this a myth? And how do these users access popular sites
>> like Wikipedia, or www.FreeBSD.org for that matter?
> In an effort to enforce encrypted comms, my network is the inverse:
> TCP:80 is disallowed, but TCP:443 is accepted.
>
> Thanks,

Wading back into this; it may be worth one half of 2 bits from others' points of view....

IMO there are three issues and we're conflating them. This is unfortunate because only one of them matters.

Https allegedly provides three things:

1. Attestation (you're talking to who you think you are)
2. Data integrity (the data has not been tampered with)
3. Privacy during transport (nobody but the receiving party can observe the payload except on the sending and terminal ends)

#2 in https comes about because if #1 is true then the payload will not decode if someone tampers with it or the certificate in use, /provided/ the correct options are enforced.

The problem is that if #1 is false then both #2 and #3 are ALSO false, because if I can tamper with attestation then I can MITM the data (insert discussion/debate/whatever on the existing CA structure, etc.
which is really the never-ending debate on key management, distribution and the vouching process in any given certificate management design)

This leads to all sorts of other issues (like intentional MITM behavior via wildcard certs and overrides on certificate checking by corporate IT departments, possibly ISPs, user anti-virus software, compromise of a CA by state actors or hackers, etc.) The premise of https is very pretty but the implementation -- not so much. Nonetheless a whole lot of commerce and such depends on it, because all three are required for commerce so imperfect beats nothing.

But in the context of code distribution I care not about #3. I care /very much/ that /the code is untampered with/ (#2), but note that I really _*don't*_ care about #3 at all because the code is /intentionally published to the public at large/ and I don't care _*much*_ about #1 (if someone mirrors the source /exactly/ then whether I get it from FreeBSD's server or some interloper doesn't really matter either.)

SVN's shortcoming is that it does nothing for #2 on an inherent basis and this debate is thus about trying to use a tool that allegedly does three things when we really only need one of them.

Maybe it's time to move toward something that can for source distribution to the public (e.g. Git) instead of trying to abuse something that we know can't actually meet the criteria required?

Just sayin'.....
--
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

--------------ms020204050904010009050305 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature
--------------ms020204050904010009050305-- From owner-freebsd-security@freebsd.org Mon Dec 11 16:16:47 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D21C7E96858 for ; Mon, 11 Dec 2017 16:16:47 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5E1986C7FE for ; Mon, 11 Dec 2017 16:16:47 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by mail-wm0-x231.google.com with SMTP id f206so15137649wmf.5 for ; Mon, 11 Dec 2017 08:16:47 -0800 (PST) DKIM-Signature: v=1;
a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NPAdjHSM1epiCHyjmJRin/WZ7M4425Gzvx50ilqlQuI=; b=CqwSL2pN2rtpX1EWvdKyPYyYCqsR31aYq07TJv2W014YLbmghe95EkuYpeVtr5P8c5 bZMyjenBkkn88aC42TzGDKageL9kC3XvOV/T/30bXjQ/RaVNjVr9I1GBJC/w/4dSSc4d rMbG+4IwiBXltKksALZt1jNpDDAtz6nXzrILGeK1i+S5JZq9g6wPg95GIMB3BSUwkIIa T383qDygqS4pBbuzM9/m6n44FrbNvo9wuP7KGURXLbb0v8HlCiqt3htpn6hxJz9pidic XIGudL32Ll7mgz3Y9KGXzxhWacckAjAn16HmJk9O74q/1lOnAqSeD0Huyh14FLTS62YW suhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NPAdjHSM1epiCHyjmJRin/WZ7M4425Gzvx50ilqlQuI=; b=qELu11K9ScZwVzH20HUr9UBE4vSZGRDfod25Zm2omvpHHM39u+KJrIUbLjR7yLu9EG LtPDmMNYUan7zk/E5XV43GnnMiqldxhHRHxVErKGHJ3SfqCqLfMAwXzkdoRWWTQQshxy Vhc7wkmW1ms3zSVBFeSQAdhiSJa2SOwBbb86hl3FUtHfwQNYaB0ei25H/ePaDKGVM1Tf s6pjHbYz/eYPTIzzUDTz4Yu/uZBXgkoGVePPnuXh3z0+00wnoa+X2TH96k7YxMaiqipo BynabAv8psS1jIPuZyCNdyJilobgtJc73NIxewZgUDTgGGHcXDtWVbDbNfzBtSGmzJyG ECcw== X-Gm-Message-State: AKGB3mK+zNI/+14/NzQ1iDmIS35Xa4Ezq69B6JuhbR19xHzGt2ZYDJwQ 2JFgFb0NzCDpfKK0ycETE+Qb36Fz1r6cBjyixUg= X-Google-Smtp-Source: ACJfBovkn1L2X4hhmlGLe7MOZhw7cdq01Fl/bNXAuR73jvD9/4FS/dJ9kOk4MLB+O2OMa7QMzRuvP9yFPHRInlQY8p4= X-Received: by 10.28.14.141 with SMTP id 135mr1323763wmo.104.1513009004568; Mon, 11 Dec 2017 08:16:44 -0800 (PST) MIME-Version: 1.0 Received: by 10.28.90.193 with HTTP; Mon, 11 Dec 2017 08:16:03 -0800 (PST) In-Reply-To: References: <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> <20171211151614.76cm7s4zk6go4clo@mutt-hbsd> From: Igor 
Mozolevsky Date: Mon, 11 Dec 2017 16:16:03 +0000 Message-ID: Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Karl Denninger Cc: freebsd security Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Dec 2017 16:16:47 -0000 On 11 December 2017 at 16:06, Karl Denninger wrote: SVN's shortcoming is that it does nothing for [integrity] on an inherent > basis > and this debate is thus about trying to use a tool that allegedly does > three things when we really only need one of them. > This is precisely why I suggested that something along the lines of a Merkle Tree of signed hashes over the revisions would provide adequate integrity, and I am guessing it'd be pretty straight forward to implement with SVN hooks (maybe?). I just don't have the time to look into it in any details. -- Igor M. 
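The suggestion in the message above, a Merkle tree of signed hashes over the revisions, as an added Go sketch (not code from this thread, from Subversion or from FreeBSD). Ed25519 as the signature scheme, the leaf layout and every function name are assumptions made for illustration; the key seed and revision contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type step struct {
	sibling [32]byte
	left    bool // sibling sits to the left of the running hash
}

// leafHash binds a revision number to its content digest (0x00 marks a leaf).
func leafHash(rev uint64, content []byte) [32]byte {
	digest := sha256.Sum256(content)
	buf := make([]byte, 9, 41)
	binary.BigEndian.PutUint64(buf[1:], rev) // buf[0] stays 0x00
	return sha256.Sum256(append(buf, digest[:]...))
}

func nodeHash(l, r [32]byte) [32]byte {
	buf := append([]byte{0x01}, l[:]...) // 0x01 marks an interior node
	return sha256.Sum256(append(buf, r[:]...))
}

// buildLevels returns every level (leaves first) and the root; needs >= 1 leaf.
func buildLevels(leaves [][32]byte) ([][][32]byte, [32]byte) {
	levels := [][][32]byte{leaves}
	cur := leaves
	for len(cur) > 1 {
		var next [][32]byte
		for i := 0; i < len(cur); i += 2 {
			if i+1 < len(cur) {
				next = append(next, nodeHash(cur[i], cur[i+1]))
			} else {
				next = append(next, cur[i]) // odd node is promoted, never duplicated
			}
		}
		levels = append(levels, next)
		cur = next
	}
	return levels, cur[0]
}

// prove collects the sibling hashes on the path from leaf idx to the root.
func prove(levels [][][32]byte, idx int) []step {
	var proof []step
	for _, lvl := range levels[:len(levels)-1] {
		if sib := idx ^ 1; sib < len(lvl) {
			proof = append(proof, step{lvl[sib], sib < idx})
		}
		idx /= 2
	}
	return proof
}

// verifyRevision is the client-side check; it needs only the public key.
func verifyRevision(pub ed25519.PublicKey, root [32]byte, sig []byte, rev uint64, content []byte, proof []step) bool {
	if !ed25519.Verify(pub, root[:], sig) {
		return false
	}
	h := leafHash(rev, content)
	for _, s := range proof {
		if s.left {
			h = nodeHash(s.sibling, h)
		} else {
			h = nodeHash(h, s.sibling)
		}
	}
	return h == root
}

// demo (constructed key and revisions): r3 ok, r5 ok, altered r3 accepted, re-rooted tree accepted.
func demo() (r3ok, r5ok, tamperedOK, forgedOK bool) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	revs := []string{"r1 import", "r2 fix libc", "r3 update sshd", "r4 docs", "r5 kernel"}
	// Repository side, e.g. from a post-commit hook: rebuild the tree, sign the root.
	var leaves [][32]byte
	for i, c := range revs {
		leaves = append(leaves, leafHash(uint64(i+1), []byte(c)))
	}
	levels, root := buildLevels(leaves)
	sig := ed25519.Sign(priv, root[:])
	// Client side: content and proof may come over plain HTTP or from a cache.
	r3ok = verifyRevision(pub, root, sig, 3, []byte(revs[2]), prove(levels, 2))
	r5ok = verifyRevision(pub, root, sig, 5, []byte(revs[4]), prove(levels, 4))
	tamperedOK = verifyRevision(pub, root, sig, 3, []byte("r3 altered"), prove(levels, 2))
	// A mirror that rebuilds the tree over altered content gets a root the signature does not cover.
	altered := append([][32]byte{}, leaves...)
	altered[2] = leafHash(3, []byte("r3 altered"))
	evil, evilRoot := buildLevels(altered)
	forgedOK = verifyRevision(pub, evilRoot, sig, 3, []byte("r3 altered"), prove(evil, 2))
	return
}

func main() { fmt.Println(demo()) }
```

Because the check depends only on the public key, it gives the same answer whether the revision arrived over HTTPS, plain HTTP or a cache. It does not show that the signed root is the latest one, so a stale but validly signed root would still verify.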

From owner-freebsd-security@freebsd.org Mon Dec 11 16:34:53 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Christian Weisgerber, freebsd-security@freebsd.org, karl@denninger.net
From: WhiteWinterWolf
Date: Mon, 11 Dec 2017 17:34:48 +0100

Hi,

On 11/12/2017 at 16:08, Christian Weisgerber wrote:
> Do users actually exist who have access to http but not to https?

I don't know about users, but caching is not possible anymore as soon as
you use end-to-end HTTPS.

This is a reason why I personally like software and system updates to be
served through HTTP instead of HTTPS. You don't need to fetch the same
update for each environment each time from the remote vendor's system,
you just need them to be somehow signed by him to ensure their authenticity.

This was just to give an example of why one would prefer to use HTTP
over HTTPS, and how as highlighted by Karl Denninger a system which does
too much may actually be harmful.

When you need signature, then apply signature, don't add encryption,
tunneling, dynamic cipher suites negotiation, session keys exchange and
so on as overhead.

Regards,
Simon.

-- 
WhiteWinterWolf
https://www.whitewinterwolf.com

From owner-freebsd-security@freebsd.org Mon Dec 11 18:08:43 2017
From: Matthew Finkel
Date: Mon, 11 Dec 2017 18:08:39 +0000
To: WhiteWinterWolf
Cc: Christian Weisgerber, freebsd-security@freebsd.org, karl@denninger.net
Subject: Re: http subversion URLs should be discontinued in favor of https URLs

On Mon, Dec 11,
2017 at 05:34:48PM +0100, WhiteWinterWolf wrote:
> Hi,
>
> On 11/12/2017 at 16:08, Christian Weisgerber wrote:
> > Do users actually exist who have access to http but not to https?
>
> I don't know about users, but caching is not possible anymore as soon as
> you use end-to-end HTTPS.

Why must caching be at a MiTM? Why not simply have a subversion mirror on
the same network? It is utterly unacceptable that "caching" is a reason why
encryption is not considered as an option.

>
> This is a reason why I personally like software and system updates to be
> served through HTTP instead of HTTPS. You don't need to fetch the same
> update for each environment each time from the remote vendor's system,
> you just need them to be somehow signed by him to ensure their authenticity.

That's fine, you should have this ability if you understand the
risks/consequences, but this should not be forced on other users.

>
> This was just to give an example of why one would prefer to use HTTP
> over HTTPS, and how as highlighted by Karl Denninger a system which does
> too much may actually be harmful.

I disagree with this. The importance of message confidentiality doesn't
magically disappear because someone is retrieving public information.
The intermediate ISPs do not have the privilege of knowing what an end
user is sending or receiving, we should not give them this information.
They are simply passing along those packets based on aggregated route
summaries, but no one should blindly trust these companies.

The Internet is not a benevolent series of tubes - intentionally
endangering users by not providing a mechanism for cryptographic
authentication and checking data integrity is absolutely unacceptable.
Everyone should have the option of hiding from intermediate parties what
information they are retrieving, verifying the information they
received was not tampered in-transit, and verifying the information they
received was not tampered on-disk prior to transmission. I also advocate
for preventing the tracking of user activities, but at a minimum please
provide message authentication and message confidentiality.

While I find this entire discussion ridiculous, because I can't believe
a software project is actually debating the necessity of secure code
transmission, removing the option of an unauthenticated connection to
the subversion server is not necessary, but imposing this on every user
is completely irresponsible.

>
> When you need signature, then apply signature, don't add encryption,
> tunneling, dynamic cipher suites negotiation, session keys exchange and
> so on as overhead.

Yes, TLS is a bloated protocol and most of it is not necessary, but are
you saying the additional ~100 millisecond latency with its ~5KB
handshake is too much overhead for downloading subversion updates? We
are talking about 7 additional packets. This is not too much, even on a
terrible Internet connection with high packet loss. TLS does not
authenticate the revisions a user downloads, it's remarkable subversion
still does not provide this ability after 16 years.

> Regards,
> Simon.
>
> --
> WhiteWinterWolf
> https://www.whitewinterwolf.com

From owner-freebsd-security@freebsd.org Mon Dec 11 18:18:30 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
From: Karl Denninger
Date: Mon, 11 Dec 2017 12:18:27 -0600

On 12/11/2017 12:08, Matthew Finkel wrote:
> On Mon, Dec 11, 2017 at 05:34:48PM +0100, WhiteWinterWolf wrote:
>
>> This is a reason why I personally like software and system updates to be
>> served through HTTP instead of HTTPS. You don't need to fetch the same
>> update for each environment each time from the remote vendor's system,
>> you just need them to be somehow signed by him to ensure their authenticity.
> That's fine, you should have this ability if you understand the
> risks/consequences, but this should not be forced on other users.

It is NOT forced.  You can use SVN now over http OR https.

>> This was just to give an example of why one would prefer to use HTTP
>> over HTTPS, and how as highlighted by Karl Denninger a system which does
>> too much may actually be harmful.
> I disagree with this. The importance of message confidentiality doesn't
> magically disappear because someone is retrieving public information.

Again, let's target the actual problem.

Advocating the FORCING of https is IMHO utterly ridiculous for the
reasons I pointed out.

Today you CAN use https with svn if you wish.  You are not *forced* to.
There are good reasons not to, including caching.  The problem with not
knowing if what you got is authentic and not tampered with is simply not
resolved by forcing https; it's an out-of-scope hack that fails to
target the actual issue.

A forced election of something that doesn't actually solve the problem
is IMHO a political argument rather than a technical one.  The issue of
potentially-tampered-with source code not only can't be dealt with
correctly through the use of https (at least not with the public CA
infrastructure that "everyone" relies on for "pedestrian" https) there
ARE other means of dealing with it correctly that do not require using
https. That's where attention should be focused.

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

From owner-freebsd-security@freebsd.org Mon Dec 11 18:20:35 2017
From: Matthew Finkel
Date: Mon, 11 Dec 2017 18:20:31 +0000
To: Poul-Henning Kamp
Cc: Yuri, freebsd security, RW, Igor Mozolevsky
Subject: Re: http subversion URLs should be discontinued in favor of https URLs

On Sun, Dec 10, 2017 at 07:57:14PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>, Yuri writes:
>
> >3. The user updated the sources through Tor and got hacked.
> >
> >Where did this user go wrong, or where has he been irresponsible?
>
> He trusted Tor?
>
> In 2006 Steven Murdoch's "Hot or Not" work in TCP timers revealed
> that a LOT of the Tor network is on a longitude compatible with a
> "Bandit of The Beltway" location.

Are you really referencing a paper from 11 years ago specifically about a
hidden service confirmation attack? This is not within Tor's threat model.
Yes, it is a real attack, and yes, this could and should be prevented, but
this says absolutely nothing about the security or "trustworthiness" of the
Tor network or the protection it provides 99% of all users.

>
> If you still, eleven years later, seriously believe that Tor is
> trustworthy, you shouldn't be allowed near any kind of security
> decision.

*head scratch*

Most of the relays are in Europe now, just FYI. Tor is not perfect, but it
offers by far a better method of connecting two machines than using the
Internet alone.

>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Mon Dec 11 19:34:51 2017
Date: Mon, 11 Dec 2017 11:34:45 -0800 (PST)
From: Roger Marquis
To: Karl Denninger
cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor
 of https URLs

Karl Denninger wrote:
> Advocating the FORCING of https is IMHO utterly ridiculous for the
> reasons I pointed out.

This is an important point. Given the differences of opinion noted here
there is no good reason not to allow sites to sync over the protocol of
their choosing. Of course signed datasets would be excellent, as would
verifiable builds, but (also IMO) not good enough to justify forcing of
non-encrypted updates.

> The issue of potentially-tampered-with source code not only can't be dealt
> with correctly through the use of https (at least not with the public CA
> infrastructure that "everyone" relies on for "pedestrian" https) there ARE
> other means of dealing with it correctly that do not require using https.
> That's where attention should be focused.

Would have to disagree with this assertion, at least until it can be
demonstrated that an alternative signature presharing mechanism would be
more secure (than the CA maintained by EFF/LetsEncrypt at least).

IMO,
Roger Marquis

From owner-freebsd-security@freebsd.org Mon Dec 11 21:06:25 2017
To: Matthew Finkel
cc: Yuri, freebsd security, RW, Igor Mozolevsky
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
From: "Poul-Henning Kamp"
Date: Mon, 11 Dec 2017 21:05:58 +0000

--------
In message <20171211182031.jhgansyyw7xrk4il@localhost>, Matthew Finkel writes:

>Most of the relays are in Europe now [...]

Thank goodness nobody shady can rent cloud servers in Europe!

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Mon Dec 11 21:14:07 2017
From: Jamie Landeg-Jones
Date: Mon, 11 Dec 2017 21:14:02 +0000
Organization: Dyslexic Fish
To: michelle@sorbs.net, jmg@funkthat.com
Cc: yuri@rawbw.com, phk@phk.freebsd.dk, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https
URLs References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> <5A2A6985.3070202@sorbs.net> <20171210172127.GD5901@funkthat.com> In-Reply-To: <20171210172127.GD5901@funkthat.com> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (donotpassgo.dyslexicfish.net [104.207.135.49]); Mon, 11 Dec 2017 21:14:05 +0000 (GMT) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Dec 2017 21:14:07 -0000 John-Mark Gurney wrote: > So you're fine w/ all the Comcast users having to switch ISPs? Because > Comcast modifies traffic. So you're now saying that if you use FreeBSD > you can't use Comcast as your ISP? ... or they could use HTTPS, which exists. This thread started with the proposal to remove HTTP, nothing to do with disabling already existing HTTPS solutions. Cheers, J. 
From owner-freebsd-security@freebsd.org Mon Dec 11 21:29:09 2017
From: Jamie Landeg-Jones
Message-Id: <201712112129.vBBLT7tj006260@donotpassgo.dyslexicfish.net>
Date: Mon, 11 Dec 2017 21:29:07 +0000
Organization: Dyslexic Fish
To: phk@phk.freebsd.dk, matthew.finkel@gmail.com
Cc: yuri@rawbw.com, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-Reply-To: <20171208082503.cve4526nkwf7chef@localhost>

Matthew Finkel wrote:

> Why doesn't everyone have that option? Why is broadcasting a user's information
> across the internet forced upon them? Shouldn't they have a choice?

They do! HTTPS already exists!

This thread is about removing HTTP and forcing HTTPS - "Why should
HTTPS be forced upon them? Shouldn't they have a choice?"

:-)

| 21:16 (4) "/tmp" root@lapcat# svn export https://svn.freebsd.org/base/stable/11/usr.bin/fortune
| A fortune
| A fortune/datfiles
|
| [ ... ]
|
| A fortune/tools/Troff.sed
| Exported revision 326782.

Voila! A https delivery of "fortune" ! (Confirmed via tcpdump not to be
using fallback HTTP)

cheers!

From owner-freebsd-security@freebsd.org Mon Dec 11 22:46:45 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: yuri@rawbw.com
Cc: freebsd-security@freebsd.org
From: Yonas Yanfa
Message-ID: <225f2891-dc04-0e38-05bb-b4af9645f663@fizk.net>
Date: Mon, 11 Dec 2017 17:40:50 -0500
In-Reply-To: <201712112129.vBBLT7tj006260@donotpassgo.dyslexicfish.net>

On 12/11/2017 16:29, Jamie Landeg-Jones wrote:
> Matthew Finkel wrote:
>
>> Why doesn't everyone have that option? Why is broadcasting a user's information
>> across the internet forced upon them? Shouldn't they have a choice?
> They do! HTTPS already exists!
>
> This thread is about removing HTTP and forcing HTTPS - "Why should
> HTTPS be forced upon them? Shouldn't they have a choice?"
>
> :-)
>
> | 21:16 (4) "/tmp" root@lapcat# svn export https://svn.freebsd.org/base/stable/11/usr.bin/fortune
> | A fortune
> | A fortune/datfiles
> |
> | [ ... ]
> |
> | A fortune/tools/Troff.sed
> | Exported revision 326782.
>
> Voila! A https delivery of "fortune" ! (Confirmed via tcpdump not to be
> using fallback HTTP)
>
> cheers!

Yuri,

I prefer HTTPS over HTTP as well, but wouldn't switching over to git
and using signed commits be even more secure than using HTTPS?

Yonas

From owner-freebsd-security@freebsd.org Mon Dec 11 23:23:51 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yonas Yanfa
Cc: freebsd-security@freebsd.org
From: Yuri
Date: Mon, 11 Dec 2017 15:23:28 -0800
In-Reply-To: <225f2891-dc04-0e38-05bb-b4af9645f663@fizk.net>

On 12/11/17 14:40, Yonas Yanfa wrote:
> I prefer HTTPS over HTTP as well, but wouldn't switching over to git
> and using signed commits be even more secure than using HTTPS?

So far, nobody pointed out even one security flaw of using https
combined with the private CA. So no, they appear to be equally secure,
with https approach having the advantage of being able to work on the
same infrastructure in virtually the same way.

Yuri

From owner-freebsd-security@freebsd.org Mon Dec 11 23:38:15 2017
From: Matthew Finkel
Date: Mon, 11 Dec 2017 23:38:11 +0000
To: Poul-Henning Kamp
Cc: Yuri, freebsd security, RW, Igor Mozolevsky
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171211233811.po5a6ktev7riytva@localhost>
In-Reply-To: <1401.1513026358@critter.freebsd.dk>

On Mon, Dec 11, 2017 at 09:05:58PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <20171211182031.jhgansyyw7xrk4il@localhost>, Matthew Finkel writes:
>
> >Most of the relays are in Europe now [...]
>
> Thank goodness nobody shady can rent cloud servers in Europe!

I'm glad you have a sense of humor.
From owner-freebsd-security@freebsd.org Tue Dec 12 04:08:33 2017
From: Matthew Finkel
Date: Tue, 12 Dec 2017 04:08:29 +0000
To: Karl Denninger
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171212040829.2nn6etffkcentglm@localhost>
In-Reply-To: <63cb70da-4e6f-af20-af3a-9741afaf03b9@denninger.net>

On Mon, Dec 11, 2017 at 12:18:27PM -0600, Karl Denninger wrote:
>
> On 12/11/2017 12:08, Matthew Finkel wrote:
> > On Mon, Dec 11, 2017 at 05:34:48PM +0100, WhiteWinterWolf wrote:
> >
> >> This is a reason why I personally like software and system updates to be
> >> served through HTTP instead of HTTPS. You don't need to fetch the same
> >> update for each environment each time from the remote vendor's system,
> >> you just need them to be somehow signed by him to ensure their authenticity.
> > That's fine, you should have this ability if you understand the
> > risks/consequences, but this should not be forced on other users.
> It is NOT forced. You can use SVN now over http OR https.

Yes, sorry, my mistake. I saw portsnap only uses http (with signed
snapshots from mirrors), and I misread the website documentation (where
it does specify https for `svn checkout https://[...]`). And no, I
didn't look at the ticket first.

> >> This was just to give an example of why one would prefer to use HTTP
> >> over HTTPS, and how as highlighted by Karl Denninger a system which does
> >> too much may actually be harmful.
> > I disagree with this. The importance of message confidentiality doesn't
> > magically disappear because someone is retrieving public information.
> Again, let's target the actual problem.
>
> Advocating the FORCING of https is IMHO utterly ridiculous for the
> reasons I pointed out.

I understand why some people believe a resource should be available
over http. It makes life easier in many situations. However, Yuri is
correct, serving svn with http over the Internet is dangerous and
should be discontinued. It is too easy for someone to make a mistake
and checkout the ports repo over http (if they type it by hand instead
of copying and pasting it from the handbook). That being said, if users
can checkout the svn repos over an onion service, then the threat of
tampering with the traffic in-transit is mitigated. The simple and
undeniable fact of this matter is users make mistakes.

As it was already mentioned multiple times, the recent trend by
organizations on this topic is disabling access over plaintext HTTP
entirely. It's obvious FreeBSD are unwilling to follow this pattern
based on the presumption "That isn't tenable, far too many people
around the world have limited internet access as it is."[0] Sure.

[0] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224097#c3

>
> Today you CAN use https with svn if you wish. You are not *forced* to.
> There are good reasons not to, including caching. The problem with not
> knowing if what you got is authentic and not tampered with is simply not
> resolved by forcing https; it's an out-of-scope hack that fails to
> target the actual issue.

Correct. TLS accomplishes a different goal, it does not provide any
guarantee about whether the data is authentic. It simply provides
assurance the data was not tampered in transit and it significantly
increases the probability none of the intermediate parties learned what
data was transmitted.

>
> A forced election of something that doesn't actually solve the problem
> is IMHO a political argument rather than a technical one. The issue of
> potentially-tampered-with source code not only can't be dealt with
> correctly through the use of https (at least not with the public CA
> infrastructure that "everyone" relies on for "pedestrian" https) there
> ARE other means of dealing with it correctly that do not require using
> https.

Yes. On the other hand, code authenticity isn't the reason software
projects use TLS. I fully agree another mechanism should be put in
place for this. Whether hacking a Merkle Hash Tree on top of SVN is the
correct decision is an entirely different discussion.

>
> That's where attention should be focused.
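
Added example, not part of the original thread and not FreeBSD or Subversion code: the distinction drawn above between protecting the transport and authenticating the data, shown with a small Merkle hash tree whose root the client pins. It assumes the root hash reaches the client through a separately verified channel (for instance a PGP-signed announcement); the function names and file contents are hypothetical.

```python
"""Merkle-tree manifest check: file authenticity independent of the transport."""
import hashlib
import hmac


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(path: str, content: bytes) -> bytes:
    # 0x00 marks a leaf and 0x01 an interior node (as in RFC 6962), so an
    # interior node can never be presented as a file. The length-prefixed path
    # is bound into the hash so content cannot be moved between files.
    name = path.encode("utf-8")
    return _sha256(b"\x00" + len(name).to_bytes(4, "big") + name + content)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_levels(leaves):
    """Return every tree level, leaves first; an unpaired node moves up as is."""
    if not leaves:
        raise ValueError("cannot build a tree over zero files")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([
            node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
            for i in range(0, len(cur), 2)
        ])
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from leaf `index` up to the root, each with its side."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def publish(files):
    """Project side: return (root, {path: proof}) for a {path: bytes} mapping."""
    paths = sorted(files)
    levels = build_levels([leaf_hash(p, files[p]) for p in paths])
    proofs = {p: inclusion_proof(levels, i) for i, p in enumerate(paths)}
    return levels[-1][0], proofs


def verify_file(path, content, proof, pinned_root):
    """Client side: True only if (path, content) is covered by the pinned root."""
    acc = leaf_hash(path, content)
    for side, sibling in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return hmac.compare_digest(acc, pinned_root)


# Constructed sample tree: only the path fortune/tools/Troff.sed appears in the
# thread; the other paths and all file contents are made up for this example.
SAMPLE_FILES = {
    "fortune/Makefile": b"SUBDIR= fortune strfile datfiles\n",
    "fortune/datfiles/fortunes": b"A constructed fortune.\n%\n",
    "fortune/tools/Troff.sed": b"s/constructed/sample/\n",
}


def demo():
    root, proofs = publish(SAMPLE_FILES)  # the root is the value that gets pinned
    path = "fortune/tools/Troff.sed"
    good = SAMPLE_FILES[path]
    modified = good + b"# changed somewhere between project and client\n"
    return {
        "untouched": verify_file(path, good, proofs[path], root),
        "modified_content": verify_file(path, modified, proofs[path], root),
        "moved_to_other_path": verify_file("fortune/Makefile", good, proofs[path], root),
        "all_files": all(verify_file(p, c, proofs[p], root)
                         for p, c in SAMPLE_FILES.items()),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'REJECTED'}")
```

The check gives the same answer whether the bytes arrived over http, https or a local cache; what it cannot do is tell the client that the pinned root itself is genuine, which is the key-distribution question the thread goes on to argue about.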
From owner-freebsd-security@freebsd.org Tue Dec 12 11:57:51 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E7777E95A5C for ; Tue, 12 Dec 2017 11:57:51 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id A4E1978955 for ; Tue, 12 Dec 2017 11:57:51 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 6B90210135; Tue, 12 Dec 2017 11:57:50 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 5811186274; Tue, 12 Dec 2017 11:56:43 +0000 (UTC) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Michelle Sullivan Cc: Yuri , Igor Mozolevsky , freebsd security Subject: Re: http subversion URLs should be discontinued in favor of https URLs References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com> <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com> <5A2DB9F8.1040301@sorbs.net> Date: Tue, 12 Dec 2017 12:56:43 +0100 In-Reply-To: <5A2DB9F8.1040301@sorbs.net> (Michelle Sullivan's message of "Mon, 11 Dec 2017 09:49:28 +1100") Message-ID: <86h8swgnwk.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only 
posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Dec 2017 11:57:52 -0000 Michelle Sullivan writes: > User gets an email saying his banking details are compromised, and to > update them now. User clicks the link and gives banking details to > phishing site as well as having a keylogger and rootkit installed > during the process. User has bank account hacked. Where did the bank > go wrong? Banks and financial institutions have whole teams working 24/7, usually in cooperation with national authorities, to detect, investigate and shut down phishing campaigns, and to warn customers (either directly or through mass media) of particularly large or well-executed campaigns. In the EU and EEA, banks are liable for losses in excess of =E2=82=AC150 un= less the customer acted =E2=80=9Cwith intent or gross negligence=E2=80=9D, but t= he definition of =E2=80=9Cgross negligence=E2=80=9D is fluid. Legal precedent in Norway = is to hold the customer liable only if the email was =E2=80=9Can obvious forgery=E2=80= =9D, for some definition of =E2=80=9Cobvious=E2=80=9D. TL;DR: yes, banks are held liable for losses attributable to phishing. Source: I do this for a living (although not at a bank). 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Tue Dec 12 12:08:06 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 52195E967B2 for ; Tue, 12 Dec 2017 12:08:06 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 14A49792BA for ; Tue, 12 Dec 2017 12:08:05 +0000 (UTC) (envelope-from des@des.no) Received: from desk.des.no (smtp.des.no [194.63.250.102]) by smtp.des.no (Postfix) with ESMTP id 258DC1019E; Tue, 12 Dec 2017 12:08:05 +0000 (UTC) Received: by desk.des.no (Postfix, from userid 1001) id 181C686277; Tue, 12 Dec 2017 12:06:58 +0000 (UTC) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: "Poul-Henning Kamp" Cc: John-Mark Gurney , Yuri , RW , Michelle Sullivan , Igor Mozolevsky , freebsd security Subject: Re: http subversion URLs should be discontinued in favor of https URLs References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> Date: Tue, 12 Dec 2017 13:06:58 +0100 In-Reply-To: <99305.1512947694@critter.freebsd.dk> (Poul-Henning Kamp's message of "Sun, 10 Dec 2017 23:14:54 +0000") Message-ID: <86d13kgnfh.fsf@desk.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Dec 2017 12:08:06 -0000 
"Poul-Henning Kamp" writes: > The only realistic way for the FreeBSD project to implement end-to-end > trust, is HTTPS with a self-signed cert, distributed and verified > using the projects PGP-trust-mesh and strong social network. Your suggestion does not remove implicit and possibly misplaced trust, it just moves it from one place to another. Instead of trusting a certificate authority and DNS, you trust the source of the public key, and probably also DNS. As always, it boils down to a) key distribution is hard and b) what's your threat model? DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@freebsd.org Tue Dec 12 12:59:56 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6443E97DBA for ; Tue, 12 Dec 2017 12:59:56 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id A32CC7B50A for ; Tue, 12 Dec 2017 12:59:56 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 0AF21273B4; Tue, 12 Dec 2017 12:59:54 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vBCCxcEb079569 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 12 Dec 2017 12:59:38 GMT (envelope-from phk@critter.freebsd.dk) Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vBCCxati079568; Tue, 12 Dec 2017 12:59:36 GMT (envelope-from phk) To: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= cc: John-Mark Gurney , Yuri , RW , Michelle Sullivan , Igor Mozolevsky , freebsd security Subject: Re: http subversion URLs should be discontinued in favor of https URLs In-reply-to: <86d13kgnfh.fsf@desk.des.no> From: "Poul-Henning 
Kamp" References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <79566.1513083576.1@critter.freebsd.dk> Content-Transfer-Encoding: quoted-printable Date: Tue, 12 Dec 2017 12:59:36 +0000 Message-ID: <79567.1513083576@critter.freebsd.dk> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Dec 2017 12:59:57 -0000 -------- In message <86d13kgnfh.fsf@desk.des.no>, =3D?utf-8?Q?Dag-Erling_Sm=3DC3=3D= B8rgrav?=3D w rites: >"Poul-Henning Kamp" writes: >> The only realistic way for the FreeBSD project to implement end-to-end >> trust, is HTTPS with a self-signed cert, distributed and verified >> using the projects PGP-trust-mesh and strong social network. > >Your suggestion does not remove implicit and possibly misplaced trust, >it just moves it from one place to another. Instead of trusting a >certificate authority and DNS, you trust the source of the public key, >and probably also DNS. As always, it boils down to a) key distribution >is hard and b) what's your threat model? I don't think I agree with any of that ? With respect to authenticity of the FreeBSD SVN repo I cannot imagine anybody else being even one percent as qualified and trustworth as the FreeBSD projects own core-team. In particular I would never trust any "In the CA-racket for the money" organization to do so. If you are worried that the FreeBSD project "staff" cannot handle a root-cert competently, then the exposure is no smaller or larger than if it was a CA-signed cert they fumbled. 
Trusting DNS doesn't apply if the project root-cert was
stored on my local machine after I used my best judgement of PGP
signatures to conclude that it was authentic.

And I don't really see distribution of this particular key being
difficult at all: We already PGP sign release checksums for
authenticity and the FreeBSD root-cert is just another file to
get the same treatment.

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Tue Dec 12 14:17:23 2017
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EF5D2E997D9 for ; Tue, 12 Dec 2017 14:17:23 +0000 (UTC) (envelope-from karl@denninger.net)
Received: from colo1.denninger.net (colo1.denninger.net [67.205.158.196]) by mx1.freebsd.org (Postfix) with ESMTP id BFD2C7F478 for ; Tue, 12 Dec 2017 14:17:23 +0000 (UTC) (envelope-from karl@denninger.net)
Received: from denninger.net (ip68-1-57-197.pn.at.cox.net [68.1.57.197]) by colo1.denninger.net (Postfix) with ESMTP id DB6582734B for ; Tue, 12 Dec 2017 09:16:52 -0500 (EST)
Received: from [192.168.10.23] (D13.Denninger.Net [192.168.10.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by denninger.net (Postfix) with ESMTPSA id 02E8312AAAA for ; Tue, 12 Dec 2017 08:16:50 -0600 (CST)
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com>
    <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk>
From: Karl Denninger
Date: Tue, 12 Dec 2017 08:16:48 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <79567.1513083576@critter.freebsd.dk>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-512; boundary="------------ms080409090600020309060703"
X-Content-Filtered-By: Mailman/MimeDel 2.1.25
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 12 Dec 2017 14:17:24 -0000

This is a cryptographically signed message in MIME format.

--------------ms080409090600020309060703
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 12/12/2017 06:59, Poul-Henning Kamp wrote:
> --------
> In message <86d13kgnfh.fsf@desk.des.no>, Dag-Erling Smørgrav writes:
>> "Poul-Henning Kamp" writes:
>>> The only realistic way for the FreeBSD project to implement end-to-end
>>> trust, is HTTPS with a self-signed cert, distributed and verified
>>> using the project's PGP-trust-mesh and strong social network.
>> Your suggestion does not remove implicit and possibly misplaced trust,
>> it just moves it from one place to another. Instead of trusting a
>> certificate authority and DNS, you trust the source of the public key,
>> and probably also DNS. As always, it boils down to a) key distribution
>> is hard and b) what's your threat model?
> I don't think I agree with any of that?
>
> With respect to authenticity of the FreeBSD SVN repo I cannot
> imagine anybody else being even one percent as qualified and
> trustworthy as the FreeBSD project's own core-team.
>
> In particular I would never trust any "In the CA-racket for the
> money" organization to do so.
>
> If you are worried that the FreeBSD project "staff" cannot
> handle a root-cert competently, then the exposure is no
> smaller or larger than if it was a CA-signed cert they fumbled.
>
> Trusting DNS doesn't apply if the project root-cert was
> stored on my local machine after I used my best judgement of PGP
> signatures to conclude that it was authentic.
>
> And I don't really see distribution of this particular key being
> difficult at all: We already PGP sign release checksums for
> authenticity and the FreeBSD root-cert is just another file to
> get the same treatment.
>
> Poul-Henning

Agreed.

Now the question becomes this -- is the proper means to handle this via
TLS (using that root cert) OR should the *transport* be fixed so that
https doesn't need to be used?

I argue the second, because the goal when it comes to source
distributions is ensuring that the code you transfer is bit-wise
identical to the code on the FreeBSD project repositories *which can be
mirrored.*

Attempting to "overload" TLS with this responsibility now requires that
the project take operational and security responsibility for the
integrity of any *mirror* of said code, which is IMHO flatly
unreasonable and thus is simply not going to happen. Otherwise you
can have all the assurance you want that the bits you get are the bits
that were on the disk at the other end, but no assurance at all that the
bits on the disk *are the same as the bits on the FreeBSD project's
machines!*

Solve the problem at the correct location -- either fix svn to sign and
verify updates or dump it for something that can and use that existing
mechanism (e.g.
git)

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

--------------ms080409090600020309060703
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms080409090600020309060703--

From owner-freebsd-security@freebsd.org Tue Dec 12 14:28:27 2017
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D3E4DE9A2CD for ; Tue, 12 Dec 2017 14:28:27 +0000 (UTC) (envelope-from phk@critter.freebsd.dk)
Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 8F8B77FC2B for ; Tue, 12 Dec 2017 14:28:26 +0000 (UTC) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id C74A52736D; Tue, 12 Dec 2017 14:28:24 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vBCES96W026442 (version=TLSv1.2
    cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 12 Dec 2017 14:28:09 GMT (envelope-from phk@critter.freebsd.dk)
Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vBCES886026441; Tue, 12 Dec 2017 14:28:08 GMT (envelope-from phk)
To: Karl Denninger
cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
From: "Poul-Henning Kamp"
References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <26439.1513088888.1@critter.freebsd.dk>
Content-Transfer-Encoding: quoted-printable
Date: Tue, 12 Dec 2017 14:28:08 +0000
Message-ID: <26440.1513088888@critter.freebsd.dk>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 12 Dec 2017 14:28:27 -0000

--------
In message , Karl Denninger writes:

>Now the question becomes this -- is the proper means to handle this via
>TLS (using that root cert) OR should the *transport* be fixed so that
>https doesn't need to be used?

I certainly would caution against inventing more encrypted transports
than we already have.

The only feasible alternative I see is SSH, provided we can persuade
it somehow to not authenticate the client.

If this requires a hacked sshd(8) which just says "welcome" I would
be very worried about it coexisting with an untainted sshd on any
system.

>I argue the second, because the goal when it comes to source
>distributions is ensuring that the code you transfer is bit-wise
>identical to the code on the FreeBSD project repositories *which can be
>mirrored.*

I am personally a very big fan of integrity checks which do not
also encrypt the content with an ephemeral key for exactly that
reason.

Most of the people who try to force everything behind HTTPS don't
even know you can do that.

For the FreeBSD SVN tree, this could almost be as simple as posting
an email, maybe once a week, with the exact revision checked out
and the PGP signed output of:

	svn co ... && find ... -print | sort | xargs cat | sha256

Such an archive would also be invaluable for reauthenticating in
case somebody ever manages to do something evil to our repo.

>Solve the problem at the correct location -- either fix svn to sign and
>verify updates or dump it for something that can and use that existing
>mechanism (e.g. git)

As I mentioned humorously to you in private email, I don't think
this particular problem will reach consensus any sooner if you
are also tangling it in the SVN vs GIT political issue.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

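The weekly signed tree digest proposed in the message above, worked through as an added example (not code from the thread or from the FreeBSD project). `concat_digest` follows the pipeline in the message; `tree_manifest` and `tree_digest` are a variation that also hashes each file's path, so a rename changes the digest. All function names and the sample tree are assumptions made for the illustration, and PGP signing of the published value is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, paths and file
# contents below are constructed for the illustration.

# Hex SHA-256 of stdin, using sha256sum (GNU) or sha256 (FreeBSD).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum
    else
        sha256
    fi | awk '{print $1}'
}

# The pipeline from the message: concatenate every file in sorted path
# order and hash the stream. File names are not part of the hashed data.
concat_digest() {
    ( cd "$1" || exit 1
      find . -name .svn -prune -o -type f -print | LC_ALL=C sort |
          xargs cat | sha256_hex )
}

# Variation: one "digest  path" line per file, sorted by path, so the
# manifest binds each path to its content. Working-copy metadata (.svn)
# is skipped. Paths containing newlines are not supported.
tree_manifest() {
    ( cd "$1" || exit 1
      find . -name .svn -prune -o -type f -print | LC_ALL=C sort |
          while IFS= read -r f; do
              printf '%s  %s\n' "$(sha256_hex < "$f")" "$f"
          done )
}

# Single value to publish, signed, for a given revision.
tree_digest() {
    tree_manifest "$1" | sha256_hex
}

# Returns 0 when the tree at $1 matches the published digest $2.
verify_tree() {
    [ "$(tree_digest "$1")" = "$2" ]
}

# Builds a small constructed tree at $1.
make_sample_tree() {
    mkdir -p "$1/usr.bin/su"
    printf 'int main(void) { return 0; }\n' > "$1/usr.bin/su/su.c"
    printf 'PROG= su\n' > "$1/usr.bin/su/Makefile"
    printf 'sample tree\n' > "$1/README"
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_tree "$work/origin"
    published=$(tree_digest "$work/origin")

    # A faithful mirror verifies no matter which transport delivered it.
    cp -R "$work/origin" "$work/mirror"
    verify_tree "$work/mirror" "$published" && echo "mirror: OK"

    # A mirror whose on-disk copy was altered fails the check, whatever
    # certificate it is served with.
    printf '/* altered */\n' >> "$work/mirror/usr.bin/su/su.c"
    verify_tree "$work/mirror" "$published" || echo "altered mirror: MISMATCH"

    # Rename only: the concatenated stream is unchanged, the manifest is not.
    cp -R "$work/origin" "$work/renamed"
    mv "$work/renamed/README" "$work/renamed/README.orig"
    [ "$(concat_digest "$work/origin")" = "$(concat_digest "$work/renamed")" ] &&
        echo "renamed file: concat digest unchanged"
    verify_tree "$work/renamed" "$published" ||
        echo "renamed file: manifest MISMATCH"

    rm -rf "$work"
}

demo
```

The digest depends only on file paths and contents, so a checkout fetched over http, over https or from a mirror yields the same value when the bits are the same.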
From owner-freebsd-security@freebsd.org Tue Dec 12 14:48:55 2017
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 98EC7E9ADDC for ; Tue, 12 Dec 2017 14:48:55 +0000 (UTC) (envelope-from karl@denninger.net)
Received: from colo1.denninger.net (colo1.denninger.net [67.205.158.196]) by mx1.freebsd.org (Postfix) with ESMTP id 6A0E48081B for ; Tue, 12 Dec 2017 14:48:54 +0000 (UTC) (envelope-from karl@denninger.net)
Received: from denninger.net (ip68-1-57-197.pn.at.cox.net [68.1.57.197]) by colo1.denninger.net (Postfix) with ESMTP id 5F6432734B for ; Tue, 12 Dec 2017 09:48:25 -0500 (EST)
Received: from [192.168.10.23] (D13.Denninger.Net [192.168.10.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by denninger.net (Postfix) with ESMTPSA id 6B88612AB9E for ; Tue, 12 Dec 2017 08:48:23 -0600 (CST)
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk> <26440.1513088888@critter.freebsd.dk>
From: Karl Denninger
Message-ID: <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>
Date: Tue, 12 Dec 2017 08:48:20 -0600
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <26440.1513088888@critter.freebsd.dk>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-512; boundary="------------ms050606020704050002030104"
X-Content-Filtered-By: Mailman/MimeDel 2.1.25
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 12 Dec 2017 14:48:55 -0000

This is a cryptographically signed message in MIME format.

--------------ms050606020704050002030104
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 12/12/2017 08:28, Poul-Henning Kamp wrote:
> --------
> In message , Karl Denninger
> writes:
>
>> Now the question becomes this -- is the proper means to handle this via
>> TLS (using that root cert) OR should the *transport* be fixed so that
>> https doesn't need to be used?
> I certainly would caution against inventing more encrypted transports
> than we already have.
>
> The only feasible alternative I see is SSH, provided we can persuade
> it somehow to not authenticate the client.
>
> If this requires a hacked sshd(8) which just says "welcome" I would
> be very worried about it coexisting with an untainted sshd on any
> system.

I generally disagree with doing this at the transport level *at all*
since it's quite-arguably the wrong place to do it and further it
provides an alleged "verification" you not only don't need but maybe
don't want (e.g. do you CARE if the bits come from the project's server
directly or not? No. You only care that they weren't tampered
with.)

>> I argue the second, because the goal when it comes to source
>> distributions is ensuring that the code you transfer is bit-wise
>> identical to the code on the FreeBSD project repositories *which can be
>> mirrored.*
> I am personally a very big fan of integrity checks which do not
> also encrypt the content with an ephemeral key for exactly that
> reason.
>
> Most of the people who try to force everything behind HTTPS don't
> even know you can do that.
>
> For the FreeBSD SVN tree, this could almost be as simple as posting
> an email, maybe once a week, with the exact revision checked out
> and the PGP signed output of:
>
> 	svn co ... && find ... -print | sort | xargs cat | sha256
>
> Such an archive would also be invaluable for reauthenticating in
> case somebody ever manages to do something evil to our repo.

That's a halfway hack but a pretty easy one.....

>> Solve the problem at the correct location -- either fix svn to sign and
>> verify updates or dump it for something that can and use that existing
>> mechanism (e.g. git)
> As I mentioned humorously to you in private email, I don't think
> this particular problem will reach consensus any sooner if you
> are also tangling it in the SVN vs GIT political issue.

Fair enough but I think my underlying point -- that svn ought to provide
the ability to distribute signed bits, and if it can't then it should
either be wrapped or augmented to do so if possible, and tossed if not,
remains valid.

Offering encrypted transport as an option is good but it fails at
providing the actual attestation you want (that the bits the project
committed and has on its disk are the bits you received and stored on
your disk, unaltered.)

Removing unencrypted transport is thus IMO a net bad as it *claims* to
address this but doesn't. That's bad because you now lead people to
*believe* they have a secure means of tracking the project's bits but
that's factually false.

Specifically if I have a mirror of the svn repo today and I
intentionally corrupt it (e.g. to insert a back door in "su") then I can
have a perfectly-valid TLS/SSL certificate and serve you an exact copy
of the bits on my disk but since I corrupted the bits on the disk you
still get screwed!

Signed commits prohibit this sort of chicanery in that I cannot generate
the project's signature. They thus make possible known-good mirrors
of the code repo that do not have to be under the physical control of
the FreeBSD project. This extends the existing capability to verify
-RELEASE distributions on a mirror to the source, which IMHO is a net
good and thus if we're talking about the context of source distribution
security it is where attention should be focused.

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

--------------ms050606020704050002030104
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms050606020704050002030104--

From owner-freebsd-security@freebsd.org Tue Dec 12 15:19:54 2017
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E4AFBE9BA96 for ; Tue, 12 Dec 2017 15:19:54 +0000 (UTC) (envelope-from phk@critter.freebsd.dk)
Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by
    mx1.freebsd.org (Postfix) with ESMTP id A318F1AC3 for ; Tue, 12 Dec 2017 15:19:54 +0000 (UTC) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 6A92C27376; Tue, 12 Dec 2017 15:19:51 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vBCFJouZ026616 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 12 Dec 2017 15:19:50 GMT (envelope-from phk@critter.freebsd.dk)
Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vBCFJoqF026615; Tue, 12 Dec 2017 15:19:50 GMT (envelope-from phk)
To: Karl Denninger
cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-reply-to: <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>
From: "Poul-Henning Kamp"
References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk> <26440.1513088888@critter.freebsd.dk> <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <26613.1513091990.1@critter.freebsd.dk>
Content-Transfer-Encoding: quoted-printable
Date: Tue, 12 Dec 2017 15:19:50 +0000
Message-ID: <26614.1513091990@critter.freebsd.dk>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 12 Dec 2017 15:19:55 -0000

--------
In message <6fff232c-65c0-34bc-a950-0e79eda025c8@denninger.net>, Karl Denninger writes:

>> As I mentioned humorously to you in private email, I don't think
>> this particular problem will reach consensus any sooner if you
>> are also tangling it in the SVN vs GIT political issue.
>
>Fair enough but I think my underlying point -- that svn ought to provide
>the ability to distribute signed bits, and if it can't then it should
>either be wrapped or augmented to do so if possible, and tossed if not,
>remains valid.

It sure does, but knowing crypto-code and knowing the project's
decision-making process about such things, I see neither adding
that to svn nor replacing svn as feasible this side of 2020.

>Removing unencrypted transport is thus IMO a net bad as it *claims* to
>address this but doesn't. That's bad because you now lead people to
>*believe* they have a secure means of tracking the project's bits but
>that's factually false.

+1

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Tue Dec 12 16:29:48 2017
From: Dag-Erling Smørgrav
To: "Poul-Henning Kamp"
Cc: John-Mark Gurney, Yuri, RW, Michelle Sullivan, Igor Mozolevsky, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 12 Dec 2017 17:28:40 +0100
In-Reply-To: <79567.1513083576@critter.freebsd.dk> (Poul-Henning Kamp's message of "Tue, 12 Dec 2017 12:59:36 +0000")
Message-ID: <864lovhpvr.fsf@desk.des.no>

"Poul-Henning Kamp" writes:
> "Dag-Erling Smørgrav" writes:
> > Your suggestion does not remove implicit and possibly misplaced
> > trust, it just moves it from one place to another. Instead of
> > trusting a certificate authority and DNS, you trust the source of
> > the public key, and probably also DNS. As always, it boils down to
> > a) key distribution is hard and b) what's your threat model?
> I don't think I agree with any of that ?
>
> With respect to authenticity of the FreeBSD SVN repo I cannot imagine
> anybody else being even one percent as qualified and trustworthy as the
> FreeBSD project's own core-team. [...]

Let me rephrase: it's not just the source of the key or certificate, but
the path from that source to you. There is *always* some level of blind
trust, and all your suggestion does is move it from one place to
another.

You trust the certificate because you trust the PGP key that was used to
sign it, but why do you trust the key? Did someone you know personally
vouch for it? Do you trust them? Were they present when the key was
generated, or do they trust it because someone *they* trust told them it
was genuine? Does your trust in whomever gave you the key translate to
those they trust? Is there a bottom to this pit?

The bottom line is, once again, that key distribution is hard, and that
you shouldn't make infosec decisions without having at least a vague
outline of a threat model.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Tue Dec 12 17:05:38 2017
To: Dag-Erling Smørgrav
cc: John-Mark Gurney, Yuri, RW, Michelle Sullivan, Igor Mozolevsky, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-reply-to: <864lovhpvr.fsf@desk.des.no>
From: "Poul-Henning Kamp"
Date: Tue, 12 Dec 2017 17:05:17 +0000
Message-ID: <26908.1513098317@critter.freebsd.dk>

--------
In message <864lovhpvr.fsf@desk.des.no>, Dag-Erling Smørgrav writes:

>Let me rephrase: it's not just the source of the key or certificate, but
>the path from that source to you. There is *always* some level of blind
>trust, and all your suggestion does is move it from one place to
>another.

That is correct, and I don't see any problem in applying the usual
level of trust we use in this project to that cert.

For instance, our core team elections are usually run by some
Norwegian dude who very few committers have actually met in real
life.

But the committers seem to be willing to entrust that task to him
because those of us who have met this Norwegian dude agree that his
zealous pedantry is well suited to running our elections :-)

>The bottom line is, once again, that key distribution is hard, and that
>you shouldn't make infosec decisions without having at least a vague
>outline of a threat model.

Absolutely.

But just to sum up: We are talking about anonymous checkouts of our
source tree, and as far as my analysis goes, we are long past this
point:

	https://www.youtube.com/watch?v=X0bWWtTIPlg

Poul-Henning

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Tue Dec 12 17:22:28 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
From: Jan Bramkamp
Date: Tue, 12 Dec 2017 18:22:19 +0100
In-Reply-To: <26440.1513088888@critter.freebsd.dk>

On 12.12.17 15:28, Poul-Henning Kamp wrote:
> For the FreeBSD SVN tree, this could almost be as simple as posting
> an email, maybe once a week, with the exact revision checked out
> and the PGP signed output of:
>
> 	svn co ... && find ... -print | sort | xargs cat | sha256
>
> Such an archive would also be invaluable for reauthenticating in
> case somebody ever manages to do something evil to our repo.
>
>> Solve the problem at the correct location -- either fix svn to sign and
>> verify updates or dump it for something that can and use that existing
>> mechanism (e.g. git)
>
> As I mentioned humorously to you in private email, I don't think
> this particular problem will reach consensus any sooner if you
> are also tangling it in the SVN vs GIT political issue.

How about an uncompressed tarball signed with signify? It could be
replicated with rsync (or zsync) and getting security patches wouldn't
require lots of network bandwidth.

I still prefer to encrypt every transfer with PFS-only protocols, but even
with transport encryption in place content authentication is still valuable
because it allows the use of caching proxies.

From owner-freebsd-security@freebsd.org Tue Dec 12 18:09:33 2017
From: Bakul Shah
To: "Poul-Henning Kamp"
cc: Karl Denninger, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-reply-to: Your message of "Tue, 12 Dec 2017 14:28:08 +0000." <26440.1513088888@critter.freebsd.dk>
Date: Tue, 12 Dec 2017 10:00:06 -0800
Message-Id: <20171212180021.9F19D156E523@mail.bitblocks.com>

On Tue, 12 Dec 2017 14:28:08 +0000 "Poul-Henning Kamp" wrote:
>
> For the FreeBSD SVN tree, this could almost be as simple as posting
> an email, maybe once a week, with the exact revision checked out
> and the PGP signed output of:
>
> 	svn co ... && find ... -print | sort | xargs cat | sha256
>
> Such an archive would also be invaluable for reauthenticating in
> case somebody ever manages to do something evil to our repo.

Sort of a public ledger. I have a vague memory of some project
*publishing* a crypto fingerprint of a collection of documents
in a well-known newspaper.... I think it was this one:

https://www.technologyreview.com/s/402961/fingerprinting-your-files/

Computing hashes of hashes is also the basis of a secure timestamp
service invented by Stuart Haber and Scott Stornetta while the two
were at Bellcore in 1990. The service, called Surety, makes it
possible to generate a cryptographically secure and unforgeable
proof that a given document, photograph, or other file existed at
a particular time on a particular date and that it hasn't been
changed since.

The Surety technique works by computing a hash tree based on the
hash codes of every document being time-stamped. The root of the
tree is then published in a well-known location -- it could, for
example, be printed in a classified advertisement in the New York
Times. You can prove that your document existed on the day in
question by showing that your document's fingerprint was needed to
generate the fingerprint-of-fingerprints that appeared in the
newspaper.

Nowadays can you even trust NYT?!

From owner-freebsd-security@freebsd.org Tue Dec 12 18:15:32 2017
From: Matthew Finkel
Date: Tue, 12 Dec 2017 18:15:28 +0000
To: Jan Bramkamp
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171212181528.trlevbjkl2aeqgrz@localhost>

On Tue, Dec 12, 2017 at 06:22:19PM +0100, Jan Bramkamp wrote:
>
> On 12.12.17 15:28, Poul-Henning Kamp wrote:
> > For the FreeBSD SVN tree, this could almost be as simple as posting
> > an email, maybe once a week, with the exact revision checked out
> > and the PGP signed output of:
> >
> > 	svn co ... && find ... -print | sort | xargs cat | sha256
> >
> > Such an archive would also be invaluable for reauthenticating in
> > case somebody ever manages to do something evil to our repo.
> >
> > > Solve the problem at the correct location -- either fix svn to sign and
> > > verify updates or dump it for something that can and use that existing
> > > mechanism (e.g. git)
> >
> > As I mentioned humorously to you in private email, I don't think
> > this particular problem will reach consensus any sooner if you
> > are also tangling it in the SVN vs GIT political issue.
>
> How about an uncompressed tarball signed with signify? It could be
> replicated with rsync (or zsync) and getting security patches wouldn't
> require lots of network bandwidth.

Portsnap already provides signed snapshots of the tree from mirrors. The
main problem is checking out the full tree as-is from the subversion
servers.

>
> I still prefer to encrypt every transfer with PFS-only protocols, but even
> with transport encryption in place content authentication is still valuable
> because it allows the use of caching proxies.

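Added example, not part of any message in this thread and not FreeBSD project code: the signed tree digest and the published hash-tree root discussed above, combined in Python. It models the quoted find | sort | xargs cat | sha256 pipeline as one hash over concatenated contents, shows that such a digest does not bind file names or file boundaries, and builds a hash tree over per-file hashes whose root is the value one would sign or publish. File names, contents and function names are constructed for illustration, and C-locale sort order is assumed.

```python
import hashlib
import hmac

# Constructed sample tree (path -> contents); not real FreeBSD sources.
TREE = {
    "bin/cat/cat.c": b"int main(void) { return 0; }\n",
    "bin/ls/ls.c": b"/* ls */\n",
    "sys/kern/init_main.c": b"/* init */\n",
}
# Same bytes overall, but the final newline of cat.c now starts ls.c.
SHIFTED = dict(TREE)
SHIFTED["bin/cat/cat.c"] = TREE["bin/cat/cat.c"][:-1]
SHIFTED["bin/ls/ls.c"] = b"\n" + TREE["bin/ls/ls.c"]


def concat_digest(tree):
    """Model of the quoted pipeline: one SHA-256 over all file contents
    concatenated in sorted path order. Names and boundaries are not hashed."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(tree[path])
    return h.hexdigest()


def leaf_hash(path, data):
    """Per-file leaf: 0x00 tag, length-prefixed path, then contents, so the
    file name and the file boundary are both bound into the hash."""
    name = path.encode("utf-8")
    return hashlib.sha256(
        b"\x00" + len(name).to_bytes(4, "big") + name + data
    ).digest()


def node_hash(left, right):
    """Interior node: the 0x01 tag keeps nodes distinct from leaves."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _levels(leaves):
    """All levels of the hash tree, leaves first, root level last."""
    if not leaves:
        raise ValueError("cannot build a hash tree over zero files")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # unpaired node is promoted unchanged
        levels.append(nxt)
    return levels


def leaves_of(tree):
    """Leaf hashes in sorted path order."""
    return [leaf_hash(p, tree[p]) for p in sorted(tree)]


def tree_root(tree):
    """The single value to sign or publish for this snapshot."""
    return _levels(leaves_of(tree))[-1][0]


def inclusion_proof(leaves, index):
    """Sibling hashes from leaf `index` up to the root, each paired with a
    flag saying whether the sibling sits on the left."""
    proof = []
    for level in _levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling here
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(leaf, proof, root):
    """Recompute the root from one leaf and its proof; compare in constant time."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, root)


if __name__ == "__main__":
    print("concat digest unchanged:", concat_digest(TREE) == concat_digest(SHIFTED))
    print("hash-tree root unchanged:", tree_root(TREE) == tree_root(SHIFTED))
    leaves, root = leaves_of(TREE), tree_root(TREE)
    for i, path in enumerate(sorted(TREE)):
        ok = verify_inclusion(leaves[i], inclusion_proof(leaves, i), root)
        print(path, "proved against root:", ok)
```

A verifier who holds only the authenticated root can check one file with its proof, which is the property the timestamping excerpt describes; checking the whole checkout means recomputing the root locally and comparing.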
From owner-freebsd-security@freebsd.org Tue Dec 12 18:53:01 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Eugene Grosbein, Igor Mozolevsky
Cc: freebsd security, RW
From: Yuri
Message-ID: <0df2f769-3700-0cfd-591e-d8b8906cf4e7@rawbw.com>
Date: Tue, 12 Dec 2017 10:52:56 -0800
In-Reply-To: <5A2D9CEF.9020404@grosbein.net>

On 12/10/17 12:45, Eugene Grosbein wrote:
> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.

No, MITM of https with the private CA isn't possible. Please provide
references if you believe that the opposite is true.

Yuri

From owner-freebsd-security@freebsd.org Tue Dec 12 19:13:15 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Dag-Erling Smørgrav
Cc: Yuri, Igor Mozolevsky, freebsd security
From: Michelle Sullivan
Message-id: <5A3029AC.8040203@sorbs.net>
Date: Wed, 13 Dec 2017 06:10:36 +1100
In-reply-to: <86h8swgnwk.fsf@desk.des.no>

Dag-Erling Smørgrav wrote:
> Michelle Sullivan writes:
>> User gets an email saying his banking details are compromised, and to
>> update them now. User clicks the link and gives banking details to
>> phishing site as well as having a keylogger and rootkit installed
>> during the process. User has bank account hacked. Where did the bank
>> go wrong?
> Banks and financial institutions have whole teams working 24/7

Not outside of Europe (and those that do are not large.)

> , usually
> in cooperation with national authorities, to detect, investigate and
> shut down phishing campaigns, and to warn customers (either directly or
> through mass media) of particularly large or well-executed campaigns.

No.

> In the EU and EEA, banks are liable for losses in excess of €150 unless
> the customer acted “with intent or gross negligence”, but the definition
> of “gross negligence” is fluid. Legal precedent in Norway is to hold
> the customer liable only if the email was “an obvious forgery”, for some
> definition of “obvious”.

Maybe that will change stuff.

> TL;DR: yes, banks are held liable for losses attributable to phishing.

No, and I can tell you I had a discussion with some un-named bank (but
very well known, very very very well known) online security managers and
I said to them, hold the users responsible for 419 type spams. The
response was a resounding 'no', and not because of regulation, but
purely because they were worried about losing market share to other
banks through bad publicity!

>
> Source: I do this for a living (although not at a bank).
>
> DES

So do I, have been in the business I am since 2000, and a lot of what I
do and who for I can't even mention. What I can tell you is I built
SORBS, I still run SORBS and I still work closely with LEOs and Banks
(amongst others) dealing with online security for the company that now
owns SORBS.

This is getting way off-topic though. The topic is about forcing the
use of https over http in the name of 'securing' an inherently insecure
and compromised network, in the name of privacy for a couple of people.
Wrong solution, for the wrong reasons; svn over https is already
available, and those people that believe it gives security should use it
and get out of other people's business. If they really want to make an
impact on the perceived problem they should target the malicious actors
and the use of Tor as a pseudo secure platform (i.e. the few that would
use http over Tor for downloading source that don't know the dangers
should probably learn or not use Tor in the first place!)

Regards,

Michelle

From owner-freebsd-security@freebsd.org Tue Dec 12 19:56:13 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, Igor Mozolevsky
Cc: freebsd security, RW
From: Eugene Grosbein
Message-ID: <5A303453.9050705@grosbein.net>
Date: Wed, 13 Dec 2017 02:56:03 +0700
In-Reply-To: <0df2f769-3700-0cfd-591e-d8b8906cf4e7@rawbw.com>

On 13.12.2017 01:52, Yuri wrote:
> On 12/10/17 12:45, Eugene Grosbein wrote:
>> No, they don't. You get into MITM and then you have a choice: ignore and run your connection anyway
>> or have no connectivity at all (using this channel). Both are bad, so don't use such a channel from the beginning.
>
>
> No, MITM of https with the private CA isn't possible. Please provide
> references if you believe that the opposite is true.

https://wiki.squid-cache.org/Features/SslPeekAndSplice

You either ignore MITM and proceed with the connection anyway or have no connectivity via this channel at all.


From owner-freebsd-security@freebsd.org Wed Dec 13 00:13:57 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Eugene Grosbein, Igor Mozolevsky
Cc: freebsd security, RW
From: Yuri
Message-ID: <6c9d028c-ac1c-3fc6-8ea2-7ee22c7ffbe8@rawbw.com>
Date: Tue, 12 Dec 2017 16:13:48 -0800
In-Reply-To: <5A303453.9050705@grosbein.net>

On 12/12/17 11:56, Eugene Grosbein wrote:

> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> You either ignore MITM and proceed with connection anyway or have no connectivity via this channel at all.

When the user sees that SSL/TLS is stripped, this isn't a vulnerability
of the protocol. User can make a choice to use such connection anyway.
There are command line options like this for some commands, and the
choice in the browser.

Compare this with https using compromised by government CA, when the
user doesn't have any way of knowing about MITM. So https+private CA
stands secure.

Yuri

From owner-freebsd-security@freebsd.org Wed Dec 13 00:37:17 2017
From: Peter Wemm
To: freebsd-security@freebsd.org
Cc: Yuri, Eugene Grosbein, Igor Mozolevsky, RW
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 12 Dec 2017 16:37:05 -0800
Message-ID: <3138231.uiVPfnS2VB@overcee.wemm.org>
In-Reply-To: <6c9d028c-ac1c-3fc6-8ea2-7ee22c7ffbe8@rawbw.com>

On Tuesday, December 12, 2017 04:13:48 PM Yuri wrote:
> On 12/12/17 11:56, Eugene Grosbein wrote:
> > https://wiki.squid-cache.org/Features/SslPeekAndSplice
> >
> > You either ignore MITM and proceed with connection anyway or have no
> > connectivity via this channel at all.
> When the user sees that SSL/TLS is stripped, this isn't a vulnerability
> of the protocol. User can make a choice to use such connection anyway.
> There are command line options like this for some commands, and the
> choice in the browser.
>
> Compare this with https using compromised by government CA, when the
> user doesn't have any way of knowing about MITM. So https+private CA
> stands secure.

I think you're missing the point. It is a sad reality that SSL/TLS corporate
(and ISP) MITM exists and is enforced on a larger scale than we'd like. But
it is there, and when mandated/enforced you have to go through the MITM
appliance, or not connect at all. Private CA's generally break those
appliances - an unfortunate FreeBSD user in this situation is cut off. How is
this better?

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV
UTF-8: for when a ' or ... just won\342\200\231t do\342\200\246

From owner-freebsd-security@freebsd.org Wed Dec 13 01:38:12 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Peter Wemm, freebsd-security@freebsd.org
Cc: RW, Igor Mozolevsky
From: Yuri
Date: Tue, 12 Dec 2017 17:38:08 -0800
In-Reply-To: <3138231.uiVPfnS2VB@overcee.wemm.org>

On 12/12/17 16:37, Peter Wemm wrote:
> I think you're missing the point. It is a sad reality that SSL/TLS corporate
> (and ISP) MITM exists and is enforced on a larger scale than we'd like. But
> it is there, and when mandated/enforced you have to go through the MITM
> appliance, or not connect at all. Private CA's generally break those
> appliances - an unfortunate FreeBSD user in this situation is cut off. How is
> this better?

This is certainly better for users because it informs the user. Now he
has a choice to use a special override key to use MITMed https anyway or
refuse, vs. with http he is not informed.

Yuri

From owner-freebsd-security@freebsd.org Wed Dec 13 07:27:00 2017
From: Dag-Erling Smørgrav
To: Michelle Sullivan
Cc: Yuri, Igor Mozolevsky, freebsd security
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Wed, 13 Dec 2017 08:25:50 +0100
In-Reply-To: <5A3029AC.8040203@sorbs.net> (Michelle Sullivan's message of "Wed, 13 Dec 2017 06:10:36 +1100")
Message-ID: <86zi6nf5s1.fsf@desk.des.no>

Michelle Sullivan writes:
> Dag-Erling Smørgrav writes:
> > Banks and financial institutions have whole teams working 24/7 [...]
> No.

I was describing a fact, not opining or speculating. I know these
people, I talk to them regularly and meet with them at industry events.
Sorry to hear you're not part of the club — that doesn't mean the club
doesn't exist.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Wed Dec 13 09:02:38 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Dag-Erling Smørgrav
Cc: Yuri, Igor Mozolevsky, freebsd security
From: Michelle Sullivan
Message-id: <5A30EC23.2000504@sorbs.net>
Date: Wed, 13 Dec 2017 20:00:19 +1100
In-reply-to: <86zi6nf5s1.fsf@desk.des.no>

Dag-Erling Smørgrav wrote:
> Michelle Sullivan writes:
>> Dag-Erling Smørgrav writes:
>>> Banks and financial institutions have whole teams working 24/7 [...]
>> No.
> I was describing a fact, not opining or speculating.

So was I.

> I know these
> people, I talk to them regularly and meet with them at industry events.

I literally cannot tell you what I do for/with them, it would be a
breach of contract but if you look closely at some of the larger
(non-European) banks, you might spot a clue or three.

> Sorry to hear you're not part of the club — that doesn't mean the club
> doesn't exist.

Absolutely true that.

I'm not going to say any more on this subject because it is so tempting
for me to say something which could put me in a position that could call
into question my employment. Suffice it to say you might be right for
Europe, but you should not dismiss my words about parts of the industry
that you don't know about.

Regards,

Michelle

From owner-freebsd-security@freebsd.org Wed Dec 13 11:29:07 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri
Cc: freebsd security, RW
From: Eugene Grosbein
Message-ID: <5A310EED.9000907@grosbein.net>
Date: Wed, 13 Dec 2017 18:28:45 +0700
In-Reply-To: <6c9d028c-ac1c-3fc6-8ea2-7ee22c7ffbe8@rawbw.com>

13.12.2017 7:13, Yuri wrote:

> On 12/12/17 11:56, Eugene Grosbein wrote:
>> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> You either ignore MITM and proceed with connection anyway or have no connectivity via this channel at all.
>
>
> When the user sees that SSL/TLS is stripped, this isn't a vulnerability of the protocol.

I never said it is a vulnerability.

From owner-freebsd-security@freebsd.org Wed Dec 13 21:29:28 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yuri, freebsd-security@freebsd.org
Cc: RW, Igor Mozolevsky
From: Peter Wemm
Message-ID: <34c748a4-acc5-f80b-29b7-7554389fa44c@wemm.org>
Date: Wed, 13 Dec 2017 13:29:26 -0800

On 12/12/17 5:38 PM, Yuri wrote:
> On 12/12/17 16:37, Peter Wemm wrote:
>> I think you're missing the point. It is a sad reality that SSL/TLS
>> corporate
>> (and ISP) MITM exists and is enforced on a larger scale than we'd like. But
>> it is there, and when mandated/enforced you have to go through the MITM
>> appliance, or not connect at all. Private CA's generally break those
>> appliances - an unfortunate FreeBSD user in this situation is cut off.
>> How is
>> this better?
>
>
> This is certainly better for users because it informs the user. Now he has
> a choice to use a special override key to use MITMed https anyway or
> refuse, vs. with http he is not informed.

You misunderstand the problem.

A well-behaving corporate with TLS MITM will *block* connections to the
freebsd-ca signed services as they will fail its validation.

The user is left with:
* can't connect on 443 (proxy blocks failed validations), or
* can't connect on 80 (because you don't like people having options).
.. which leads to stop using FreeBSD.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com; KI6FJV

From owner-freebsd-security@freebsd.org Fri Dec 15 05:04:34 2017
Date: Thu, 14 Dec 2017 21:04:30 -0800
From: Gordon Tetlow
To: Peter Wemm
Cc: Yuri, freebsd-security@freebsd.org, RW, Igor Mozolevsky
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171215050430.GT9701@gmail.com>
In-Reply-To: <34c748a4-acc5-f80b-29b7-7554389fa44c@wemm.org>

On Wed, Dec 13, 2017 at 01:29:26PM -0800, Peter Wemm wrote:
> On 12/12/17 5:38 PM, Yuri wrote:
> > On 12/12/17 16:37, Peter Wemm wrote:
> >> I think you're missing the point. It is a sad reality that SSL/TLS
> >> corporate
> >> (and ISP) MITM exists and is enforced on a larger scale than we'd like. But
> >> it is there, and when mandated/enforced you have to go through the MITM
> >> appliance, or not connect at all. Private CA's generally break those
> >> appliances - an unfortunate FreeBSD user in this situation is cut off.
> >> How is
> >> this better?
> >
> >
> > This is certainly better for users because it informs the user. Now he has
> > a choice to use a special override key to use MITMed https anyway or
> > refuse, vs. with http he is not informed.
>
> You misunderstand the problem.
>
> A well-behaving corporate with TLS MITM will *block* connections to the
> freebsd-ca signed services as they will fail its validation.
>
> The user is left with:
> * can't connect on 443 (proxy blocks failed validations), or
> * can't connect on 80 (because you don't like people having options).
> .. which leads to stop using FreeBSD.

I'm going to put my SO hat on here for a second, put on the flame
retardant suit, and make the following statement:

I want to move the default for svn to be HTTPS. This would mean setting
up a redirect on http://svn.freebsd.org -> https://svn.freebsd.org. For
those people that are unable (for whatever reason) to use HTTPS, we can
make a vhost they are able to use HTTP on. I would suggest something
like: http://i-love-waffles-and-svn-over-http.freebsd.org. (Waffles are
awesome.)

The CA for this HTTPS server should be the standard publicly trusted CA
we use for everything (Let's Encrypt). We can debate the brokenness of the
current CA system (and I completely agree there is a ton of brokenness
there), but it is the system we have today. We should follow industry
best practice here.

Running a Root CA brings a huge amount of baggage and we are not mature
enough in policy to build in a manner that would align with established
practice for running a Root CA.

Gordon

From owner-freebsd-security@freebsd.org Fri Dec 15 06:10:20 2017
From: Jamie Landeg-Jones
Message-Id: <201712150610.vBF6AIL0073738@donotpassgo.dyslexicfish.net>
Date: Fri, 15 Dec 2017 06:10:18 +0000
To: gordon@tetlows.org
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-Reply-To: <20171215050430.GT9701@gmail.com>

Gordon Tetlow wrote:

> I want to move the default for svn to be HTTPS. This would mean setting
> up a redirect on http://svn.freebsd.org -> https://svn.freebsd.org. For

Blimey! You're either very brave, or haven't read the thread fully! :-)

From owner-freebsd-security@freebsd.org Fri Dec 15 08:40:02 2017
To: Gordon Tetlow
cc: Peter Wemm, Yuri, RW, Igor Mozolevsky, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-reply-to: <20171215050430.GT9701@gmail.com>
From: "Poul-Henning Kamp"
Date: Fri, 15 Dec 2017 08:39:34 +0000
Message-ID: <43607.1513327174@critter.freebsd.dk>

--------
In message <20171215050430.GT9701@gmail.com>, Gordon Tetlow writes:

>Running a Root CA brings a huge amount of baggage and we are not mature
>enough in policy to build in a manner that would align with established
>practice for running a Root CA.

Since we would not be protecting People Who Can Sue Us For Big Damages
data, we wouldn't need to run a Root CA to that practice, which is
mostly about Blame Allocation and very little about actual security.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Fri Dec 15 15:01:15 2017
Message-Id: <201712151501.vBFF12ZL049067@slippy.cwsent.com>
Reply-to: Cy Schubert
From: Cy Schubert
To: Jamie Landeg-Jones
cc: gordon@tetlows.org, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-Reply-To: Message from Jamie Landeg-Jones of "Fri, 15 Dec 2017 06:10:18 +0000." <201712150610.vBF6AIL0073738@donotpassgo.dyslexicfish.net>
Date: Fri, 15 Dec 2017 07:01:01 -0800

In message <201712150610.vBF6AIL0073738@donotpassgo.dyslexicfish.net>, Jamie Landeg-Jones writes:
> Gordon Tetlow wrote:
>
> > I want to move the default for svn to be HTTPS. This would mean setting
> > up a redirect on http://svn.freebsd.org -> https://svn.freebsd.org. For
>
> Blimey! You're either very brave, or haven't read the thread fully! :-)

This discussion reminds me of some of my clients in which telnet,
telnetd, ftp, and ftpd are not installed without departmental SO and CIO
approval.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.
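
The certificate checks argued over in the messages above (Yuri's "https+private CA informs the user" and Peter Wemm's "the proxy blocks failed validations"), as an added example that is not part of any message in this thread: it shows which party accepts or rejects which certificate chain. The host name, the three CA names and the choice of the `openssl` command line are assumptions of the example, and every key and certificate is constructed locally.

```shell
#!/bin/sh
# Added example: every CA, key and certificate here is constructed locally.
# Host and CA names are placeholders, not FreeBSD infrastructure.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=svn.example.test            # placeholder origin host name

# Minimal OpenSSL config so the CA certificates carry CA:TRUE regardless of
# what the system-wide openssl.cnf contains.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed CA certificate $WORK/NAME.crt with key NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CERT CA: certificate $WORK/CERT.crt for $HOST, signed by CA
issue() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$HOST" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -days 2 \
        -out "$WORK/$1.crt" 2>/dev/null
}

# trusts CA CERT: succeeds only if CERT chains to CA. The constructed CAs are
# in no system trust store, so only the CA named here can anchor the chain.
trusts() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null |
        grep -q ': OK$'
}

# verdict CA CERT: prints "accept" or "reject" for a party that trusts only CA
verdict() {
    if trusts "$1" "$2"; then echo accept; else echo reject; fi
}

make_ca private_ca    # the project-run CA proposed in the thread
make_ca public_ca     # stands in for a publicly trusted CA
make_ca proxy_ca      # the interception appliance's own CA

issue origin_private  private_ca   # origin server under the private CA
issue origin_public   public_ca    # origin server under a public CA
issue origin_resigned proxy_ca     # what a client behind the appliance is shown

row() { printf '%-58s %s\n' "$1" "$(verdict "$2" "$3")"; }

# Yuri's point: a client pinned to the private CA notices the substitution.
row "client trusting private CA, direct connection:"   private_ca origin_private
row "client trusting private CA, behind the appliance:" private_ca origin_resigned

# Peter Wemm's point: the appliance validates upstream against public CAs,
# so the private-CA origin fails and the connection is blocked.
row "appliance trusting public CA, private-CA origin:" public_ca origin_private
row "appliance trusting public CA, public-CA origin:"  public_ca origin_public

# A managed client that has the appliance CA installed accepts silently.
row "client trusting appliance CA, behind the appliance:" proxy_ca origin_resigned
```

Rows two and three are the two halves of the disagreement: the same validation failure that informs a pinned client also makes a validating appliance refuse the upstream connection.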