From owner-freebsd-security@freebsd.org Tue Dec 5 20:59:27 2017
From: Yuri
To: freebsd-security@freebsd.org
Subject: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 5 Dec 2017 12:59:25 -0800
Message-ID: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>

I suggested this PR, but it got rejected:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224097

http is insecure in its nature, and is an easy target for MITM. This is why https should be preferred. http needs to be discontinued and shut down because as long as it exists somebody will keep using it and will be in danger.

A few years ago Wikimedia Foundation switched to https and discontinued http entirely:
https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https

I think this makes a lot of sense, and FreeBSD should do the same.

It's understood that a lot of arguments can be made for and against this, like with any other issue, but the security argument should outweigh most or all other arguments.

Regards,
Yuri

From owner-freebsd-security@freebsd.org Tue Dec 5 21:05:14 2017
From: Eugene Grosbein
To: Yuri, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Wed, 6 Dec 2017 04:04:54 +0700
Message-ID: <5A2709F6.8030106@grosbein.net>
In-Reply-To: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>

06.12.2017 3:59, Yuri wrote:

> It's understood that a lot of arguments can be made for and against this,
> like with any other issue, but the security argument should outweigh most or all other arguments.

It is an illusion that https is more secure than unencrypted http in a sense of MITM just because of encryption, it is not.
From owner-freebsd-security@freebsd.org Tue Dec 5 21:13:27 2017
From: Yuri
To: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 5 Dec 2017 13:13:25 -0800
Message-ID: <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com>
In-Reply-To: <5A2709F6.8030106@grosbein.net>

On 12/05/17 13:04, Eugene Grosbein wrote:
> It is an illusion that https is more secure than unencrypted http in a sense of MITM
> just because of encryption, it is not.

It *is* more secure. In order to break it, you have to have compromised https authorities. Some state actors have plausibly done this. http, on the contrary, can be altered by anybody who has access to the wire, which is generally a much wider set.

Yuri

From owner-freebsd-security@freebsd.org Tue Dec 5 21:56:54 2017
From: Dewayne Geraghty
To: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Wed, 6 Dec 2017 08:55:00 +1100
Message-ID: <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au>
In-Reply-To: <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com>

On 6/12/2017 8:13 AM, Yuri wrote:
> On 12/05/17 13:04, Eugene Grosbein wrote:
>> It is an illusion that https is more secure than unencrypted http in a
>> sense of MITM
>> just because of encryption, it is not.
>
>
> It *is* more secure. In order to break it, you have to have
> compromised https authorities. Some state actors have plausibly done
> this. http, on the contrary, can be altered by anybody who has access
> to the wire, which is generally a much wider set.
>
>
> Yuri

Yuri,
It can be illusory. My last job was as Sec Mgr for a large bank. They disabled cert checking on client devices, placed a wildcard cert at the internet boundary and captured all https unencrypted. An alternative approach to advocate is dnssec. :)

You also need to ensure integrity, to ensure that the numbers are flipped in transit... ;)

From owner-freebsd-security@freebsd.org Tue Dec 5 22:08:53 2017
From: Gordon Tetlow
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 5 Dec 2017 14:08:49 -0800
Message-ID: <20171205220849.GH9701@gmail.com>
In-Reply-To: <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au>

On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is an illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> >
> > It *is* more secure. In order to break it, you have to have
> > compromised https authorities. Some state actors have plausibly done
> > this. http, on the contrary, can be altered by anybody who has access
> > to the wire, which is generally a much wider set.
> >
> >
> > Yuri
>
> Yuri,
> It can be illusory. My last job was as Sec Mgr for a large bank. They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted. An alternative
> approach to advocate is dnssec. :)

That's a specific decision made by a business as to how they are going to run their end-points. We can never help in that scenario.

Using this as a reason to not move to HTTPS is a fallacy. We should do everything we can to help our end-users get FreeBSD in the most secure way.

Regards,
Gordon

From owner-freebsd-security@freebsd.org Tue Dec 5 22:26:08 2017
From: Yonas Yanfa
To: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 5 Dec 2017 17:19:51 -0500
Message-ID: <35656451-afff-7e56-ea9b-1f9658101255@fizk.net>
In-Reply-To: <20171205220849.GH9701@gmail.com>

On 12/05/2017 17:08, Gordon Tetlow wrote:
> On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
>> On 6/12/2017 8:13 AM, Yuri wrote:
>>> On 12/05/17 13:04, Eugene Grosbein wrote:
>>>> It is an illusion that https is more secure than unencrypted http in a
>>>> sense of MITM
>>>> just because of encryption, it is not.
>>>
>>> It *is* more secure. In order to break it, you have to have
>>> compromised https authorities. Some state actors have plausibly done
>>> this. http, on the contrary, can be altered by anybody who has access
>>> to the wire, which is generally a much wider set.
>>>
>>>
>>> Yuri
>> Yuri,
>> It can be illusory. My last job was as Sec Mgr for a large bank. They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted. An alternative
>> approach to advocate is dnssec. :)
> That's a specific decision made by a business as to how they are going
> to run their end-points. We can never help in that scenario.
>
> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.
>
> Regards,
> Gordon

I wholeheartedly agree with Gordon. Let's do more, not less.

I believe it was fallacies like this that misled many websites, including freebsd.org, to remain in HTTP for far too long.

Cheers,
--
Yonas Yanfa
In Love With Open Source
Drupal :: GitHub :: Mozilla
fizk.net | yonas@fizk.net

From owner-freebsd-security@freebsd.org Tue Dec 5 22:44:02 2017
From: "Poul-Henning Kamp"
To: Gordon Tetlow
Cc: Dewayne Geraghty, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 05 Dec 2017 22:43:56 +0000
Message-ID: <24153.1512513836@critter.freebsd.dk>
In-Reply-To: <20171205220849.GH9701@gmail.com>

--------
In message <20171205220849.GH9701@gmail.com>, Gordon Tetlow writes:

>Using this as a reason to not move to HTTPS is a fallacy. We should do
>everything we can to help our end-users get FreeBSD in the most secure
>way.

The vastly oversold "security" of HTTPS is entirely borrowed from a confederation of root-CA's which no non-deluded person can ever seriously trust.

Only if you trust *everybody* on this list, is HTTPS "secure":

	grep '^ *Subject:' /usr/local/share/certs/ca-root-nss.crt

And as if that delusion wasn't bad enough, the misguided and simple-minded IT-liberalistic "Encrypt everything" campaign is, 100% as predicted, pushing governments to neuter encryption in order to keep the court systems working.

"IETF and what army?"

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@freebsd.org Tue Dec 5 23:07:03 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 23B6FE86132 for ; Tue, 5 Dec 2017 23:07:03 +0000 (UTC) (envelope-from yuri@rawbw.com) Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42]) by mx1.freebsd.org (Postfix) with ESMTP id 0F8107756E for ; Tue, 5 Dec 2017 23:07:02 +0000 (UTC) (envelope-from yuri@rawbw.com) Received: from yv.noip.me (c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56]) (authenticated bits=0) by shell1.rawbw.com (8.15.1/8.15.1) with ESMTPSA id vB5N70fu040456 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 5 Dec 2017 15:07:01 -0800 (PST) (envelope-from yuri@rawbw.com) X-Authentication-Warning: shell1.rawbw.com: Host c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56] claimed to be yv.noip.me Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Poul-Henning Kamp , Gordon Tetlow Cc: freebsd-security@freebsd.org, Dewayne Geraghty References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> From: Yuri Message-ID: <1294e5c4-9554-b9f5-8ea9-13aca5411e9a@rawbw.com> Date: Tue, 5 Dec 2017 15:06:59 -0800 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <24153.1512513836@critter.freebsd.dk> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Tue, 05 Dec 2017 23:07:03 -0000 On 12/05/17 14:43, Poul-Henning Kamp wrote: > The vastly oversold "security" of HTTPS is entirely borrowed from > a confederation of root-CA's which no non-deluded person can ever > seriously trust. Your argument goes like this: https potentially suffers from some vulnerabilities too, so we better dismiss it and go with the weakest solution. Sorry, but this doesn't make any sense. Yuri From owner-freebsd-security@freebsd.org Tue Dec 5 23:18:26 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 056D9E865FC for ; Tue, 5 Dec 2017 23:18:26 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: from mail-pf0-x22d.google.com (mail-pf0-x22d.google.com [IPv6:2607:f8b0:400e:c00::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C593477C79 for ; Tue, 5 Dec 2017 23:18:25 +0000 (UTC) (envelope-from gordon@tetlows.org) Received: by mail-pf0-x22d.google.com with SMTP id c204so1313071pfc.13 for ; Tue, 05 Dec 2017 15:18:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tetlows.org; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hUDDJ+NBG5OXkBgZQGNZlNEJAmq+dnMvrP+KX5viRA4=; b=ct/c3iH1BeBP+wLcqW2xkpDHWUCbWDhjkjtb7WFtLOYoas4KHzVscpzAQtu8nzxb0L eu+sqw+TGBNAxGKwH7rTgXN1yDPYimdfny9zV998QSa6mXwa7moFyd+uqyxR7+X+11X3 aX5E1fPGV0JD8GyB5B1+5KQtZH9smF4quqP6k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=hUDDJ+NBG5OXkBgZQGNZlNEJAmq+dnMvrP+KX5viRA4=; 
b=D4wpho5/1CDuC2BojZAlD8HnYsrprP2hYc+FOHQL9MKYi1TXg5Y7qZx9vJXSzWkLZz lsD15HJPzM8iE+KyUM+916A/MnLNSlrh3Zi3H8YFc0w2ybwbBw9QZ7LMY7GtDfj3+1ep KAzSzZMQv2aQky2ULSDZZ2Z4ntU27EP/s8nP0t7jS1swpi+LPUhfHGfnp96kkdeEsMx3 +6iZ8TBRYuDweQcVb73esI2mgfTZMZI/2VBSXeyZQ7wDmhO2awyob7rKGx5lSybr5mKe ynVZVqp0yAy00wfivz53CK3BOrTQuXrsHxAu7os2hvwvrxu2PWsyiXEvZ2lHiDXiQ2/G 5n4g== X-Gm-Message-State: AJaThX54a3MtZAroaAw8E2zc2VnWXY1iAaPXqFmqkQ57a8McKJLI1cUE hbheoeNyoOS1oAW4bjPF845yoCkKth+1 X-Google-Smtp-Source: AGs4zMYTVQUWFtXkAXvswuuKWtoDM68XxqhOx+xAXdpoGG2BKOd5xCYFBz7X/jroaxCBaoDHgEg6cg== X-Received: by 10.99.103.70 with SMTP id b67mr19272944pgc.211.1512515904964; Tue, 05 Dec 2017 15:18:24 -0800 (PST) Received: from ?IPv6:2600:380:4b61:3528:68c4:bb77:78eb:79ff? ([2600:380:4b61:3528:68c4:bb77:78eb:79ff]) by smtp.gmail.com with ESMTPSA id d2sm1552216pfe.164.2017.12.05.15.18.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Dec 2017 15:18:24 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: http subversion URLs should be discontinued in favor of https URLs From: Gordon Tetlow X-Mailer: iPhone Mail (15B202) In-Reply-To: <24153.1512513836@critter.freebsd.dk> Date: Tue, 5 Dec 2017 15:18:21 -0800 Cc: Dewayne Geraghty , freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> To: Poul-Henning Kamp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Dec 2017 23:18:26 -0000 > On Dec 5, 2017, at 14:43, 
Poul-Henning Kamp wrote: >=20 > -------- > In message <20171205220849.GH9701@gmail.com>, Gordon Tetlow writes: >=20 >> Using this as a reason to not move to HTTPS is a fallacy. We should do >> everything we can to help our end-users get FreeBSD in the most secure >> way. >=20 > The vastly oversold "security" of HTTPS is entirely borrowed from > a confederation of root-CA's which no non-deluded person can ever > seriously trust. Assertion of identity and encryption in transit are separate issues. I do ag= ree that identity is fundamentally broken with the existing CA system. I=E2=80= =99m more interested in preventing tampering of data in transit. HTTPS is an= easy way to do that. Gordon= From owner-freebsd-security@freebsd.org Tue Dec 5 23:18:52 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4C239E86666 for ; Tue, 5 Dec 2017 23:18:52 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id CD2A877D74 for ; Tue, 5 Dec 2017 23:18:51 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: by mail-wm0-x22f.google.com with SMTP id l141so4232844wmg.1 for ; Tue, 05 Dec 2017 15:18:51 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=XEtQJGHy3aISKIErMKXp78+p+yYAwzv72ACvM7TXJpY=; b=FW6yB6TD8yFLpbYiGw9kr9WmuPcqDBQeRYTjeLnigZhxEoqOifSl83LKcx9IFevJSs pVIzJzQiHwsPj9HBKIjEObTvamNtAV8PoJHk425gBOi3kEdVoM+IOvqi27dtUQHlIbhV 
U/3QkcE3z5lWusMWvAIDf7LHyeGej4a8DGakhJXXDb2VPKz5ZQKsA1yBxj/za8nFrbu4 20WWpU0Lwc0fQqKQ/VkrkRrOhpYLacKKE3l5Ba0d+8IePakk/A6UweRv39jUE29Tj8mt 5GFr2smtqfKBtD6CoD8cDmY6xZ/Zo/aNOGlnQr9VlD8w4d5PL7yWJljC3g2T1YRNxcpC XctQ== X-Gm-Message-State: AKGB3mLMefoK5GArd6mvtOBBvCPt0ObTGb4h2gQkpwabNyIymz7cMICN +vH0GHiJg9SuAKp64BrQ+nZS+Q== X-Google-Smtp-Source: AGs4zMZymbcAWEuGSbNBLP14teGfrpk2zjoydq5/qbWHuebhCWyww2d4wFduralrB5k9Rmfu4TlVvQ== X-Received: by 10.28.168.88 with SMTP id r85mr11360224wme.63.1512515929630; Tue, 05 Dec 2017 15:18:49 -0800 (PST) Received: from gumby.homeunix.com ([81.17.24.158]) by smtp.gmail.com with ESMTPSA id o63sm1531969wmb.4.2017.12.05.15.18.47 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Tue, 05 Dec 2017 15:18:49 -0800 (PST) Date: Tue, 5 Dec 2017 23:18:45 +0000 From: RW To: freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <20171205231845.5028d01d@gumby.homeunix.com> In-Reply-To: <20171205220849.GH9701@gmail.com> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> X-Mailer: Claws Mail 3.15.1 (GTK+ 2.24.31; amd64-portbld-freebsd11.1) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Dec 2017 23:18:52 -0000 On Tue, 5 Dec 2017 14:08:49 -0800 Gordon Tetlow wrote: > Using this as a reason to not move to HTTPS is a fallacy. We should do > everything we can to help our end-users get FreeBSD in the most secure > way. 

I think it's more a question of whether all users should be forced onto
https even if it might prevent some users from getting security updates.

From owner-freebsd-security@freebsd.org Tue Dec 5 23:30:39 2017
To: Yuri
cc: Gordon Tetlow, freebsd-security@freebsd.org, Dewayne Geraghty
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
From: "Poul-Henning Kamp"
Date: Tue, 05 Dec 2017 23:30:35 +0000
Message-ID: <24380.1512516635@critter.freebsd.dk>

--------
In message <1294e5c4-9554-b9f5-8ea9-13aca5411e9a@rawbw.com>, Yuri writes:
>On 12/05/17 14:43, Poul-Henning Kamp wrote:
>> The vastly oversold "security" of HTTPS is entirely borrowed from
>> a confederation of root-CA's which no non-deluded person can ever
>> seriously trust.
>
>
>Your argument goes like this [...]

Yuri,

You get to express your opinion, you do not also get to express mine.

The core problem of all encryption is key distribution.

HTTPS doesn't have that, it relies entirely on the CA system for it.

The CA conglomerate is broken, trojaned and backdoored, and documented
as such, and therefore HTTPs is a Potemkin shell of security.

Until HTTPS has something more trustworthy than the CA conglomerate
to distribute keys, it is no safer in any respect than plain HTTP.

And you are wasting everybody's time by trying to change FreeBSD's
*100% non-private* version control system to a protocol which
offers no privacy where no privacy is needed.

You should spend *your* time getting personally involved in your own
country's political system, which is where the relevant decisions,
bad or good, about our electronic privacy will be made.

Over and out...

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Wed Dec 6 00:00:14 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Poul-Henning Kamp
Cc: freebsd-security@freebsd.org, Dewayne Geraghty, Gordon Tetlow
From: Yuri
Message-ID: <7bf1420c-2a3c-c9d0-fe91-7e69f9415214@rawbw.com>
Date: Tue, 5 Dec 2017 16:00:11 -0800

On 12/05/17 15:30, Poul-Henning Kamp wrote:
> The CA conglomerate is broken, trojaned and backdoored, and documented
> as such, and therefore HTTPs is a Potemkin shell of security.
>
> Until HTTPS has something more trustworthy than the CA conglomerate
> to distribute keys, it is no safer in any respect than plain HTTP.

You are wrong. https with all its problems is still safer. If I am browsing through Tor, any exit node operator can easily perform a MITM attack in case of http, which they generally can't do in case of https. In case of https he needs to be a state actor privy to the CA compromise.

Yuri

From owner-freebsd-security@freebsd.org Wed Dec 6 00:11:00 2017
Date: Tue, 5 Dec 2017 16:10:56 -0800
From: Gordon Tetlow
To: RW
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171206001056.GI9701@gmail.com>

On Tue, Dec 05, 2017 at 11:18:45PM +0000, RW via freebsd-security wrote:
> On Tue, 5 Dec 2017 14:08:49 -0800
> Gordon Tetlow wrote:
>
>
> > Using this as a reason to not move to HTTPS is a fallacy. We should do
> > everything we can to help our end-users get FreeBSD in the most secure
> > way.
>
> I think it's more a question of whether all users should be forced onto
> https even if it might prevent some users from getting security updates.

I agree with this sentiment. I would like https to be the default with
http being an explicit decision on the user's end to use. This way, the
naive user can get the benefits of encryption in transit while a
knowledgeable user can accept the risk of getting updates via http.

Best,
Gordon

From owner-freebsd-security@freebsd.org Wed Dec 6 00:06:37 2017
From: Jamie Landeg-Jones
Message-Id: <201712060006.vB606YhU080529@donotpassgo.dyslexicfish.net>
Date: Wed, 06 Dec 2017 00:06:33 +0000
Organization: Dyslexic Fish
To: phk@phk.freebsd.dk, gordon@tetlows.org
Cc: freebsd-security@freebsd.org, dewayne.geraghty@heuristicsystems.com.au
Subject: Re: http subversion URLs should be discontinued in favor of https URLs

"Poul-Henning Kamp" wrote:

> simple-minded IT-liberalistic "Encrypt everything" campaign is,
> 100% as predicted, pushing governments to neuter encryption in
> order to keep the court systems working.

I agree. Unfortunately forums.freebsd.org not only went down the 'encrypt everything' route, they did so before TLS was ubiquitous (disabling SSL2 & SSL3 way before most places)

Not directed personally at you, phk - it's just strange that forum questions are considered more important to secure than source files!

cheers, Jamie

From owner-freebsd-security@freebsd.org Wed Dec 6 00:57:08 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
From: Joey Kelly
Date: Tue, 5 Dec 2017 19:49:53 -0500

>
> Not directed personally at you, phk - it's just strange that forum
> questions are considered more important to secure than source files!

Me too!

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

From owner-freebsd-security@freebsd.org Wed Dec 6 01:07:58 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
From: Yonas Yanfa
Message-ID: <93c35d96-157a-c017-e646-0b32ec803abb@fizk.net>
Date: Tue, 5 Dec 2017 20:01:41 -0500

On 12/05/2017 15:59, Yuri wrote:
> I suggested this PR, but it got rejected:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224097
>

I would also prefer HTTPS over HTTP, but aren't signed commits what we're really looking for?

Are individual commits in SVN digitally signed? Git has this ability, but it appears SVN does not.

We have https://github.com/freebsd/freebsd but I don't see any signed commits.

This might be a good reason to finally abandon SVN.

Yonas

From owner-freebsd-security@freebsd.org Wed Dec 6 02:02:59 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Yonas Yanfa, freebsd-security@freebsd.org
From: Michelle Sullivan
Message-id: <5A274F5B.9030902@sorbs.net>
Date: Wed, 06 Dec 2017 13:00:59 +1100

Yonas Yanfa wrote:
>
> I wholeheartedly agree with Gordon. Let's do more, not less.
>
> I believe it was fallacies like this that misled many websites,
> including freebsd.org, to remain in HTTP for far too long.

Oh good God! What is 'in the name of security' is this crusade making all - plain text, publicly accessible, static content sites 'HTTPS' instead of 'HTTP' ....?

Bearing in mind it's trivial to block anyhow, using a modern up to date browser if I block (send back resets - ie "connection refused") a connection to a client making a secure request to the web and the user has not explicitly set https:// as the start of the URL it (the browser) will automatically try port 80 (http) for the connection, I am now quite easily able to MITM attack the user by proxying (and re-writing) the http:// requests into https:// requests to the real webserver which might have disabled http:// connections "in the name of security" ...

Now not saying that this is an issue on subversion requests as usually they are specific in their requests to use a secure layer or not but let's get real here, the protocol allows secure and insecure, you should use the secure by default. You should not automatically not use any insecure, or worse restrict access to secure only in the name of progress because those sites secured with their own project certificates (self-signed) will see people just turning off checking of the signers, and therefore will turn off checking of CRLs and you will lower overall security....

It's like making passwords change every week and have to be >20 characters with upper lower and special... result is security is lowered because people write them down.

Michelle

From owner-freebsd-security@freebsd.org Wed Dec 6 09:44:27 2017
Date: Tue, 5 Dec 2017 23:33:42 +0100
From: Steve Clement
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171205223342.r63xkbn4tiy6we3q@localhost.lu>

* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> >

Dear all,

Is it really wise suggesting that http is not that bad?
While you are at it, perhaps reviving telnet is a good idea. (Yes it is a bad comparison)
If your answer is to just not use it, good luck for the past.

> It can be illusory.  My last job was as Sec Mgr for a large bank.  They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted.  An alternative
> approach to advocate is dnssec.  :)

And you just let this happen under your watch?

> You also need to ensure integrity, to ensure that the numbers are
> flipped in transit...  ;)

As a security person you do have responsibilities.
Of course if you (as a security person) gave up on all that, you might as well go to the beach and use your CB to talk to your Dr.

I cannot believe these attitudes, can perhaps other people weigh-in, especially to the issue at hand?

Looking forward to the first person bringing up performance issues, in end-of-2017…

Sincerely yours,

Steve

From owner-freebsd-security@freebsd.org Wed Dec 6 12:35:54 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
From: Dan Lukes
Date: Wed, 6 Dec 2017 13:35:45 +0100

>>>> It is illusion

> As a security person you do have responsibilities

Let's calm down, guys.

Anyone can claim "I'm skilled security officer". But true professional will define the risk to mitigate *first*. We can discuss possible solutions *then*.

Flamewars "https will save our souls" v.s. "https is illusion of security" with fuzzy goal helps to no one.

Just my $0.02

Dan

From owner-freebsd-security@freebsd.org Wed Dec 6 14:00:18 2017
Date: Wed, 6 Dec 2017 17:00:08 +0300
From: Slawa Olhovchenkov
To: Yuri
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171206140008.GA5368@zxy.spb.ru>

On Tue, Dec 05, 2017 at 01:13:25PM -0800, Yuri wrote:

> On 12/05/17 13:04, Eugene Grosbein wrote:
> > It is illusion that https is more secure than unencrypted http in a sense of MITM
> > just because of encryption, it is not.
>
>
> It *is* more secure.

https don't work frequent than http and this is not secure.

From owner-freebsd-security@freebsd.org Wed Dec 6 14:04:34 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Gordon Tetlow, Dewayne Geraghty
Cc: freebsd-security@freebsd.org
From: Eugene Grosbein
Message-ID: <5A27F8E4.5000800@grosbein.net>
Date: Wed, 6 Dec 2017 21:04:20 +0700
In-Reply-To: <20171205220849.GH9701@gmail.com>

On 06.12.2017 05:08, Gordon Tetlow wrote:

> Using this as a reason to not move to HTTPS is a fallacy. We should do
> everything we can to help our end-users get FreeBSD in the most secure
> way.

Please do not mix opportunity with enforcement.

From owner-freebsd-security@freebsd.org Wed Dec 6 14:17:21 2017
From: Cy Schubert
Subject: RE: http subversion URLs should be discontinued in favor of https URLs
Date: Wed, 6 Dec 2017 06:17:18 -0800
To: Steve Clement, Dewayne Geraghty
CC: "freebsd-security@freebsd.org"
Message-Id: <20171206141716.1ECC3110@spqr.komquats.com>

No worries, telnet and ftp are in my sights.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.
This old phone only supports top post. Apologies.

Cy Schubert or
The need of the many outweighs the greed of the few.
---

-----Original Message-----
From: Steve Clement
Sent: 06/12/2017 03:29
To: Dewayne Geraghty
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs

* On Wed, Dec 06, 2017 at 08:55:00AM +1100, Dewayne Geraghty wrote:
> On 6/12/2017 8:13 AM, Yuri wrote:
> > On 12/05/17 13:04, Eugene Grosbein wrote:
> >> It is illusion that https is more secure than unencrypted http in a
> >> sense of MITM
> >> just because of encryption, it is not.
> >
> >

Dear all,

Is it really wise suggesting that http is not that bad?
While you are at it, perhaps reviving telnet is a good idea. (Yes it is a bad comparison)

If your answer is to just not use it, good luck for the past.

> It can be illusory.  My last job was as Sec Mgr for a large bank.  They
> disabled cert checking on client devices, placed a wildcard cert at the
> internet boundary and captured all https unencrypted.  An alternative
> approach to advocate is dnssec.  :)

And you just let this happen under your watch?

> You also need to ensure integrity, to ensure that the numbers are
> flipped in transit...  ;)

As a security person you do have responsibilities.

Of course if you (as a security person) gave up on all that, you might as well go to the beach and use your CB to talk to your Dr.

I cannot believe these attitudes, can perhaps other people weigh-in, especially to the issue at hand?
Looking forward to the first person bringing up performance issues, in end-of-2017…

Sincerely yours,

Steve

From owner-freebsd-security@freebsd.org Wed Dec 6 14:36:38 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
From: Karl Denninger
Message-ID: <44927eab-ebcf-3889-8f41-df6d754fc21a@denninger.net>
Date: Wed, 6 Dec 2017 08:36:27 -0600
In-Reply-To: <20171206141716.1ECC3110@spqr.komquats.com>

This is a cryptographically signed message in MIME format.

On 12/6/2017 08:17, Cy Schubert wrote:
>
>> It can be illusory.  My last job was as Sec Mgr for a large bank.  They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted.  An alternative
>> approach to advocate is dnssec.  :)
> And you just let this happen under your watch?

The reason such is done is that the IT people /have/ thought about it and determined that being able to /scan and archive/ all traffic going in and out is worth more than the "security" afforded by allowing HTTPS originated beyond their border in.  Oh by the way in some lines of business said ability to scan and archive is a matter of regulatory compliance.......

I'm not, by the way, opining on whether this is a correct analysis or not.

But I will note for the record that Avast's anti-virus products will, by default, do exactly this sort of intentional interception on IMAP server traffic aimed at port 993 in an attempt to detect trojans and viruses that are attached to email messages.
--
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
From owner-freebsd-security@freebsd.org Wed Dec 6 15:04:47 2017
In-Reply-To: <20171205231845.5028d01d@gumby.homeunix.com>
From: Igor Mozolevsky
Date: Wed, 6 Dec 2017 15:04:04 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: RW
Cc: freebsd security

On 5 December 2017 at 23:18, RW via freebsd-security <freebsd-security@freebsd.org> wrote:

> On Tue, 5 Dec 2017 14:08:49 -0800
> Gordon Tetlow wrote:
> >
> > Using this as a reason to not move to HTTPS is a fallacy. We should do
> > everything we can to help our end-users get FreeBSD in the most secure
> > way.
>
> I think it's more a question of whether all users should be forced onto
> https even if it might prevent some users from getting security updates.

If updates are signed, then I don't see what can be gained by using relatively expensive HTTPS over HTTP. People screaming for HTTPS without justifying a specific threat model (cf. a generic "MITM"-bogeyman), don't understand HTTPS nor general security (to paraphrase the famous phrase).

--
Igor M.
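The "if updates are signed" argument in the message above, as an added example that is not part of the thread or of any FreeBSD tool: a client that checks a signature against a key pinned out of band rejects altered data whatever the transport, while a checksum delivered over the same channel does not. The RSA code is a textbook standard-library construction so the demo runs offline (a vetted crypto library belongs in real systems); the keys, payloads, bundle layout and function names are constructed for the illustration.

```python
"""Added demo: pinned-key signature check, independent of the transport (stdlib only)."""
import hashlib
import hmac
import random

E = 65537
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _probable_prime(n, rng, rounds=24):
    """Miller-Rabin test for a large odd candidate n."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if c % E != 1 and _probable_prime(c, rng):  # keeps gcd(E, c - 1) == 1
            return c


def demo_keypair(seed, bits=1024):
    """Deterministic DEMO key from a seeded PRNG; never make real keys this way."""
    rng = random.Random(seed)
    p, q = _prime(bits // 2, rng), _prime(bits // 2, rng)
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))


def _encode(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(SHA-256(message))."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode(message, k), "big"), d, n).to_bytes(k, "big")


def verify(pub, message, sig):
    """Re-encode the expected block and compare; nothing in sig is parsed."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _encode(message, k))


def fingerprint(pub):
    return hashlib.sha256(("%x:%x" % pub).encode()).hexdigest()


def checksum_ok(bundle):
    """Weak check: the digest arrives over the same channel as the payload."""
    return hashlib.sha256(bundle["payload"]).hexdigest() == bundle["sha256"]


def signature_ok(pinned_fp, bundle):
    """Strong check: key must match the out-of-band pin, then the signature."""
    if not hmac.compare_digest(fingerprint(bundle["pub"]), pinned_fp):
        return False
    return verify(bundle["pub"], bundle["payload"], bundle["sig"])


def run_scenarios():
    pub, priv = demo_keypair(seed=2017)           # publisher
    other_pub, other_priv = demo_keypair(seed=1)  # someone else's valid key
    pinned = fingerprint(pub)                     # shipped with the installed system
    good, bad = b"constructed update, revision 1\n", b"constructed update, altered\n"
    sha = lambda data: hashlib.sha256(data).hexdigest()
    honest = {"payload": good, "sha256": sha(good), "sig": sign(priv, good), "pub": pub}
    bundles = {
        "honest": honest,
        "payload_changed": dict(honest, payload=bad),
        "payload_and_checksum_changed": dict(honest, payload=bad, sha256=sha(bad)),
        "resigned_with_other_key": dict(payload=bad, sha256=sha(bad),
                                        sig=sign(other_priv, bad), pub=other_pub),
    }
    return {name: (checksum_ok(b), signature_ok(pinned, b)) for name, b in bundles.items()}


if __name__ == "__main__":
    print(run_scenarios())
```

Each result is a pair (checksum accepted, pinned signature accepted); the two rows where the checksum passes and the signature fails are the ones that separate an authenticated trust anchor from an integrity value that travels with the data.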
From owner-freebsd-security@freebsd.org Thu Dec 7 14:14:26 2017
From: Dag-Erling Smørgrav
To: Gordon Tetlow
Cc: Poul-Henning Kamp, freebsd-security@freebsd.org, Dewayne Geraghty
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Thu, 07 Dec 2017 15:04:42 +0100
In-Reply-To: <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> (Gordon Tetlow's message of "Tue, 5 Dec 2017 15:18:21 -0800")
Message-ID: <867etyzlad.fsf@desk.des.no>

Gordon Tetlow writes:
> Assertion of identity and encryption in transit are separate issues. I
> do agree that identity is fundamentally broken with the existing CA
> system. I’m more interested in preventing tampering of data in
> transit. HTTPS is an easy way to do that.

You can't have the latter without the former. Assertion of identity is the only protection against MITM eavesdropping or tampering.

DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@freebsd.org Thu Dec 7 14:50:35 2017
To: Dag-Erling Smørgrav
cc: Gordon Tetlow, freebsd-security@freebsd.org, Dewayne Geraghty
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-reply-to: <867etyzlad.fsf@desk.des.no>
From: "Poul-Henning Kamp"
Date: Thu, 07 Dec 2017 14:50:30 +0000
Message-ID: <1291.1512658230@critter.freebsd.dk>

--------
In message <867etyzlad.fsf@desk.des.no>, Dag-Erling Smørgrav writes:
>Gordon Tetlow writes:
>> Assertion of identity and encryption in transit are separate issues. [...]
>
>You can't have the latter without the former. Assertion of identity is
>the only protection against MITM eavesdropping or tampering.

Or more generally:

If you don't/can't trust the other end, why would you trust them to keep the communication secret ?

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@freebsd.org Thu Dec 7 17:06:35 2017
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: freebsd-security@freebsd.org
From: Yuri
Message-ID: <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>
Date: Thu, 7 Dec 2017 09:06:27 -0800
In-Reply-To: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com>

On 12/05/17 12:59, Yuri wrote:
> I suggested this PR, but it got rejected:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224097
>
>
> http is insecure in its nature, and is an easy target for MITM. This
> is why https should be preferred. http needs to be discontinued and
> shut down because as long as it exists somebody will keep using it and
> will be in danger.
>
>
> Few years ago Wikimedia Foundation switched to https and discontinued
> http entirely:
> https://blog.wikimedia.org/2015/06/12/securing-wikimedia-sites-with-https
> I think this makes a lot of sense, and FreeBSD should do the same.
>
>
> It's understood that a lot of arguments can be made for and against
> this, like with any other issue, but security argument should outweigh
> most or all other arguments.

Let's forget about all the abstract arguments and considerations, and consider this concrete scenario:

Let's assume there is the malicious hacker who runs the malicious Tor exit node. In his attempt to spread malware, he watches all outbound http traffic for subversion requests to the domain FreeBSD.org. Once he detects such request, he serves the maliciously patched versions of popular ports and kernel in a hope that they will be rebuilt locally and run. The unfortunate FreeBSD user who updated his source tree through Tor got infected.

This can't possibly happen if https protocol was in use, because the hacker is just a private person and doesn't have access to any CA authorities, and doesn't impersonate anybody.

Please justify the use of the http protocol in the face of this scenario.
Yuri From owner-freebsd-security@freebsd.org Thu Dec 7 22:26:27 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6F8DFE92EEA for ; Thu, 7 Dec 2017 22:26:27 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 39604796E9 for ; Thu, 7 Dec 2017 22:26:26 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id E1A5A2738B; Thu, 7 Dec 2017 22:26:23 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vB7MQ8sl001219 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 7 Dec 2017 22:26:08 GMT (envelope-from phk@critter.freebsd.dk) Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vB7MQ72Y001218; Thu, 7 Dec 2017 22:26:07 GMT (envelope-from phk) To: Yuri cc: freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs In-reply-to: <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> From: "Poul-Henning Kamp" References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <1216.1512685566.1@critter.freebsd.dk> Date: Thu, 07 Dec 2017 22:26:06 +0000 Message-ID: <1217.1512685566@critter.freebsd.dk> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2017 22:26:27 -0000 -------- In message <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>, Yuri writes: >The 
unfortunate FreeBSD user who updated his source tree through
>Tor [...]

Why would anybody do that in the first place ?

-- 
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Thu Dec 7 23:16:19 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A2C6BE93C98 for ; Thu, 7 Dec 2017 23:16:19 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 71D3B7B144 for ; Thu, 7 Dec 2017 23:16:19 +0000 (UTC) (envelope-from jhellenthal@dataix.net) Received: by mail-it0-x22d.google.com with SMTP id 68so944198ite.4 for ; Thu, 07 Dec 2017 15:16:19 -0800 (PST) X-Received: by 10.36.67.141 with SMTP id s135mr3293477itb.149.1512688578532; Thu, 07 Dec 2017 15:16:18 -0800 (PST) Received: from ?IPv6:2600:1008:b10d:2dd:d08a:faf5:43fa:261e? ([2600:1008:b10d:2dd:d08a:faf5:43fa:261e]) by smtp.gmail.com with ESMTPSA id l34sm2974760ioi.16.2017.12.07.15.16.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Dec 2017 15:16:17 -0800 (PST) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: http subversion URLs should be discontinued in favor of https URLs From: Jason Hellenthal X-Mailer: iPhone Mail (15C114) In-Reply-To: <1217.1512685566@critter.freebsd.dk> Date: Thu, 7 Dec 2017 17:16:15 -0600 Cc: Yuri , "freebsd-security@freebsd.org" Content-Transfer-Encoding: quoted-printable Message-Id: References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> To: Poul-Henning Kamp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2017 23:16:19 -0000

The truly paranoid types that don’t want anyone to know they are using FreeBSD apparently.

Honestly if they are that worried about http then get a private vpn tunnel and run through that instead !

> On Dec 7, 2017, at 16:27, Poul-Henning Kamp wrote:
>
> --------
> In message <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>, Yuri writes:
>
>> The unfortunate FreeBSD user who updated his source tree through
>> Tor [...]
>
> Why would anybody do that in the first place ?
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Fri Dec 8 04:47:44 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 77635E99E71 for ; Fri, 8 Dec 2017 04:47:44 +0000 (UTC) (envelope-from yuri@rawbw.com) Received: from shell1.rawbw.com (shell1.rawbw.com [198.144.192.42]) by mx1.freebsd.org (Postfix) with ESMTP id 5A72963542 for ; Fri, 8 Dec 2017 04:47:43 +0000 (UTC) (envelope-from yuri@rawbw.com) Received: from yv.noip.me (c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56]) (authenticated bits=0) by shell1.rawbw.com (8.15.1/8.15.1) with ESMTPSA id vB84lfta025195 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 7 Dec 2017 20:47:41 -0800 (PST) (envelope-from yuri@rawbw.com) X-Authentication-Warning: shell1.rawbw.com: Host c-24-6-186-56.hsd1.ca.comcast.net [24.6.186.56] claimed to be yv.noip.me Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Jason Hellenthal , Poul-Henning Kamp Cc: "freebsd-security@freebsd.org" References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>
<1217.1512685566@critter.freebsd.dk> From: Yuri Message-ID: <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> Date: Thu, 7 Dec 2017 20:47:40 -0800 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 04:47:44 -0000

On 12/07/17 15:16, Jason Hellenthal wrote:
> The truly paranoid types that don’t want anyone to know they are using FreeBSD apparently.
>
> Honestly if they are that worried about http then get a private vpn tunnel and run through that instead !

Some people aren't aware that they use http, and enable Tor because they think that it improves privacy. It's very easy to use such setup inadvertently.

Yuri From owner-freebsd-security@freebsd.org Fri Dec 8 07:22:44 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0C098E9C6BA for ; Fri, 8 Dec 2017 07:22:44 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id C3CA0675DE for ; Fri, 8 Dec 2017 07:22:43 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 0BBD52739F; Fri, 8 Dec 2017 07:22:40 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vB87MOq5003002 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 8 Dec 2017 07:22:24 GMT (envelope-from phk@critter.freebsd.dk) Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vB87MNGp003001; Fri, 8 Dec 2017 07:22:23 GMT (envelope-from phk) To: Yuri cc: Jason Hellenthal , "freebsd-security@freebsd.org" Subject: Re: http subversion URLs should be discontinued in favor of https URLs In-reply-to: <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> From: "Poul-Henning Kamp" References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-ID: <2999.1512717743.1@critter.freebsd.dk> Content-Transfer-Encoding: quoted-printable Date: Fri, 08 Dec 2017 07:22:23 +0000 Message-ID: <3000.1512717743@critter.freebsd.dk> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 07:22:44 -0000

--------
In message <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com>, Yuri writes:
>On 12/07/17 15:16, Jason Hellenthal wrote:
>> The truly paranoid types that don’t want anyone to know they are using FreeBSD apparently.
>>
>> Honestly if they are that worried about http then get a private vpn tunnel and run through that instead !
>
>
>Some people aren't aware that they use http, and enable Tor because they
>think that it improves privacy. It's very easy to use such setup
>inadvertently.

And for this reason you want the FreeBSD project to take a politically stupid position in the war between IT-liberalists and all the world's governments ?

No thanks.

-- 
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@freebsd.org Fri Dec 8 08:25:17 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 34593E9D8CB for ; Fri, 8 Dec 2017 08:25:17 +0000 (UTC) (envelope-from matthew.finkel@gmail.com) Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EC96E68E98 for ; Fri, 8 Dec 2017 08:25:16 +0000 (UTC) (envelope-from matthew.finkel@gmail.com) Received: by mail-it0-x231.google.com with SMTP id z6so3278493iti.4 for ; Fri, 08 Dec 2017 00:25:16 -0800 (PST) X-Received: by 10.107.97.16 with SMTP id v16mr1404558iob.263.1512721515968; Fri, 08 Dec 2017 00:25:15 -0800 (PST) Received: from localhost (tor.emeraldonion.org.
[23.129.64.101]) by smtp.gmail.com with ESMTPSA id d3sm557999itf.39.2017.12.08.00.25.13 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 08 Dec 2017 00:25:15 -0800 (PST) From: Matthew Finkel X-Google-Original-From: Matthew Finkel Date: Fri, 8 Dec 2017 08:25:05 +0000 To: Poul-Henning Kamp Cc: Yuri , freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <20171208082503.cve4526nkwf7chef@localhost> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <1217.1512685566@critter.freebsd.dk> User-Agent: NeoMutt/20170113 (1.7.2) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 08:25:17 -0000

On Thu, Dec 07, 2017 at 10:26:06PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>, Yuri writes:
>
> >The unfortunate FreeBSD user who updated his source tree through
> >Tor [...]
>
> Why would anybody do that in the first place ?

Why doesn't everyone have that option? Why is broadcasting a user's information across the internet forced upon them? Shouldn't they have a choice?

I don't disagree the CA mafia model is a broken mess, but there is some work being done for this - so maybe the situation will be better in 5-10 years. But even with those improvements, I'd rather have updates served over a self-authenticating onion service than over a direct http connection.

I see five options: direct-http-connection, direct-https-connection, http-over-tor, https-over-tor, and http-over-onion.
There is only one of these that does not require trusting the intermediate hops of the connection (or external third parties) and it guarantees the bits that went in at one end of the connection are the bits that come out the other end while not leaking sensitive information (metadata) along the path.

As a concrete example, I encourage everyone read why Debian chose exactly this solution[0][1]. It would be nice if all updates are available over onion, not only subversion, but subversion is a good starting point.

Onion services accomplish the same basic goal as TLS (authentication, integrity, confidentiality) and they protect against targeting and profiling users. As a user, I care about all these problems.

Also, to Yuri's original point, you can ship a self-signed FreeBSD CA cert. Subversion supports using it, so beside getting the private keys on the mirrors there is little against doing it[2].

[0] https://blog.torproject.org/tor-heart-apt-transport-tor-and-debian-onions
[1] https://bits.debian.org/2016/08/debian-and-tor-services-available-as-onion-services.html
[2] http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.httpd.ssl

From owner-freebsd-security@freebsd.org Fri Dec 8 08:25:46 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 15B85E9D930 for ; Fri, 8 Dec 2017 08:25:46 +0000 (UTC) (envelope-from tj@tjvarghese.com) Received: from mail-it0-x232.google.com (mail-it0-x232.google.com [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C669168F93 for ; Fri, 8 Dec 2017 08:25:45 +0000 (UTC) (envelope-from tj@tjvarghese.com) Received: by mail-it0-x232.google.com with SMTP id t1so3268422ite.5 for ; Fri, 08 Dec 2017 00:25:45
-0800 (PST) X-Received: by 10.36.147.193 with SMTP id y184mr4542190itd.64.1512721544928; Fri, 08 Dec 2017 00:25:44 -0800 (PST) Received: from [192.168.10.201] ([175.136.175.51]) by smtp.googlemail.com with ESMTPSA id f68sm3394955iod.36.2017.12.08.00.25.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Dec 2017 00:25:43 -0800 (PST) Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Poul-Henning Kamp , Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org, Dewayne Geraghty , Gordon Tetlow References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> From: TJ Varghese Message-ID: <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> Date: Fri, 8 Dec 2017 16:25:39 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 MIME-Version: 1.0 In-Reply-To: <1291.1512658230@critter.freebsd.dk> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 08:25:46 -0000

On 12/07/2017 10:50 PM, Poul-Henning Kamp wrote:
>
>> You can't have the latter without the former. Assertion of identity is
>> the only protection against MITM eavesdropping or tampering.
> Or more generally:
>
> If you dont/cant trust the other end, why would you trust them to
> keep the communication secret ?
>

I'm curious as to your take on electronic banking. Should they all merely use HTTP since HTTPS is hopelessly compromised by design? If your objection is that HTTPS bring nothing to the security table, then it really doesn't make a difference where it's used and we should all just stop using it, no?

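Added example, not part of any message in this thread: Yuri's point earlier in the thread, that people can be using http for Subversion without being aware of it, can be checked on a given machine by reading the repository root that each working copy records. The sketch assumes the Subversion 1.7+ working-copy layout (`.svn/wc.db` with a `REPOSITORY` table); the host `svn.example.org` and the sample trees are constructed, and the https URL in the hint assumes the server offers the same path over https.

```python
"""List Subversion working copies that talk to their repository over plain
http://, where nothing authenticates the server or protects the served tree.

Assumption: working copies use the Subversion 1.7+ layout, in which
.svn/wc.db is an SQLite file whose REPOSITORY table stores the root URL.
"""
import os
import sqlite3
import tempfile
from contextlib import closing
from pathlib import Path
from urllib.parse import urlsplit


def repository_roots(wc_db):
    """Return the repository root URLs recorded in one wc.db, opened read-only."""
    try:
        uri = Path(wc_db).resolve().as_uri() + "?mode=ro"
        with closing(sqlite3.connect(uri, uri=True)) as conn:
            return [row[0] for row in conn.execute("SELECT root FROM REPOSITORY")]
    except (sqlite3.Error, OSError):
        # Missing file, pre-1.7 working copy, or not an SQLite database.
        return []


def https_relocate_hint(root):
    """Build the 'svn relocate' command that would move a checkout to https.

    Assumption: the server offers the same repository path over https.
    """
    https_root = urlsplit(root)._replace(scheme="https").geturl()
    return "svn relocate {} {}".format(root, https_root)


def find_http_checkouts(top):
    """Walk 'top' and return sorted (working_copy_dir, root_url, hint) tuples."""
    findings = []
    for dirpath, dirnames, _files in os.walk(top):
        if ".svn" not in dirnames:
            continue
        dirnames.remove(".svn")  # metadata only; keep walking for nested checkouts
        for root in repository_roots(os.path.join(dirpath, ".svn", "wc.db")):
            if urlsplit(root).scheme.lower() == "http":
                findings.append((dirpath, root, https_relocate_hint(root)))
    return sorted(findings)


def build_constructed_sample(base):
    """Create two minimal, constructed working copies under 'base' for the demo."""
    samples = {
        "src": "http://svn.example.org/base",      # hypothetical host, plain http
        "ports": "https://svn.example.org/ports",  # hypothetical host, https
    }
    for name, root in samples.items():
        meta = os.path.join(base, name, ".svn")
        os.makedirs(meta)
        with closing(sqlite3.connect(os.path.join(meta, "wc.db"))) as conn:
            conn.execute(
                "CREATE TABLE REPOSITORY (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                "root TEXT UNIQUE NOT NULL, uuid TEXT NOT NULL)"
            )
            conn.execute(
                "INSERT INTO REPOSITORY (root, uuid) VALUES (?, ?)",
                (root, "00000000-0000-0000-0000-000000000000"),
            )
            conn.commit()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for path, root, hint in find_http_checkouts(tmp):
            print("{}: {}\n  suggested: {}".format(path, root, hint))
```
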
From owner-freebsd-security@freebsd.org Fri Dec 8 10:31:36 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 06403EA08AF for ; Fri, 8 Dec 2017 10:31:36 +0000 (UTC) (envelope-from michelle@sorbs.net) Received: from hades.sorbs.net (hades.sorbs.net [72.12.213.40]) by mx1.freebsd.org (Postfix) with ESMTP id DCC716CAD2 for ; Fri, 8 Dec 2017 10:31:35 +0000 (UTC) (envelope-from michelle@sorbs.net) MIME-version: 1.0 Content-transfer-encoding: 8BIT Content-type: text/plain; charset=UTF-8; format=flowed Received: from typhoon.sorbs.net (203-206-128-220.perm.iinet.net.au [203.206.128.220]) by hades.sorbs.net (Oracle Communications Messaging Server 7.0.5.29.0 64bit (built Jul 9 2013)) with ESMTPSA id <0P0N0017Q1MTZE00@hades.sorbs.net> for freebsd-security@freebsd.org; Fri, 08 Dec 2017 02:40:08 -0800 (PST) Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: Yuri , Jason Hellenthal , Poul-Henning Kamp Cc: "freebsd-security@freebsd.org" References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk> <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> From: Michelle Sullivan Message-id: <5A2A6985.3070202@sorbs.net> Date: Fri, 08 Dec 2017 21:29:25 +1100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40 In-reply-to: <83e44188-6e0d-13cc-4b80-d191ac010427@rawbw.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 10:31:36 -0000 Yuri wrote: > On 12/07/17 15:16, Jason Hellenthal wrote: >> The truly paranoid types that don’t want anyone to know they are >> using 
FreeBSD apparently.
>>
>> Honestly if they are that worried about http then get a private vpn
>> tunnel and run through that instead !
>
>
> Some people aren't aware that they use http, and enable Tor because
> they think that it improves privacy. It's very easy to use such setup
> inadvertently.

Ding! Ding! Ding! we have a winner!

This is about privacy and anonymity rather than security then...

Sorry you want to ensure a secure (trusted) connection you do it yourself. You go through other nodes (switches and routers of the normal internet) you make a choice... do I trust them to deliver my packets untampered with or not? I know there are nodes out there that are doing monitoring and filtering and even returning bad data (accessing a certain 58 servers/IPs in Australia will have all HTTP spoofed to return a static message that has nothing to do with those 58 servers... I now run a proxy on a network I trust and a VPN to that network (all of which are in Australia) and don't have my packets intercepted.)

If you're running your connection over Tor, you're running over a second layer with people out there that are not even necessarily trustworthy, many are people that they themselves use Tor for legally questionable actions, many for perfectly valid (though legally questionable) reasons.. (think: penetration testers - even commissioned ones).. but by using Tor you are accepting the risks in the knowledge that your data is traversing a network where people with questionable legal motives/positions...

So basically you want everyone to double their resources so that you can risk using an inherently untrustable network in the name of privacy... which in many cases you won't have anyway (because if the person doesn't know they are using http, then there is a pretty good chance they haven't secured their browser so it's spewing tracking cookies and other privacy defeating headers anyhow!)

Enough please!

Michelle

From owner-freebsd-security@freebsd.org Fri Dec 8 10:33:10 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ECEFCEA09ED for ; Fri, 8 Dec 2017 10:33:10 +0000 (UTC) (envelope-from luke@solentwholesale.com) Received: from mail-it0-x22f.google.com (mail-it0-x22f.google.com [IPv6:2607:f8b0:4001:c0b::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B2BA46CCCF for ; Fri, 8 Dec 2017 10:33:10 +0000 (UTC) (envelope-from luke@solentwholesale.com) Received: by mail-it0-x22f.google.com with SMTP id u62so3939001ita.2 for ; Fri, 08 Dec 2017 02:33:10 -0800 (PST) X-Received: by 10.36.221.216 with SMTP id t207mr4972397itf.112.1512729189784; Fri, 08 Dec 2017 02:33:09 -0800 (PST) MIME-Version: 1.0 Received: by 10.79.175.13 with HTTP; Fri, 8 Dec 2017 02:33:09 -0800 (PST) In-Reply-To: <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> From: Luke Crooks Date: Fri, 8 Dec 2017 10:33:09 +0000 Message-ID: Subject: Re: http subversion URLs should be discontinued in favor of https URLs To: freebsd-security@freebsd.org Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 10:33:11 -0000

The pull request was rejected for a valid reason, offering http allows users with limited network access chance to clone or download freebsd where https is not possible.

We all have differences of opinion on the matter and having a flame war on a mailing list just gives the project a bad reputation.

Regards,

-- 
Luke Crooks
Solent Wholesale Carpets
www.solentwholesale.com

On Fri, Dec 8, 2017 at 8:25 AM, TJ Varghese wrote:

> On 12/07/2017 10:50 PM, Poul-Henning Kamp wrote:
>
>>
>> You can't have the latter without the former. Assertion of identity is
>>> the only protection against MITM eavesdropping or tampering.
>>>
>> Or more generally:
>>
>> If you dont/cant trust the other end, why would you trust them to
>> keep the communication secret ?
>>
>>
> I'm curious as to your take on electronic banking. Should they all merely
> use HTTP since HTTPS is hopelessly compromised by design? If your objection
> is that HTTPS bring nothing to the security table, then it really doesn't
> make a difference where it's used and we should all just stop using it, no?

From owner-freebsd-security@freebsd.org Fri Dec 8 14:07:43 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 553DBE8454A for ; Fri, 8 Dec 2017 14:07:43 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 16308734D1 for ; Fri, 8 Dec 2017 14:07:42 +0000 (UTC) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (unknown [192.168.55.3]) by phk.freebsd.dk (Postfix) with ESMTP id 700E72737A; Fri, 8 Dec 2017 14:07:35 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.15.2/8.15.2) with ESMTPS id vB8E7Jw0003916 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 8 Dec 2017 14:07:19 GMT (envelope-from phk@critter.freebsd.dk) Received: (from phk@localhost) by critter.freebsd.dk (8.15.2/8.15.2/Submit) id vB8E7DF6003915; Fri, 8 Dec 2017 14:07:13 GMT (envelope-from phk) To: TJ Varghese cc: Dag-Erling Smørgrav , freebsd-security@freebsd.org, Dewayne Geraghty , Gordon Tetlow Subject: Re: http subversion URLs should be
discontinued in favor of https URLs In-reply-to: <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> From: "Poul-Henning Kamp" References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3913.1512742033.1@critter.freebsd.dk> Content-Transfer-Encoding: quoted-printable Date: Fri, 08 Dec 2017 14:07:13 +0000 Message-ID: <3914.1512742033@critter.freebsd.dk> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 14:07:43 -0000

--------
In message <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com>, TJ Varghese writes:

>I'm curious as to your take on electronic banking.

Good security is not "all or nothing", it is a carefully calibrated application of security measures to the problem at hand.

By forcing all web-traffic onto HTTPS, the rabid IT-liberalist has put governments in a position where they either have to break HTTPS traffic open or give up on having a working criminal justice system.

Anybody with a daughter knows what that dice will roll.

If you've ever read Clausewitz, you will recognize this strategy as really stupid: *Never* put your enemy in a position where their only option is to defeat you.

Various governments are going about this in different ways, some force a trojan root-cert on all their citzens, others pass law where you can be jailed indefinitely until you hand over your passwords, others again try force the IT-industry to "ensure legal access". Unfortunately this happens with little or no intelligent and cooperative input from the IT-community, who seem hell-bent on their "all or nothing" strategy. I personally preferred it back when HTTPS was tolerated by governments, because everybody could see that banking and e-commerce needed it, over the situation now, where HTTPS is so trojaned, that my webbank is no longer trustworthy via HTTPS. -- = Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe = Never attribute to malice what can adequately be explained by incompetence= . From owner-freebsd-security@freebsd.org Fri Dec 8 14:26:43 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 735FDE84BFF for ; Fri, 8 Dec 2017 14:26:43 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DD8C773EC0 for ; Fri, 8 Dec 2017 14:26:42 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-lf0-x230.google.com with SMTP id x20so12104297lff.1 for ; Fri, 08 Dec 2017 06:26:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; 
Date: Fri, 8 Dec 2017 09:26:16 -0500
From: Shawn Webb
To: Poul-Henning Kamp
Cc: TJ Varghese, Dag-Erling Smørgrav, Dewayne Geraghty, Gordon Tetlow, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171208142616.u56ntsf4zx5ns2ey@mutt-hbsd>
In-Reply-To: <3914.1512742033@critter.freebsd.dk>

On Fri, Dec 08, 2017 at 02:07:13PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com>, TJ Varghese writes:
>
> >I'm curious as to your take on electronic banking.
>
> Good security is not "all or nothing", it is a carefully calibrated
> application of security measures to the problem at hand.
>
> By forcing all web-traffic onto HTTPS, the rabid IT-liberalist has
> put governments in a position where they either have to break HTTPS
> traffic open or give up on having a working criminal justice system.
>
> Anybody with a daughter knows what that dice will roll.
>
> If you've ever read Clausewitz, you will recognize this strategy
> as really stupid: *Never* put your enemy in a position where their
> only option is to defeat you.
>
> Various governments are going about this in different ways, some
> force a trojan root-cert on all their citizens, others pass laws
> where you can be jailed indefinitely until you hand over your
> passwords, others again try to force the IT-industry to "ensure
> legal access".
>
> Unfortunately this happens with little or no intelligent and
> cooperative input from the IT-community, who seem hell-bent
> on their "all or nothing" strategy.
>
> I personally preferred it back when HTTPS was tolerated by governments,
> because everybody could see that banking and e-commerce needed it,
> over the situation now, where HTTPS is so trojaned, that my webbank
> is no longer trustworthy via HTTPS.

It really is a sad state that governments feel they must subvert
secure communications channels used by citizens. I agree with you
there.

Please note that this is likely to be my only contribution to this
thread.

What if FreeBSD generated its own CA for use with critical
infrastructure, like the svn repo. The trusted CA certificate would be
distributed via multiple means: in the src tree and on the website.
It would get installed on user's systems. The CA cert could have a
long lifetime, say twenty years.

FreeBSD would use key material generated by its CA to secure the comms
channel for the critical infrastructure.
This key material would have a significantly shorter lifetime, perhaps
six months or one year. Thus, the private key material for the CA only
needs to come out of cold storage to generate new key material only
periodically (hence why the CA cert can have a long lifetime).

This would accomplish multiple goals:

1. It would secure the comms channels for critical infrastructure.
2. It would prevent FreeBSD from being tied to existing CAs, which
   could be compromised or coerced into misbehaving.
3. It keeps FreeBSD in full control of their infrastructure.

FreeBSD already distributes key material for use with pkg (and perhaps
freebsd-update and portsnap (I don't know how those two work
under-the-hood with regards to dsigs)). Distributing one more piece of
key material isn't going to create much overhead.

We at HardenedBSD use a similar method as proposed above for our
binary updates. We use X.509 certificates to create a chain of trust
for our binary updates for base. We maintain our own CA, with the CA
cert having a lifetime of twenty years. The key material used to sign
the update gets regenerated every year on January 1st, but has a
thirteen-month lifespan. The CA key material resides on an encrypted
flash drive, stored in a place that requires two signatures from two
parties and two physical keys, only one of which I hold.

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

From owner-freebsd-security@freebsd.org Fri Dec 8 14:49:02 2017
From: Igor Mozolevsky
Date: Fri, 8 Dec 2017 14:48:19 +0000
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
To: Shawn Webb
Cc: Poul-Henning Kamp, freebsd security, Dag-Erling Smørgrav, Dewayne Geraghty, Gordon Tetlow, TJ Varghese

On 8 December 2017 at 14:26, Shawn Webb wrote:

> Please note that this is likely to be my only contribution to this
> thread.
>
> What if FreeBSD generated its own CA for use with critical
> infrastructure, like the svn repo.

Nobody has yet offered a concrete threat model that requires such
elaborate investment. So far as I can tell, the only two things people
have mentioned are:

- abstract MITM-bogeyman; or
- not wanting "the suits" learning one is using FreeBSD...

To me, both of the above sound more unjustifiably paranoid than
reasonable, yet the people advocating the above want not only an
investment in elaborate infrastructure, but also waste computer cycles
for crypto and network traffic for re-transmission of static data that
is fully capable of getting cached thereby reducing network/server load
at the source. Both Microsoft (unless you're running an MS-syndicated
update server) and virtually every Linux distro require repeated
downloads of the *same* data (due to HTTPS!) if you have more than one
install (I am talking not just running a bunch of boxes but virtualised
machines that people need to repeatedly create/destroy for whatever
reason); that is a sheer insanity from the NetOps perspective!

The "how do we know security updates are legitimate if they come down a
mere HTTP" is answered by signing the updates themselves, rendering the
S in the HTTPS redundant.

-- 
Igor M.

From owner-freebsd-security@freebsd.org Fri Dec 8 15:09:27 2017
To: Shawn Webb
cc: TJ Varghese, Dag-Erling Smørgrav, Dewayne Geraghty, Gordon Tetlow, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
In-reply-to: <20171208142616.u56ntsf4zx5ns2ey@mutt-hbsd>
From: "Poul-Henning Kamp"
Date: Fri, 08 Dec 2017 15:09:21 +0000
Message-ID: <4133.1512745761@critter.freebsd.dk>

--------
In message <20171208142616.u56ntsf4zx5ns2ey@mutt-hbsd>, Shawn Webb writes:

>It really is a sad state that governments feel they must subvert
>secure communications channels used by citizens. I agree with you
>there.

And it really is a sad state when rabid IT-liberalists don't see
any problem with females who dare to speak out against sexual abuse
being threatened via Tor, teenage girls, whose only crime is looking
good, being sent dick-picks by shitbags and organized crime being
above the law.

>What if FreeBSD generated its own CA for use with critical
>infrastructure, like the svn repo. The trusted CA certificate would be
>distributed via multiple means: in the src tree and on the website.
>It would get installed on user's systems.

*Then* I could see a point in using HTTPS, because then you would
have the FreeBSD Project telling you that you got to the right place
rather than Taiwanese or Turkish government telling you that you
got to what they think is the right place.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
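
Added example, not part of any message in this thread and not FreeBSD's or HardenedBSD's own tooling: the scheme discussed above (a long-lived project root, a short-lived signing certificate, and updates that are signed themselves so the transport does not have to be trusted), built with the openssl CLI. The function names, file names, RSA-2048 keys and the day counts 7300 and 396 (standing in for twenty years and thirteen months) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: names, key sizes and the update file are sample values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal extension profiles so the result does not depend on the system openssl.cnf.
cat > "$WORK/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_signer]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# new_ca NAME: self-signed root with a twenty-year lifetime (7300 days).
# In production this key would stay offline; here it is just a file in $WORK.
new_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7300 \
    -config "$WORK/x509.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_signer CA NAME: signing certificate valid for thirteen months (396 days).
issue_signer() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/x509.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 396 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/x509.cnf" -extensions v3_signer \
    -out "$WORK/$2.crt" 2>/dev/null
}

# sign_update SIGNER FILE: detached signature written to FILE.sig.
sign_update() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# verify_update ROOT_CERT SIGNER_CERT FILE: the client-side check.
# Step 1: the signer cert must chain to the one root the client ships with.
# Step 2: FILE.sig must verify under the public key in that signer cert.
verify_update() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -pubkey > "$WORK/pub.pem" 2>/dev/null || return 1
  openssl dgst -sha256 -verify "$WORK/pub.pem" \
    -signature "$3.sig" "$3" >/dev/null 2>&1
}

# valid_in_days CERT N: true if CERT is still within its lifetime N days from now.
valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# result CMD...: print yes/no for a command's exit status.
result() { if "$@"; then echo yes; else echo no; fi; }

new_ca project-root
issue_signer project-root update-signer
printf 'constructed update payload\n' > "$WORK/update.tar"
sign_update update-signer "$WORK/update.tar"

# The same file after one byte was appended somewhere on an untrusted path.
cp "$WORK/update.tar" "$WORK/tampered.tar"
cp "$WORK/update.tar.sig" "$WORK/tampered.tar.sig"
printf 'x' >> "$WORK/tampered.tar"

# A signer issued by some other CA that the client never pinned.
new_ca other-ca
issue_signer other-ca other-signer
cp "$WORK/update.tar" "$WORK/other.tar"
sign_update other-signer "$WORK/other.tar"

ROOT="$WORK/project-root.crt"
SIGNER="$WORK/update-signer.crt"
echo "genuine update accepted:        $(result verify_update "$ROOT" "$SIGNER" "$WORK/update.tar")"
echo "modified update accepted:       $(result verify_update "$ROOT" "$SIGNER" "$WORK/tampered.tar")"
echo "unpinned-CA signer accepted:    $(result verify_update "$ROOT" "$WORK/other-signer.crt" "$WORK/other.tar")"
echo "signer still valid in 365 days: $(result valid_in_days "$SIGNER" 365)"
echo "signer still valid in 400 days: $(result valid_in_days "$SIGNER" 400)"
```

The 365-day check passing while the 400-day check fails is the one-month overlap that lets a replacement certificate be issued each year before its predecessor expires.
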
From owner-freebsd-security@freebsd.org Sat Dec 9 04:44:55 2017
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-17:12.openssl
Reply-To: freebsd-security@freebsd.org
Message-Id: <20171209044454.EC9D360CA@freefall.freebsd.org>
Date: Sat, 9 Dec 2017 04:44:54 +0000 (UTC)

=============================================================================
FreeBSD-SA-17:12.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2017-12-09
Affects:        All supported versions of FreeBSD.
Corrected:      2017-12-07 18:04:48 UTC (stable/11, 11.1-STABLE)
                2017-12-09 03:44:26 UTC (releng/11.1, 11.1-RELEASE-p6)
                2017-12-09 03:41:31 UTC (stable/10, 10.4-STABLE)
                2017-12-09 03:45:23 UTC (releng/10.4, 10.4-RELEASE-p5)
                2017-12-09 03:45:23 UTC (releng/10.3, 10.3-RELEASE-p26)
CVE Name:       CVE-2017-3737, CVE-2017-3738

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets
Layer (SSL) protocols. It is also a full-strength general purpose
cryptography library.

II.  Problem Description

Invoking SSL_read()/SSL_write() while in an error state causes data to be
passed without being decrypted/encrypted directly from the SSL/TLS record
layer.

In order to exploit this issue an application bug would have to be present
that resulted in a call to SSL_read()/SSL_write() being issued after having
already received a fatal error. [CVE-2017-3737]

There is an overflow bug in the x86_64 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. This only affects processors
that support the AVX2 but not ADX extensions like Intel Haswell (4th
generation). [CVE-2017-3738] This bug only affects FreeBSD 11.x.

III. Impact

Applications with incorrect error handling may inappropriately pass
unencrypted data. [CVE-2017-3737]

Mishandling of carry propagation will produce incorrect output, and make it
easier for a remote attacker to obtain sensitive private-key information.
No EC algorithms are affected and analysis suggests that attacks against RSA
and DSA as a result of this defect would be very difficult to perform and are
not believed likely.
Attacks against DH1024 are considered just feasible (although very difficult)
because most of the work necessary to deduce information about a private key
may be performed offline. The amount of resources required for such an attack
would be very significant and likely only accessible to a limited number of
attackers. However, for an attack on TLS to be meaningful, the server would
have to share the DH1024 private key among multiple clients, which is no
longer an option since CVE-2016-0701. [CVE-2017-3738]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch
# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch.asc
# gpg --verify openssl-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r326721
releng/10.3/                                                      r326723
releng/10.4/                                                      r326723
stable/11/                                                        r326663
releng/11.1/                                                      r326722
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From owner-freebsd-security@freebsd.org Sat Dec 9 07:05:56 2017
From: Franco Fichtner
Subject: Re: [FreeBSD-Announce] FreeBSD 11.0 end-of-life
Date: Sat, 9 Dec 2017 08:05:51 +0100
To: freebsd-security
In-Reply-To: <20171208192538.C5C4D1C234@freefall.freebsd.org>

Hi,

> On 8. Dec 2017, at 8:25 PM, FreeBSD Security Officer wrote:
>
> +--------------------------------------------------+-----------------------+
> |releng/11.1|11.1-RELEASE|n/a |July 26, 2017 |11.2-RELEASE + 3 months|
> +--------------------------------------------------+-----------------------+

Is there *any* indication when X + 3 is going to be?
Because as a downstream vendor X + 3 months usually translates to X,
because there is no time to prepare for any of this, especially when
swift adoption is enforced by upstream, e.g. by deprecated packages,
quarterly branch and locking users out of the ports tree.

To that end, https://www.freebsd.org/releng/index.html states:

> Upcoming Release Schedule
> NOTE: Release dates are approximate and may be subject to schedule slippage.
> As of 2017-10-03, the next release has not yet been announced.

Thank you,
Franco