Date: Tue, 27 Mar 2018 08:41:02 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@pdx.rh.CN85.dnsmgr.net>
To: cem@freebsd.org
Cc: Benjamin Kaduk <bjkfbsd@gmail.com>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers <src-committers@freebsd.org>
Subject: Re: svn commit: r331618 - head/share/man/man7
Message-ID: <201803271541.w2RFf2YM052688@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <CAG6CVpWf5Vkz_ACsAOrzuPR9-4z8hR6ATxnePKpMuP_jLkvVRA@mail.gmail.com>
> Thinking of the network as attacker-controlled is fine, but without
> the CA certificate database in ports, TLS provides neither data
> integrity nor confidentiality.[0]
>
> Even with certificate validation, it's unlikely that TLS provides
> meaningful confidentiality for svn.freebsd.org - IP still exposes the
> server's address:
>
> $ host 8.8.178.107
> 107.178.8.8.in-addr.arpa domain name pointer svnmir.ysv.freebsd.org
>
> Even a naive network attacker can determine that you are interacting
> with a FreeBSD source mirror, and can determine the direction of the
> flow of information based on simple count of upload / download bytes.

Without the private part of the TLS they cannot alter that data, correct?
I know there are TLS intercepts, but they require you to get the client
to accept an alternate cert to proxy the connection.

> Best,
> Conrad
>
> P.S., we should probably ship a CA database in base. Maybe with an
> override version in ports to match our release model. But, base
> should be able to authenticate certificates out of the box.

I believe there is a group of people working on that issue some place,
or at least I recall seeing it as an agenda item.

> [0]: https://github.com/moxie0/sslsniff
>
> On Tue, Mar 27, 2018 at 8:01 AM, Benjamin Kaduk <bjkfbsd@gmail.com> wrote:
> > On Tue, Mar 27, 2018 at 9:57 AM, Rodney W. Grimes
> > <freebsd@pdx.rh.cn85.dnsmgr.net> wrote:
> >>
> >> > Author: trasz
> >> > Date: Tue Mar 27 14:51:19 2018
> >> > New Revision: 331618
> >> > URL: https://svnweb.freebsd.org/changeset/base/331618
...

-- 
Rod Grimes                                                 rgrimes@freebsd.org
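The point the two of them are circling (a client with no CA database cannot authenticate the server, so it either fails to connect or accepts any certificate, while a client with a trust store rejects a party that lacks the real private key) can be shown with TLS handshakes run entirely in memory. This is an added illustration, not code from the thread or from FreeBSD; it assumes the openssl CLI is on PATH and uses the constructed host name svn.example.org.

```python
import os, ssl, subprocess, tempfile

HOST = "svn.example.org"            # constructed name, not a real FreeBSD host

def make_self_signed(workdir, label):
    """Constructed test material: a throwaway self-signed cert for HOST, made with the openssl CLI."""
    key, crt = os.path.join(workdir, label + ".key"), os.path.join(workdir, label + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + HOST, "-addext", "subjectAltName=DNS:" + HOST,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def handshake(client_ctx, server_ctx):
    """Run one TLS handshake in memory; True if both sides finish, False if the client rejects."""
    to_client, to_server = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(to_client, to_server, server_hostname=HOST)
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)
    done = [False, False]
    for _ in range(10):                      # a few round trips suffice for TLS 1.2/1.3
        for i, side in enumerate((client, server)):
            try:
                if not done[i]:
                    side.do_handshake()
                    done[i] = True
            except ssl.SSLWantReadError:
                pass                         # needs the peer's next flight
            except ssl.SSLError:
                return False                 # e.g. CERTIFICATE_VERIFY_FAILED on the client
        if all(done):
            return True
    return False

def run_scenarios():
    """Map of client policy / server identity -> whether the handshake succeeded."""
    with tempfile.TemporaryDirectory() as d:
        real_key, real_crt = make_self_signed(d, "real")
        fake_key, fake_crt = make_self_signed(d, "impostor")   # impostor never holds real_key
        real, fake = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER), ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        real.load_cert_chain(real_crt, real_key)
        fake.load_cert_chain(fake_crt, fake_key)
        no_ca = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)        # verification on, trust store empty
        no_verify = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        no_verify.check_hostname, no_verify.verify_mode = False, ssl.CERT_NONE   # accept anyone
        trusted = ssl.create_default_context(cafile=real_crt)  # the CA database the thread asks for
        return {"no_ca/real": handshake(no_ca, real),
                "no_verify/real": handshake(no_verify, real),
                "no_verify/impostor": handshake(no_verify, fake),
                "trusted/real": handshake(trusted, real),
                "trusted/impostor": handshake(trusted, fake)}
```

The empty-trust-store client cannot connect at all, the non-verifying client connects just as happily to the impostor as to the real server, and only the client with a populated CA store distinguishes the two.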