Date:      Mon, 18 May 2015 20:55:15 +0200
From:      Dan Lukes <dan@obluda.cz>
To:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: Forums.FreeBSD.org - SSL Issue?
Message-ID:  <555A3593.3010306@obluda.cz>
In-Reply-To: <1431972278.2880231.271899561.7D0CC1CF@webmail.messagingengine.com>
References:  <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> <555A228B.8080807@obluda.cz> <1431972278.2880231.271899561.7D0CC1CF@webmail.messagingengine.com>

On 05/18/15 20:04, Mark Felder:
> Fetch also doesn't have a certificate trust store out of the box.

Neither fetch (nor the SSL protocol itself) claims there is one here.

> FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this
> behavior in fetch. If you add this to your base system image you can
> lock this down pretty reliably.

I'm not using fetch for transfer of secure data at all. But yes, the
countermeasures you described can be part of the SA I'm calling for.

> Keep in mind that changing this default behavior in fetch would be a
> POLA violation and possibly break scripts for countless users.
> Comparatively, is the forums HTTPS also a POLA violation? Maybe! I can't
> decide. :-(

If I am called to decide between POLA being violated and security
being violated, I will vote for the POLA violation every time. Security
has a higher priority to be maintained. I'm sure it's not necessary to
compare the possible damages of those two scenarios.

And no user script can break in advance. No system will change
behavior unless upgraded to a patched version by a responsible admin. He
should be allowed to configure the patched system to start fetch in the former
"security violation" mode (but not by default) if that fits
his wishes better.

I consider it better than silence about the issue.

But to tell the truth, it's not my war - and no one seems to be with me here ;-)

I have my own source repository with custom system patches, so I'm not tied
to "official" decisions. No offense to the FreeBSD team in any way! I'm just
not an average user. ;-)


Dan




