From owner-freebsd-security@FreeBSD.ORG Wed Nov 30 18:42:57 2005
X-Original-To: freebsd-security@FreeBSD.org
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1EA716A41F for ; Wed, 30 Nov 2005 18:42:56 +0000 (GMT) (envelope-from netchild@FreeBSD.org)
Received: from www.ebusiness-leidinger.de (jojo.ms-net.de [84.16.236.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6AD2F43D62 for ; Wed, 30 Nov 2005 18:42:55 +0000 (GMT) (envelope-from netchild@FreeBSD.org)
Received: from Andro-Beta.Leidinger.net (p54A5E727.dip.t-dialin.net [84.165.231.39]) (authenticated bits=0) by www.ebusiness-leidinger.de (8.13.1/8.13.1) with ESMTP id jAUIGGmV013721; Wed, 30 Nov 2005 19:16:17 +0100 (CET) (envelope-from netchild@FreeBSD.org)
Received: from Magellan.Leidinger.net (Magellan.Leidinger.net [192.168.1.1]) by Andro-Beta.Leidinger.net (8.13.3/8.13.3) with ESMTP id jAUIgoYB017097; Wed, 30 Nov 2005 19:42:50 +0100 (CET) (envelope-from netchild@FreeBSD.org)
Date: Wed, 30 Nov 2005 19:42:50 +0100
From: Alexander Leidinger
To: Peter Jeremy
Message-ID: <20051130194250.255d2e18@Magellan.Leidinger.net>
In-Reply-To: <20051130181530.GE32006@cirb503493.alcatel.com.au>
References: <20051127182116.GA30426@cirb503493.alcatel.com.au> <000e01c5f410$2de67820$1300110a@pooptop> <20051130144343.od5die60gsw4k0k0@netchild.homeip.net> <20051130181530.GE32006@cirb503493.alcatel.com.au>
Organization: FreeBSD
X-Mailer: Sylpheed-Claws 1.9.100 (GTK+ 2.8.7; i386-portbld-freebsd7.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new
X-Mailman-Approved-At: Wed, 30 Nov 2005 18:45:05 +0000
Cc: freebsd-security@FreeBSD.org, Kurt Seifried
Subject: Re: Reflections on Trusting Trust
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 30 Nov 2005 18:42:57 -0000

On Thu, 1 Dec 2005 05:15:30 +1100
Peter Jeremy wrote:

> On Wed, 2005-Nov-30 14:43:43 +0100, Alexander Leidinger wrote:
> >Kurt Seifried wrote:
> >
> >>should have people upload their keys. On another note I am available
> >>to sign PGP keys (proving your key/identity is an exercise left to
> >>the reader =),
> >
> >or to the signer... the keys are available in the handbook (either from
> >www.freebsd.org or in raw from http://cvsweb.freebsd.org/doc)
>
> But how do I know that the data I download from *.freebsd.org hasn't
> been tampered with? Either by a MITM attack between me and the real
> *.freebsd.org site or a DNS attack redirecting me to a third site.
> This was the nub of my original posting.

Yes, I know. But if you get the same *wrong* data (for the PGP keys it's
relatively easy to verify) from several locations (cvsup*.FreeBSD.org +
cvsweb.freebsd.org + www.freebsd.org, don't forget to check if they point
to a reasonable number of different IPs; the printed handbook and the
handbook on the release CDs), then you have other things to worry about...

> > And AFAIK this is all PGP is supposed to verify, that the person
> >behind "user@example.tld" is the same as the person with access to the
> >secret key for this address.
>
> PGP is susceptible to MITM attacks - Ann asks Bruce for his public
> key. Mallory intercepts the request and substitutes his own public
> key. He can then intercept, alter and re-sign following exchanges so
> neither Ann nor Bruce realise they have an intruder.

Yes, in theory. In practice there's a point where you either say "I trust
this", or you say "if I can't trust this from this point on, I don't have
to worry about it, since I'm busted already". See above.

> >But this assumes the signer trusts the FreeBSD.org security:
> > If you don't trust the FreeBSD Project you wouldn't run FreeBSD.
> > > Without ssh access there's no way to insert a key into the CVS
> >repository.
>
> Assuming no security holes in the infrastructure... How can I tell

Yes.

> that my private copy of the FreeBSD Project's CVS repository is the
> same as the one on whatever.FreeBSD.org?

Assuming enough resources: ATM only by downloading all and diffing them.
If they all match, you are either busted already since the attacker
controls too much, or you can say the probability is high enough that you
got a copy of the original repository.

Bye,
Alexander.

--
http://www.Leidinger.net                Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
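The cross-check Alexander describes above (the same key pulled from several *.freebsd.org hosts, with a look at whether those hosts actually sit behind different IPs, then compared against the fingerprint printed in the handbook or on the release CD) as an added Python example. This is not code from the thread or from the FreeBSD Project. The key integers, the host-to-IP mapping and the fetch results are constructed for the demonstration; the fingerprint computation itself follows RFC 4880 (SHA-1 over 0x99, the two-byte body length and the public-key packet body) and the `cross_check` helper is generic enough to take a tarball hash instead of a key fingerprint, which covers the repository-diffing case at the end of the message as well.

```python
"""Cross-check copies of an OpenPGP public key fetched from several sources.

Added example for this thread; not code from the FreeBSD Project.  All key
material, IP addresses and fetch results below are constructed for the demo.
"""
import hashlib
from collections import defaultdict


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2): 2-byte bit count, big-endian magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")


def build_v4_rsa_pubkey_packet(n: int, e: int, created: int = 0) -> bytes:
    """Build an old-format v4 RSA public-key packet (tag 6, RFC 4880 5.5.2) with a 2-byte length."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    header = bytes([0x80 | (6 << 2) | 1]) + len(body).to_bytes(2, "big")  # 0x99 LL LL
    return header + body


def v4_fingerprint(packet: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, body; 40 upper-case hex digits."""
    tag = packet[0]
    if not tag & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag & 0x40:
        raise ValueError("new-format packet headers are not handled by this example")
    if (tag >> 2) & 0x0F != 6:
        raise ValueError("not a public-key packet (tag 6)")
    ltype = tag & 0x03
    if ltype == 3:
        raise ValueError("indeterminate packet length")
    hdr_len = 1 + (1 << ltype)                       # 1-, 2- or 4-byte length field
    body_len = int.from_bytes(packet[1:hdr_len], "big")
    body = packet[hdr_len:hdr_len + body_len]
    if len(body) != body_len or body[:1] != b"\x04":
        raise ValueError("truncated packet or not a v4 key")
    return hashlib.sha1(b"\x99" + body_len.to_bytes(2, "big") + body).hexdigest().upper()


def format_fingerprint(fpr: str) -> str:
    """Group into 4-digit blocks, the form printed in the handbook and in mail signatures."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def cross_check(copies, reference=None, digest=v4_fingerprint):
    """Compare copies of one artifact fetched from several sources.

    copies:    list of (source_name, source_ip, raw_bytes)
    reference: optional out-of-band value (printed handbook, release CD), spaced or not
    digest:    function mapping raw bytes to a comparable string; v4_fingerprint for
               key packets, a hash of a repository tarball for the repo-diffing case
    Agreement is only worth something if the agreeing sources sit behind different
    IPs, so the number of distinct IPs is reported next to the majority value.
    """
    by_digest = defaultdict(list)
    for name, ip, data in copies:
        by_digest[digest(data)].append((name, ip))
    majority, agreeing = max(by_digest.items(), key=lambda kv: len(kv[1]))
    report = {
        "majority": majority,
        "agreeing_sources": [name for name, _ in agreeing],
        "distinct_ips": len({ip for _, ip in agreeing}),
        "dissenters": {d: [name for name, _ in srcs] for d, srcs in by_digest.items() if d != majority},
        "matches_reference": None,
    }
    if reference is not None:
        report["matches_reference"] = reference.replace(" ", "").upper() == majority
    return report


# Constructed key material: neither integer is a real RSA modulus.
GENUINE = build_v4_rsa_pubkey_packet(0xC0FFEE1234567890FEDCBA9876543210ABCDEF0123456789, 65537)
SUBSTITUTE = build_v4_rsa_pubkey_packet(0xBADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0BADC0DE0, 65537)

# Constructed fetch results (RFC 5737 documentation addresses).  Two sources resolve to the
# same IP, so they are not independent; one copy was swapped somewhere on the path.
COPIES = [
    ("www.freebsd.org", "203.0.113.10", GENUINE),
    ("cvsweb.freebsd.org", "203.0.113.10", GENUINE),
    ("cvsup1.freebsd.org", "198.51.100.7", GENUINE),
    ("release CD handbook", "offline", GENUINE),
    ("cvsup2.freebsd.org", "192.0.2.44", SUBSTITUTE),
]

if __name__ == "__main__":
    # Stands in for the fingerprint typed in from the printed handbook.
    printed = format_fingerprint(v4_fingerprint(GENUINE))
    report = cross_check(COPIES, reference=printed)
    print("majority  :", format_fingerprint(report["majority"]), "from", report["distinct_ips"], "distinct IPs")
    print("reference :", "matches" if report["matches_reference"] else "MISMATCH")
    for fpr, names in report["dissenters"].items():
        print("dissenting:", format_fingerprint(fpr), names)
```

Two sources behind one IP count once, which is the "reasonable number of different IPs" point from the message: a DNS or routing attack that steers every name to one box produces unanimous, worthless agreement. The out-of-band reference (printed handbook, CD) is the only input an on-path attacker cannot rewrite, so a majority that disagrees with it is the case that should stop you.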