From: Matthew Finkel
Date: Fri, 8 Dec 2017 08:25:05 +0000
To: Poul-Henning Kamp
Cc: Yuri, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171208082503.cve4526nkwf7chef@localhost>
In-Reply-To: <1217.1512685566@critter.freebsd.dk>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk>

On Thu, Dec 07, 2017 at 10:26:06PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>, Yuri writes:
>
> >The unfortunate FreeBSD user who updated his source tree through
> >Tor [...]
>
> Why would anybody do that in the first place ?

Why doesn't everyone have that option? Why is broadcasting a user's information across the internet forced upon them? Shouldn't they have a choice?
I don't disagree the CA mafia model is a broken mess, but there is some work being done for this - so maybe the situation will be better in 5-10 years. But even with those improvements, I'd rather have updates served over a self-authenticating onion service than over a direct http connection.

I see five options: direct-http-connection, direct-https-connection, http-over-tor, https-over-tor, and http-over-onion. There is only one of these that does not require trusting the intermediate hops of the connection (or external third parties), and it guarantees the bits that went in at one end of the connection are the bits that come out the other end while not leaking sensitive information (metadata) along the path. As a concrete example, I encourage everyone to read why Debian chose exactly this solution[0][1].

It would be nice if all updates were available over onion, not only subversion, but subversion is a good starting point. Onion services accomplish the same basic goal as TLS (authentication, integrity, confidentiality) and they protect against targeting and profiling users. As a user, I care about all these problems.

Also, to Yuri's original point, you can ship a self-signed FreeBSD CA cert. Subversion supports using it, so besides getting the private keys on the mirrors there is little against doing it[2].

[0] https://blog.torproject.org/tor-heart-apt-transport-tor-and-debian-onions
[1] https://bits.debian.org/2016/08/debian-and-tor-services-available-as-onion-services.html
[2] http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.httpd.ssl
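As an added illustration of the last point (the client-side counterpart of the server-side setup that [2] covers; this is example configuration, not the author's or the FreeBSD project's, and the group name, mirror hostname and CA file path are assumptions), a Subversion `servers` file that trusts only a distribution-shipped CA for the mirror hosts, rather than whatever the system's default CA bundle happens to contain:

```ini
# ~/.subversion/servers (per user) or the site-wide subversion/servers file.
# Added example: the "mirrors" group, the hostname pattern and the CA path
# are placeholders, not project values.

[groups]
# Apply the pinned trust settings only to the mirror hosts, not to every
# https host the client ever talks to.
mirrors = svn.mirror.example, svn*.mirror.example

[mirrors]
# Trust certificates chaining to the shipped CA only (path is hypothetical).
ssl-authority-files = /usr/local/etc/ssl/svn-mirror-ca.pem
# Do not fall back to the platform's default CA bundle for these hosts:
# a certificate issued by any other public CA is rejected instead of accepted.
ssl-trust-default-ca = no
```

With `ssl-trust-default-ca = no` and a single authority file, a checkout from a host in the group succeeds only when the mirror presents a certificate chaining to the shipped CA; mis-issuance by an unrelated CA fails closed rather than being silently accepted. Hosts outside the group keep the default behaviour, so the pinning cannot break unrelated repositories.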