Date: Fri, 8 Dec 2017 08:25:05 +0000
From: Matthew Finkel <matthew.finkel@gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Yuri <yuri@rawbw.com>, freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171208082503.cve4526nkwf7chef@localhost>
In-Reply-To: <1217.1512685566@critter.freebsd.dk>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com> <1217.1512685566@critter.freebsd.dk>

On Thu, Dec 07, 2017 at 10:26:06PM +0000, Poul-Henning Kamp wrote:
> --------
> In message <2a6d123c-8ee5-8e1e-d99b-4bce02345308@rawbw.com>, Yuri writes:
>
> >The unfortunate FreeBSD user who updated his source tree through
> >Tor [...]
>
> Why would anybody do that in the first place ?

Why doesn't everyone have that option? Why is broadcasting a user's information across the internet forced upon them? Shouldn't they have a choice?

I don't disagree the CA mafia model is a broken mess, but there is some work being done for this - so maybe the situation will be better in 5-10 years. But even with those improvements, I'd rather have updates served over a self-authenticating onion service than over a direct http connection.

I see five options: direct-http-connection, direct-https-connection, http-over-tor, https-over-tor, and http-over-onion. There is only one of these that does not require trusting the intermediate hops of the connection (or external third parties) and it guarantees the bits that went in at one end of the connection are the bits that come out the other end while not leaking sensitive information (metadata) along the path.

As a concrete example, I encourage everyone to read why Debian chose exactly this solution[0][1]. It would be nice if all updates are available over onion, not only subversion, but subversion is a good starting point.

Onion services accomplish the same basic goal as TLS (authentication, integrity, confidentiality) and they protect against targeting and profiling users. As a user, I care about all these problems.

Also, to Yuri's original point, you can ship a self-signed FreeBSD CA cert. Subversion supports using it, so besides getting the private keys on the mirrors there is little against doing it[2].

[0] https://blog.torproject.org/tor-heart-apt-transport-tor-and-debian-onions
[1] https://bits.debian.org/2016/08/debian-and-tor-services-available-as-onion-services.html
[2] http://svnbook.red-bean.com/en/1.7/svn-book.html#svn.serverconfig.httpd.ssl
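
The last point of the message above (shipping a project CA certificate that Subversion clients trust) can be expressed in the Subversion client's `servers` run-time configuration file. This is an added example, not part of the original e-mail or of any FreeBSD configuration; the host name `svn.example.org` and the CA file path are placeholders.

```ini
# ~/.subversion/servers (Subversion client run-time configuration)
# Added example: host pattern and CA file path below are placeholders.

[groups]
# Server group, matched against the repository host name.
project = svn.example.org

[project]
# Trust the project's own self-signed CA certificate for this host.
ssl-authority-files = /usr/local/etc/ssl/project-ca.pem
# Do not fall back to the default public CA bundle for this host, so a
# certificate issued by any other CA is treated as untrusted.
ssl-trust-default-ca = no

[global]
# Leave default CA trust in place for every other server.
ssl-trust-default-ca = yes
```

With this group in place, the server certificate for that host is validated against the shipped CA file alone, and in non-interactive mode an untrusted certificate makes the operation fail. The CA file itself has to reach the client over a channel the user already trusts, for example as part of the installed system.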