From: "WhiteWinterWolf (Simon)"
To: Walter Parker, freebsd-security@freebsd.org
Subject: Re: freebsd-security Digest, Vol 634, Issue 3
Date: Thu, 19 Oct 2017 15:37:40 +0200
Message-ID: <26ffd1eb-d8c2-0fdd-da38-b9e3790144ad@whitewinterwolf.com>

Hi Walter,

On 18/10/2017 at 22:52, Walter Parker wrote:
> SMB has supported authentication signing for a long time (more than a
> decade). That can be used for basic security.
> SMB3 supports encryption. To work with SMB3 encryption you will need
> at least Windows 8.
> The Samba project supports SMB3 and many of the security features in
> it, but not share level encryption. Password authentication works with
> signing and encryption. Until Samba supports the new share encryption
> in SMB3, you will need to use something like stunnel (or an encrypted
> VPN) to enable the privacy features that come with encryption.
>
> What that means is that the newest versions of Samba can talk to newer
> Windows boxes with the authentication pieces (the username/password
> exchange) done with encryption to make exploitation much harder.

I agree with you. However, put it in context: the current thread is about a malicious user acting as man-in-the-middle between a user and a server storing potentially sensitive files (as I said in my previous answers, for non-sensitive files such as media files a read-only SMB/NFS/whatever is perfectly fine). The threat here is not someone attempting to log in to the file server. In this case, end-to-end encryption seems required to me (I don't want the content of personal or business-related documents to fall into the wrong hands).

As a side note, it may be worth highlighting that Samba actually offered SMB encryption *before* Microsoft, but Microsoft preferred to create its own solution that Samba must now copy. All details can be found in my answer to Benjamin in the same thread.

In this case, for low-tech people, I would tend to suggest using SFTP (password-based access is enough) instead of a stunneled SMB share, as I personally find it easier to set up and more efficient.

> Encryption on NFS appears to be by using stunnel or SSH to encrypt the
> data (or using a VPN).

Regarding NFS, Benjamin and Gary rightly highlighted that NFSv4 supports end-to-end authentication and encryption and is suitable for use over untrusted networks. However, I don't know if end-users' (and in particular Ronald's) NAS offers any easy-to-use NFSv4 feature. If this is the case, this is indeed a very interesting choice based purely on open standards, but I fear that there is no such feature, which leaves us again with SFTP.

Regards,
Simon.

-- 
WhiteWinterWolf
https://www.whitewinterwolf.com
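The two mitigations weighed in this exchange, mandatory signing plus encryption on the SMB side and an SFTP-only account on the SSH side, as a configuration example added here; it is not code from the thread, nor from the Samba or OpenSSH projects. The smb.conf and sshd_config parameter names are real documented options, but the values assume a Samba release that honours `smb encrypt` for the clients in question (how far Samba's encryption goes is exactly what the thread disputes); the `sftponly` group and the `/srv/sftp/%u` path are placeholders; and `audit_smb_conf` is a hypothetical helper that goes a step beyond the text by checking an existing smb.conf for the two on-path-relevant settings. The "weak" config it is run against is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: hardened Samba and sshd fragments for the
# on-path (MITM) threat discussed above, plus an smb.conf audit helper.

# smb.conf [global] fragment. Parameter names are real Samba options; whether
# "smb encrypt" yields SMB3-level encryption depends on the Samba release.
smb_hardened_conf() {
  cat <<'EOF'
[global]
    # refuse SMB1/SMB2 dialects, so a client cannot be downgraded to one
    # that negotiates weaker integrity protection
    server min protocol = SMB3
    # sign every packet: an on-path host cannot tamper with traffic undetected
    server signing = mandatory
    # encrypt every session: confidentiality for the file contents themselves
    smb encrypt = required
EOF
}

# sshd_config fragment for SFTP-only accounts (the alternative Simon prefers).
# SSH already gives end-to-end encryption, so password login is acceptable
# here; chroot + ForceCommand keep the account from becoming a shell or a
# tunnel endpoint. "sftponly" and /srv/sftp/%u are placeholder names.
sftp_only_sshd_conf() {
  cat <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# audit_smb_conf FILE: exit 0 if [global] enforces both mandatory signing and
# required encryption, 1 otherwise (hypothetical helper). Keys are lower-cased
# and stripped of whitespace, since Samba accepts "server signing" and
# "serversigning" alike; only the [global] section is considered.
audit_smb_conf() {
  awk -F= '
    /^[[:space:]]*[#;]/ { next }                       # comment line
    /^[[:space:]]*\[/ {                                 # section header
      sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next
    }
    sec == "global" && NF >= 2 {
      key = tolower($1); gsub(/[[:space:]]/, "", key)
      val = tolower($2); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (key == "serversigning") sign = val
      if (key == "smbencrypt")    enc  = val
    }
    END {
      ok = (sign == "mandatory" || sign == "required") &&
           (enc  == "required"  || enc  == "mandatory")
      exit (ok ? 0 : 1)
    }' "$1"
}

# Demo: the hardened fragment passes; a constructed config that leaves signing
# negotiable (the usual default posture) fails the audit.
demo() {
  hard=$(mktemp) && weak=$(mktemp) || return 1
  smb_hardened_conf > "$hard"
  printf '[global]\n    workgroup = WORKGROUP\n    server signing = auto\n' > "$weak"
  for f in "$hard" "$weak"; do
    if audit_smb_conf "$f"; then echo "$f: signing+encryption enforced"
    else echo "$f: NOT enforced, on-path tampering/eavesdropping possible"; fi
  done
  rm -f "$hard" "$weak"
}
demo
```

Run the audit against the server's real smb.conf (`testparm -s` output works too, since it prints the same key = value form) before trusting that a share is safe on an untrusted network; a missing `server signing` or `smb encrypt` line means the Samba default, which is negotiable rather than enforced.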