Date: Fri, 8 Dec 2017 09:26:16 -0500 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Poul-Henning Kamp <phk@phk.freebsd.dk> Cc: TJ Varghese <tj@tjvarghese.com>, Dag-Erling Sm??rgrav <des@des.no>, Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>, Gordon Tetlow <gordon@tetlows.org>, freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <20171208142616.u56ntsf4zx5ns2ey@mutt-hbsd> In-Reply-To: <3914.1512742033@critter.freebsd.dk> References: <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> <3914.1512742033@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
--bpuxygqdswlgqzb7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Dec 08, 2017 at 02:07:13PM +0000, Poul-Henning Kamp wrote: > -------- > In message <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com>, TJ Varg= hese w > rites: >=20 > >I'm curious as to your take on electronic banking. >=20 > Good security is not "all or nothing", it is a carefully calibrated > application of security measures to the problem at hand. >=20 > By forcing all web-traffic onto HTTPS, the rabid IT-liberalist has > put governments in a position where they either have to break HTTPS > traffic open or give up on having a working criminal justice system. >=20 > Anybody with a daughter knows what that dice will roll. >=20 > If you've ever read Clausewitz, you will recognize this strategy > as really stupid: *Never* put your enemy in a position where their > only option is to defeat you. >=20 > Various governments are going about this in different ways, some > force a trojan root-cert on all their citzens, others pass law > where you can be jailed indefinitely until you hand over your > passwords, others again try force the IT-industry to "ensure > legal access". >=20 > Unfortunately this happens with little or no intelligent and > cooperative input from the IT-community, who seem hell-bent > on their "all or nothing" strategy. >=20 > I personally preferred it back when HTTPS was tolerated by governments, > because everybody could see that banking and e-commerce needed it, > over the situation now, where HTTPS is so trojaned, that my webbank > is no longer trustworthy via HTTPS. It really is a sad state that governments feel they must subvert secure communications channels used by citizens. I agree with you there. Please note that this is likely to be my only contribution to this thread. What if FreeBSD generated its own CA for use with critical infrastructure, like the svn repo. The trusted CA certificate would be distributed via multiple means: in the src tree and on the website. It would get installed on user's systems. The CA cert could have a long lifetime, say twenty years. FreeBSD would use key material generated by its CA to secure the comms channel for the critical infrastructure. This key material would have a significantly shorter lifetime, perhaps six months or one year. Thus, the private key material for the CA only needs to come out of cold storage to generate new key material only periodically (hence why the CA cert can have a long lifetime). This would accompish multiple goals: 1. It would secure the comms channels for critical infrastructure. 2. It would prevent FreeBSD from being tied to existing CAs, which could be compromised or coerced into misbehaving. 3. It keeps FreeBSD in full control of their infrastructure. FreeBSD already distributes key material for use with pkg (and perhaps freebsd-update and portsnap (I don't know how those two work under-the-hood with regards to dsigs)). Distributing one more piece of key material isn't going to create much overhead. We at HardenedBSD use a similar method as proposed above for our binary updates. We use X.509 certificates to create a chain of trust for our binary updates for base. We maintain our own CA, with the CA cert having a lifetime of twenty years. The key material used to sign the update gets regenerated every year on January 1st, but has a thirteen-month lifespan. The CA key material resides on an encrypted flash drive, stored in a place that requires two signatures from two parties and two physical keys, only one of which I hold. Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --bpuxygqdswlgqzb7 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAloqoQUACgkQaoRlj1JF bu5hOw/+KTkwMpcxGOYSk5jUbUOYFdQ+JqIiSQWKIEiiYlfhYFw/GCBhuMwyVq2l J4hKydkRFmgJWPnghkkQUnBkNu3r7s6BmbLmlaMn4rQU51z8Z5tnKT35N6YrmM9+ Xe5MoK/vvUgNVdUcxnNa59xlezFBt6XkE9YyV/0YWiuXMpjb5Ww5ST2/FJF1aN1p eaEnXZd3R8SLfv2DkFvPuUm/x7WAfBdPz10iMzAohA1RP5v/hPz5LOBT0djqv2w+ 0UZTh+YUGlj4dvfnLqIjZEET9pXXuDMmb7SoKJ5O7D2eS5vKPa8sI1LzPXQf3WbE hU0nThFoRqBoHK2YpBKEQk1gfd98fD5DMLzL4QRC2uXIG6qB9RgePWiwRUkQdXfi Vah3DookPCt/m+ydmaoSDLXwCFaigmMW3pQyrXt4odhio9rfmbkMTCWccv8gQmvR dQRXfO/WJ4s7eSL2AmCY/8RVMyjOMMEnIWKP3CJpgCxKqR0V07hDUHfUbEPSqPS7 qFEQs1JZFHyZw0f/tOrJ8/Wf2sU1R5C7tAH4JVnamIr6Z8lCnhPIatTj1qUwxZIQ /5nz8JLUQm9z3ivPrR/TSxCwkFYseS9FY/veNcmeIxSmYFEuKQyQVca293V3aQH4 /6S3/a2z9VgdQI1dw1UNmsx/B3jb2Ua25Oa2tgla8ZYbDIM0Was= =mFDi -----END PGP SIGNATURE----- --bpuxygqdswlgqzb7--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20171208142616.u56ntsf4zx5ns2ey>