From owner-freebsd-security@freebsd.org Fri Dec 8 14:26:43 2017 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 735FDE84BFF for ; Fri, 8 Dec 2017 14:26:43 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id DD8C773EC0 for ; Fri, 8 Dec 2017 14:26:42 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: by mail-lf0-x230.google.com with SMTP id x20so12104297lff.1 for ; Fri, 08 Dec 2017 06:26:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=JaiOpFkWj+c51HKqbxtBxMciam1sh6peEysw4rOPLvI=; b=Aa2txrKRsn7TTrW5hGKg0k3Ogv3x18rgUwkeFhaMYsMJTSUSC/DvSIXy14ZQxH73Wt Gczu7y0Hx2CBnfFD1mJRmV0U/zJzrLWWTgF8aojj2w8inK6RxmSaMkksH4aq8zBi6Rxn OhHThDJ3sseYj0J9LHkPH1nS+E38iviR6rze2FTcJmL0cMr5sw6K4vx3NVuX46kBujXZ 0swV3uQQzsDv4/6mnjImpf03/oaIBn0mHhl3pAo2YbxpeBvMcFU0JnklFrsuXbUF5p6J IuznTqvxQ2pA/eFwkyykB5uagfak0vk5NWp43X1N9fO/Y3HJIpoGXvMSLmQrejn71fie tYYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=JaiOpFkWj+c51HKqbxtBxMciam1sh6peEysw4rOPLvI=; b=r0b3dBOi/fLnkHvmKG9Mtc86QqOSyB9TGvz1ylgC2KbiEiCnoj+OU4LVWfDSKN+YAB z25jQ+CIU9RIpjTG9OApQ3GUhjbClISxU993F9SztkcRQ7D3weXJ2p3WZDnCjZWh+3su 5KmYftGAz+nyWLREj0O/UZy6VGfW2IKp2bLLcjzKTPTEQRDjUJOCxRpL3eZFOQlmWlfD WB8AZHYcO5AAObxYSyXWZnbxzMVSLOlKn91n9ENUGsCgNnh8u50a62I01aWxnr7JDefr lp3uqSF0eLxEKCLI0P9IZk6xUEgjeOGgbWlY74QhSs9K8qCQ+gVZbgA3po3mT+YH49PP ZIWw== X-Gm-Message-State: AJaThX6WhNTAh3xNVQkFj6IbJy2aXbS/PbEkpuMvxx7MhQWZ5p2Vx3WF WJsiGJ3x3XblAPXuNvm5+mgLygxHbaM= X-Google-Smtp-Source: AGs4zMbrXQ3fKegKjnJUMJbNZoCrVvN8FJ/LZc4hrUMu81SILDM0nJTpTIaCRPbfrD/raOw4rKdphQ== X-Received: by 10.25.100.18 with SMTP id y18mr15377681lfb.187.1512743200559; Fri, 08 Dec 2017 06:26:40 -0800 (PST) Received: from mutt-hbsd (exit0.liskov.tor-relays.net. [149.56.223.241]) by smtp.gmail.com with ESMTPSA id f67sm1460844lfb.20.2017.12.08.06.26.35 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 08 Dec 2017 06:26:39 -0800 (PST) Date: Fri, 8 Dec 2017 09:26:16 -0500 From: Shawn Webb To: Poul-Henning Kamp Cc: TJ Varghese , Dag-Erling Sm??rgrav , Dewayne Geraghty , Gordon Tetlow , freebsd-security@freebsd.org Subject: Re: http subversion URLs should be discontinued in favor of https URLs Message-ID: <20171208142616.u56ntsf4zx5ns2ey@mutt-hbsd> References: <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <24153.1512513836@critter.freebsd.dk> <1C30FE91-753A-47A4-9B33-481184F853E1@tetlows.org> <867etyzlad.fsf@desk.des.no> <1291.1512658230@critter.freebsd.dk> <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com> <3914.1512742033@critter.freebsd.dk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="bpuxygqdswlgqzb7" Content-Disposition: inline In-Reply-To: <3914.1512742033@critter.freebsd.dk> X-Operating-System: FreeBSD mutt-hbsd 12.0-CURRENT FreeBSD 12.0-CURRENT X-PGP-Key: http://pgp.mit.edu/pks/lookup?op=vindex&search=0x6A84658F52456EEE User-Agent: NeoMutt/20171027 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 14:26:43 -0000 --bpuxygqdswlgqzb7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Dec 08, 2017 at 02:07:13PM +0000, Poul-Henning Kamp wrote: > -------- > In message <2a8d9a0a-7a64-2dde-4e53-77ee52632846@tjvarghese.com>, TJ Varg= hese w > rites: >=20 > >I'm curious as to your take on electronic banking. >=20 > Good security is not "all or nothing", it is a carefully calibrated > application of security measures to the problem at hand. >=20 > By forcing all web-traffic onto HTTPS, the rabid IT-liberalist has > put governments in a position where they either have to break HTTPS > traffic open or give up on having a working criminal justice system. >=20 > Anybody with a daughter knows what that dice will roll. >=20 > If you've ever read Clausewitz, you will recognize this strategy > as really stupid: *Never* put your enemy in a position where their > only option is to defeat you. >=20 > Various governments are going about this in different ways, some > force a trojan root-cert on all their citzens, others pass law > where you can be jailed indefinitely until you hand over your > passwords, others again try force the IT-industry to "ensure > legal access". >=20 > Unfortunately this happens with little or no intelligent and > cooperative input from the IT-community, who seem hell-bent > on their "all or nothing" strategy. >=20 > I personally preferred it back when HTTPS was tolerated by governments, > because everybody could see that banking and e-commerce needed it, > over the situation now, where HTTPS is so trojaned, that my webbank > is no longer trustworthy via HTTPS. It really is a sad state that governments feel they must subvert secure communications channels used by citizens. I agree with you there. Please note that this is likely to be my only contribution to this thread. What if FreeBSD generated its own CA for use with critical infrastructure, like the svn repo. The trusted CA certificate would be distributed via multiple means: in the src tree and on the website. It would get installed on user's systems. The CA cert could have a long lifetime, say twenty years. FreeBSD would use key material generated by its CA to secure the comms channel for the critical infrastructure. This key material would have a significantly shorter lifetime, perhaps six months or one year. Thus, the private key material for the CA only needs to come out of cold storage to generate new key material only periodically (hence why the CA cert can have a long lifetime). This would accompish multiple goals: 1. It would secure the comms channels for critical infrastructure. 2. It would prevent FreeBSD from being tied to existing CAs, which could be compromised or coerced into misbehaving. 3. It keeps FreeBSD in full control of their infrastructure. FreeBSD already distributes key material for use with pkg (and perhaps freebsd-update and portsnap (I don't know how those two work under-the-hood with regards to dsigs)). Distributing one more piece of key material isn't going to create much overhead. We at HardenedBSD use a similar method as proposed above for our binary updates. We use X.509 certificates to create a chain of trust for our binary updates for base. We maintain our own CA, with the CA cert having a lifetime of twenty years. The key material used to sign the update gets regenerated every year on January 1st, but has a thirteen-month lifespan. The CA key material resides on an encrypted flash drive, stored in a place that requires two signatures from two parties and two physical keys, only one of which I hold. Thanks, --=20 Shawn Webb Cofounder and Security Engineer HardenedBSD GPG Key ID: 0x6A84658F52456EEE GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE --bpuxygqdswlgqzb7 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEKrq2ve9q9Ia+iT2eaoRlj1JFbu4FAloqoQUACgkQaoRlj1JF bu5hOw/+KTkwMpcxGOYSk5jUbUOYFdQ+JqIiSQWKIEiiYlfhYFw/GCBhuMwyVq2l J4hKydkRFmgJWPnghkkQUnBkNu3r7s6BmbLmlaMn4rQU51z8Z5tnKT35N6YrmM9+ Xe5MoK/vvUgNVdUcxnNa59xlezFBt6XkE9YyV/0YWiuXMpjb5Ww5ST2/FJF1aN1p eaEnXZd3R8SLfv2DkFvPuUm/x7WAfBdPz10iMzAohA1RP5v/hPz5LOBT0djqv2w+ 0UZTh+YUGlj4dvfnLqIjZEET9pXXuDMmb7SoKJ5O7D2eS5vKPa8sI1LzPXQf3WbE hU0nThFoRqBoHK2YpBKEQk1gfd98fD5DMLzL4QRC2uXIG6qB9RgePWiwRUkQdXfi Vah3DookPCt/m+ydmaoSDLXwCFaigmMW3pQyrXt4odhio9rfmbkMTCWccv8gQmvR dQRXfO/WJ4s7eSL2AmCY/8RVMyjOMMEnIWKP3CJpgCxKqR0V07hDUHfUbEPSqPS7 qFEQs1JZFHyZw0f/tOrJ8/Wf2sU1R5C7tAH4JVnamIr6Z8lCnhPIatTj1qUwxZIQ /5nz8JLUQm9z3ivPrR/TSxCwkFYseS9FY/veNcmeIxSmYFEuKQyQVca293V3aQH4 /6S3/a2z9VgdQI1dw1UNmsx/B3jb2Ua25Oa2tgla8ZYbDIM0Was= =mFDi -----END PGP SIGNATURE----- --bpuxygqdswlgqzb7--