From: Daniel Roethlisberger
To: freebsd-security@freebsd.org
Date: Fri, 4 Jul 2014 00:14:48 +0200
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <20140703221448.GA99094@calvin.ustdmz.roe.ch>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org>

Eitan Adler 2014-07-03:
> On 3 July 2014 07:57, Jonathan Anderson wrote:
> > Just my $.02, but if the FreeBSD project is to maintain a
> > ca-root-freebsd.pem, I think it should have one certificate in it: the root
> > FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> > trustworthiness of any CA, and I don't think the Project should either.
>
> Perhaps we should remove HTTPS support from libfetch and require the
> user to install wget or curl if they want to use SSL? Having a
> *default* certificate bundle (that could be removed / edited, of
> course) is not necessarily even making a trust claim about a
> particular cert. [0] IMHO the position where the majority of SSL on
> the internet is broken by default is not tenable.
>
> We support HTTP. We don't support HTTPS.

[...]

I share your view that there should be functional HTTPS capability in a
base install. It boggles my mind how it should be better to not support
HTTPS at all, or only unauthenticated HTTPS, than having to ship a
not-perfect CA bundle [1] which, while putting trust in some CAs that
don't deserve that trust, is still magnitudes more secure in any sense
of the word. If you compare the risk between HTTP only or
unauthenticated HTTPS, versus HTTPS with a browser's CA bundle, HTTPS
with a CA bundle wins whichever way you look at it.

I do agree that FreeBSD should not start maintaining its own CA bundle;
but personally I don't think it matters whether we use Mozilla's,
Google's or even Microsoft's CA bundle, as long as there is one included
in a base install and HTTPS is functional by default.

[1] There is no such thing as a perfect CA bundle (i.e. both secure
*and* usable) given how broken the whole CA system is these days.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/