From owner-freebsd-security@freebsd.org Thu Nov 12 01:05:50 2015
Date: Wed, 11 Nov 2015 17:05:48 -0800 (PST)
From: Roger Marquis
To: Leif Pedersen
cc: Robert Simmons, "freebsd-security@freebsd.org"
Subject: Re: OpenSSH HPN
References: <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <20151111014102.GQ65715@funkthat.com>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
List-Id: "Security issues [members-only posting]"

> Trustworthy networks do exist. They just aren't the same networks as 20
> years ago.

They do, of course, but is that really relevant considering how rare verifiably trustworthy networks are, particularly in light of what we know about NONE cipher usage?

The same logic applies to SCTP. It is little used, has been the source of multiple vulnerabilities, but still exists in GENERIC. Since both of these security issues can be easily compiled around, I only wonder why FreeBSD doesn't default to the more secure defaults.

Roger Marquis