From owner-freebsd-security@FreeBSD.ORG Fri Jul 4 07:04:48 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5B71D69F; Fri, 4 Jul 2014 07:04:48 +0000 (UTC)
Received: from h2.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "funkthat.com", Issuer "funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 3776F26F6; Fri, 4 Jul 2014 07:04:47 +0000 (UTC)
Received: from h2.funkthat.com (localhost [127.0.0.1]) by h2.funkthat.com (8.14.3/8.14.3) with ESMTP id s6474j7K002767 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 4 Jul 2014 00:04:46 -0700 (PDT) (envelope-from jmg@h2.funkthat.com)
Received: (from jmg@localhost) by h2.funkthat.com (8.14.3/8.14.3/Submit) id s6474jDU002766; Fri, 4 Jul 2014 00:04:45 -0700 (PDT) (envelope-from jmg)
Date: Fri, 4 Jul 2014 00:04:45 -0700
From: John-Mark Gurney
To: Mark Felder
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <20140704070445.GY45513@funkthat.com>
Mail-Followup-To: Mark Felder, freebsd-security@freebsd.org
References: <53B499B1.4090003@delphij.net> <5c02fe3098089bf6d58834a66f2eeba7@mail.feld.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5c02fe3098089bf6d58834a66f2eeba7@mail.feld.me>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 7.2-RELEASE i386
X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396
X-Files: The truth is out there
X-URL: http://resnet.uoregon.edu/~gurney_j/
X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html
X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger?
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.2 (h2.funkthat.com [127.0.0.1]); Fri, 04 Jul 2014 00:04:46 -0700 (PDT)
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Fri, 04 Jul 2014 07:04:48 -0000

Mark Felder wrote this message on Thu, Jul 03, 2014 at 14:16 +0000:
> There is always going to be skepticism about who to trust by default. The CA system is out of control and it worries me as well. However, if we do not make an effort to provide a default trust store, why do we enforce verification by default? I feel it would be more consistent to disable verification, requiring those who know what they're doing to create their own trust store and pass --verify-peer to fetch manually. I'm on the verge of breaking my keyboard every time I jump onto a random FreeBSD server and try to fetch something over https.
>
> --no-verify-peer is now muscle memory; that isn't a good sign. I eagerly await verification through DNSSEC to take off.

Maybe an interesting compromise, if there is no symlink/root-of-trust cert(s), is to issue a warning but go ahead anyways as if --no-verify-peer were specified? That is assuming we don't install one by default...

I normally use wget, which has the same issue, so I usually spell it --no-check-certificate...

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
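The thread above weighs two failure modes for an https fetch on a host with no trust store: fail closed (which trains people to type --no-verify-peer reflexively) or warn and proceed unverified. The small POSIX sh helper below is an added example, not code from the thread or from FreeBSD; it shows a third shape a wrapper can take: look for a usable CA bundle, and when none is found emit the warning but stop rather than silently dropping verification, so the downgrade stays an explicit decision by the caller. The candidate paths /etc/ssl/cert.pem and /usr/local/share/certs/ca-root-nss.crt, the fetch(1) --ca-cert option used in the usage comment, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original message): decide whether an https
# fetch can be verified against a local root of trust before running it.

# find_ca_bundle PATH...
# Prints the first path that exists, is non-empty and contains at least one
# PEM certificate; returns 1 when no usable bundle is found.
find_ca_bundle() {
    for f in "$@"; do
        if [ -s "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# fetch_verify_flags PATH...
# Prints the verification flag to pass to fetch(1) (assumed here to be
# --ca-cert=FILE). With no bundle it warns on stderr and returns 2 instead of
# substituting --no-verify-peer, so the caller has to opt into the downgrade.
fetch_verify_flags() {
    bundle=$(find_ca_bundle "$@") || {
        echo "warning: no CA trust store found (checked: $*);" \
             "refusing to fetch over https without verification" >&2
        return 2
    }
    printf '%s\n' "--ca-cert=$bundle"
    return 0
}

# Usage (assumed paths; the first is what the proposal would install):
#   . ./cafind.sh
#   flags=$(fetch_verify_flags /etc/ssl/cert.pem \
#                              /usr/local/share/certs/ca-root-nss.crt) \
#       && fetch "$flags" https://example.org/file.tar.gz
```

Because the helper returns a distinct status (2) for "no trust store" and a different one for a fetch failure, a script can tell the two apart and log the missing bundle rather than papering over it.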