From: Matthew Finkel
Date: Tue, 12 Dec 2017 04:08:29 +0000
To: Karl Denninger
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171212040829.2nn6etffkcentglm@localhost>
In-Reply-To: <63cb70da-4e6f-af20-af3a-9741afaf03b9@denninger.net>

On Mon, Dec 11, 2017 at 12:18:27PM -0600, Karl Denninger wrote:
>
> On 12/11/2017 12:08, Matthew Finkel wrote:
> > On Mon, Dec 11, 2017 at 05:34:48PM +0100, WhiteWinterWolf wrote:
> >
> >> This is a reason why I personally like software and system updates to be
> >> served through HTTP instead of HTTPS. You don't need to fetch the same
> >> update for each environment each time from the remote vendor's system,
> >> you just need them to be somehow signed by him to ensure their authenticity.
> > That's fine, you should have this ability if you understand the
> > risks/consequences, but this should not be forced on other users.
> It is NOT forced.  You can use SVN now over http OR https.

Yes, sorry, my mistake. I saw portsnap only uses http (with signed snapshots from mirrors), and I misread the website documentation (where it does specify https for `svn checkout https://[...]`). And no, I didn't look at the ticket first.

> >> This was just to give an example of why one would prefer to use HTTP
> >> over HTTPS, and how as highlighted by Karl Denninger a system which does
> >> too much may actually be harmful.
> > I disagree with this. The importance of message confidentiality doesn't
> > magically disappear because someone is retrieving public information.
> Again, let's target the actual problem.
>
> Advocating the FORCING of https is IMHO utterly ridiculous for the
> reasons I pointed out.

I understand why some people believe a resource should be available over http. It makes life easier in many situations. However, Yuri is correct: serving svn with http over the Internet is dangerous and should be discontinued. It is too easy for someone to make a mistake and check out the ports repo over http (if they type it by hand instead of copying and pasting it from the handbook). That being said, if users can check out the svn repos over an onion service, then the threat of tampering with the traffic in transit is mitigated. The simple and undeniable fact of this matter is users make mistakes.

As was already mentioned multiple times, the recent trend among organizations on this topic is disabling access over plaintext HTTP entirely. It's obvious FreeBSD is unwilling to follow this pattern based on the presumption "That isn't tenable, far too many people around the world have limited internet access as it is."[0] Sure.

[0] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224097#c3

>
> Today you CAN use https with svn if you wish.  You are not *forced* to.
> There are good reasons not to, including caching.  The problem with not
> knowing if what you got is authentic and not tampered with is simply not
> resolved by forcing https; it's an out-of-scope hack that fails to
> target the actual issue.

Correct. TLS accomplishes a different goal; it does not provide any guarantee about whether the data is authentic. It simply provides assurance the data was not tampered with in transit, and it significantly increases the probability that none of the intermediate parties learned what data was transmitted.

>
> A forced election of something that doesn't actually solve the problem
> is IMHO a political argument rather than a technical one.  The issue of
> potentially-tampered-with source code not only can't be dealt with
> correctly through the use of https (at least not with the public CA
> infrastructure that "everyone" relies on for "pedestrian" https) there
> ARE other means of dealing with it correctly that do not require using
> https.

Yes. On the other hand, code authenticity isn't the reason software projects use TLS. I fully agree another mechanism should be put in place for this. Whether hacking a Merkle Hash Tree on top of SVN is the correct decision is an entirely different discussion.

> That's where attention should be focused.
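The thread above separates transport integrity (TLS) from content authenticity (a signed snapshot, or a hash tree whose root is published through a trusted channel). The following is an added illustration, not code from this message or from FreeBSD: it builds a Merkle hash tree over a constructed, placeholder file set, assumes the root hash reaches the client out of band (for example signed, as portsnap snapshots are), and shows that a file fetched over an untrusted mirror is accepted or rejected on content alone, whichever transport carried it.

```python
import hashlib
# Constructed sample checkout (placeholder contents, not real ports tree files): path -> bytes
FILES = {
    "Mk/bsd.port.mk": b"# shared port build logic (placeholder)\n",
    "security/openssl/Makefile": b"PORTNAME=\topenssl\nPORTVERSION=\tX.Y.Z\n",
    "security/openssl/distinfo": b"SHA256 (placeholder.tar.gz) = <placeholder>\n",
}

def leaf_hash(path: str, data: bytes) -> bytes:
    # Domain-separated leaf binding the path to its content, so one valid file cannot replace another
    return hashlib.sha256(b"leaf\0" + path.encode() + b"\0" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"node\0" + left + right).digest()

def _levels(leaves):
    """Yield each tree level bottom-up; odd levels are padded by duplicating the last hash."""
    level = list(leaves)
    while True:
        if len(level) > 1 and len(level) % 2:
            level.append(level[-1])
        yield level
        if len(level) == 1:
            return
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def tree_leaves(files: dict) -> list:
    return [leaf_hash(p, files[p]) for p in sorted(files)]

def merkle_root(files: dict) -> bytes:
    # Computed once by the publisher and distributed through a trusted (signed) channel
    return list(_levels(tree_leaves(files)))[-1][0]

def inclusion_proof(files: dict, path: str) -> list:
    """Sibling hashes from leaf to root as (hash, sibling_is_on_the_right); served by any mirror."""
    index, proof = sorted(files).index(path), []
    for level in _levels(tree_leaves(files)):
        if len(level) == 1:
            break
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify_file(path: str, data: bytes, proof: list, trusted_root: bytes) -> bool:
    """Recompute the root from one fetched file plus its proof and compare with the root
    learned out of band; a modified file or swapped path fails whatever transport was used."""
    h = leaf_hash(path, data)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == trusted_root
```

A client that trusts only the root can fetch files and proofs from any cache or http mirror and still detect modification; the root itself still needs a signature or another trusted path to the publisher.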