From: Gordon Tetlow <gordon@tetlows.org>
To: Peter Wemm
Cc: Yuri, freebsd-security@freebsd.org, RW, Igor Mozolevsky
Date: Thu, 14 Dec 2017 21:04:30 -0800
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171215050430.GT9701@gmail.com>
In-Reply-To: <34c748a4-acc5-f80b-29b7-7554389fa44c@wemm.org>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On Wed, Dec 13, 2017 at 01:29:26PM -0800, Peter Wemm wrote:
> On 12/12/17 5:38 PM, Yuri wrote:
> > On 12/12/17 16:37, Peter Wemm wrote:
> >> I think you're missing the point.  It is a sad reality that SSL/TLS
> >> corporate (and ISP) MITM exists and is enforced on a larger scale than
> >> we'd like.  But it is there, and when mandated/enforced you have to go
> >> through the MITM appliance, or not connect at all.  Private CAs
> >> generally break those appliances - an unfortunate FreeBSD user in this
> >> situation is cut off.  How is this better?
> >
> > This is certainly better for users because it informs the user. Now he
> > has a choice to use a special override key to use MITMed https anyway
> > or refuse, vs. with http he is not informed.
>
> You misunderstand the problem.
>
> A well-behaving corporate with TLS MITM will *block* connections to the
> freebsd-ca signed services as they will fail its validation.
>
> The user is left with:
> * can't connect on 443 (proxy blocks failed validations), or
> * can't connect on 80 (because you don't like people having options).
> .. which leads to stop using FreeBSD.

I'm going to put my SO hat on here for a second, put on the flame
retardant suit, and make the following statement:

I want to move the default for svn to be HTTPS. This would mean setting
up a redirect on http://svn.freebsd.org -> https://svn.freebsd.org. For
those people that are unable (for whatever reason) to use HTTPS, we can
make a vhost they are able to use HTTP on. I would suggest something
like: http://i-love-waffles-and-svn-over-http.freebsd.org. (Waffles are
awesome.)

The CA for this HTTPS server should be the standard publicly trusted CA
we use for everything (Let's Encrypt). We can debate the brokenness of
the current CA system (and I completely agree there is a ton of
brokenness there), but it is the system we have today. We should follow
industry best practice here. Running a Root CA brings a huge amount of
baggage and we are not mature enough in policy to build in a manner that
would align with established practice for running a Root CA.

Gordon
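The scheme Gordon proposes above (HTTP on the main name redirects to HTTPS, a publicly trusted Let's Encrypt certificate on the HTTPS side, and a separately named plain-HTTP vhost as an explicit opt-out) can be laid out as three server blocks. The configuration below is an added example written for this page, not the FreeBSD cluster's actual configuration; the choice of nginx, the certificate and webroot paths, the backend address 127.0.0.1:8080 and the log file path are all assumptions, while the two hostnames are the ones named in the message.

```nginx
# Added example, not FreeBSD project configuration. Hostnames come from
# the message; nginx, all file paths and the backend address are assumed.

# 1. Plain-HTTP listener for the main name. Every request becomes a
#    permanent redirect to HTTPS, so no repository data is served in
#    cleartext under this name. The ACME http-01 challenge path stays
#    reachable over plain HTTP so Let's Encrypt renewals keep working
#    (nginx picks the longest matching prefix, so it wins over "/").
server {
    listen 80;
    listen [::]:80;
    server_name svn.freebsd.org;

    location /.well-known/acme-challenge/ {
        root /usr/local/www/acme;            # assumed webroot
    }

    location / {
        return 301 https://svn.freebsd.org$request_uri;
    }
}

# 2. HTTPS listener with the publicly trusted certificate. Paths follow
#    certbot's layout on FreeBSD (assumed).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name svn.freebsd.org;

    ssl_certificate     /usr/local/etc/letsencrypt/live/svn.freebsd.org/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/svn.freebsd.org/privkey.pem;
    ssl_protocols       TLSv1.2;

    # HSTS: a browser that has seen this will not fall back to http://
    # for this name even if a later redirect is stripped in transit.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;    # assumed Subversion backend
        proxy_set_header Host $host;
    }
}

# 3. Explicit opt-out name: plain HTTP, no redirect, for clients behind a
#    TLS-intercepting proxy that rejects the HTTPS service. A distinct
#    hostname keeps this path out of the default and gives it its own
#    access log, so use of the cleartext path is visible rather than
#    silently mixed in with normal traffic.
server {
    listen 80;
    listen [::]:80;
    server_name i-love-waffles-and-svn-over-http.freebsd.org;

    access_log /var/log/nginx/svn-http-optout.log;   # assumed path

    location / {
        proxy_pass http://127.0.0.1:8080;    # assumed Subversion backend
        proxy_set_header Host $host;
    }
}
```

The point of the split is that the default name never serves repository data over HTTP, and choosing the cleartext path is a deliberate act (a different URL) rather than an accident of an old bookmark. Note that a 301 on the main name does not silently migrate existing working copies: Subversion clients report that the repository has moved and the user has to relocate to the https:// URL, so the redirect is mainly a safeguard for browsers and fresh checkouts, with the HSTS header preventing a browser from drifting back to http:// for that name.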