From: Matthew Seaman
To: freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 10:12:29 +0100

On 07/12/16 06:48, Kevin Oberman wrote:
> In case people are not aware of it, Russian law now requires ALL encrypted
> traffic must either be accessible by the FSB or that the private keys must
> be available to the FSB. I have always assumed that GOST has a hidden
> vulnerability/backdoor that the FSB is already using, but this makes it
> mandatory. Putin gave the FSB 2 weeks to implement the law, which is
> clearly impossible, but I suspect that there will be a huge effort to pick
> all low-hanging fruit. As a result, I suspect no one outside of Russia will
> touch GOST. (Not that they do now, either.) I'd hate to see its support
> required for any protocol except in Russia as someone will be silly enough
> to use it.

Agreed that it should be possible to use GOST crypto readily on FreeBSD,
but I dislike the idea of shipping with 'known vulnerable' ciphers
enabled by default. It should take a positive act to enable them, given
the circumstances.
Whether that should entail installing something from ports, or
recompiling the system with specific settings in src.conf, or it could
just be down to tweaking a config file somewhere, I wouldn't care to
venture an opinion though.

I'm also curious as to how far these regulations are supposed to extend.
Presumably traffic which is merely transiting Russian territory isn't
covered, at least in a practical sense. How about people from Russia
accessing foreign websites? I can't see any of the big Internet players
implementing GOST in any locations outside Russia any time soon. Neither
would I as a non-Russian have GOST capabilities client-side, so what
happens if I go and look at say a YandX website over HTTPS?

Putin and his advisors aren't stupid, and they'd already have considered
all this; plus, as you say, the timetable is clearly impossible; so
there must be something else going on here.

Of course, now there's fairly good evidence that there's some sort of
backdoor in the GOST ciphers, all bets are off on how long it will be
until they get broken in a very public manner.

Cheers,

Matthew