From owner-freebsd-security@freebsd.org Fri Feb 26 01:07:59 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 713AF55050B; Fri, 26 Feb 2021 01:07:59 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Dms331vbsz4Vyf; Fri, 26 Feb 2021 01:07:58 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 11Q17pTX069165 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 25 Feb 2021 17:07:51 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.15.2/8.15.2/Submit) id 11Q17pTp069164; Thu, 25 Feb 2021 17:07:51 -0800 (PST) (envelope-from jmg) Date: Thu, 25 Feb 2021 17:07:50 -0800 From: John-Mark Gurney To: grarpamp Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org Subject: Re: CA's TLS Certificate Bundle in base = BAD Message-ID: <20210226010750.GY5246@funkthat.com> Mail-Followup-To: grarpamp , freebsd-security@freebsd.org, freebsd-questions@freebsd.org References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Operating-System: FreeBSD 11.3-STABLE amd64 X-PGP-Fingerprint: D87A 235F FB71 1F3F 55B7 ED9B D5FF 5A51 C0AC 3D65 X-Files: The truth is out there X-URL: https://www.funkthat.com/ X-Resume: https://www.funkthat.com/~jmg/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.6.1 (2016-04-27) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (gold.funkthat.com [127.0.0.1]); Thu, 25 Feb 2021 17:07:51 -0800 (PST) X-Rspamd-Queue-Id: 4Dms331vbsz4Vyf X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Feb 2021 01:07:59 -0000 grarpamp wrote this message on Wed, Feb 24, 2021 at 23:38 -0500: > FYI... > > Third party CA's are an untrusted automagical nightmare of global and > local MITM risk... Do you delete all the CA's from your browsers then? Having tried to verify the certificate for a bank when verisign f'd up their cert really doesn't work, trust me I've tried it, the support has zero clue what you're talking about, and they have no process to handle such a question... > - CA's issuer gone wrong... Govt, Corp, Bribe, Rogue, Court, War, > Force Majeure, Crime, Hack, Spies, Lulz, etc. > - CA's store bundler gone wrong... Mozilla, Microsoft, Apple, BSD, etc > in same ways above. > - Undetected stolen unrevoked unchecked CA's, intermediates, server keys, etc. > - Total/targeted IP/DNS traffic user interception by agents, vpn's, > proxies, tor, mitmproxy, sslstrip, etc. > - Base asserting trust over all that, when reality none is due. It's even worse if you disable ALL cert checking, and force people to use --no-verify-peer, as then anyone can MitM the connection instead of a reduced set of people.. Considering that pkg used to, by default, d/l packages in clear text, it was very easy to know if a FreeBSD box has CA installed or not, making someone who wants to MitM FreeBSD hosts have an idea of what machines they could likely MitM w/o getting caught making this even MORE dangerous... > There should be no non-FreeBSD.Org/Foundation CA's shipped in base. Except that FreeBSD.org doesn't have it's own CA. This means that either there isn't ANY certificate, and people couldn't securely d/l from www.freebsd.org out of the box, OR, we use let's encrypt cert, which means that 240 million+ websites would be supported out of the box... And as you say below, you really have a axe to grind w/ Let's Encrypt, despite them being more secure because of the short expiration of certs... Because CRL's are pretty much universally ignored... so, even if a CA (or a user) revokes a certificate, it's still likely mostly valid... > Its shipped pubkey fingerprint sets can bootstrap TLS infra pubkeys/prints > off bsd keyserver, to then pubkey pin TLS fetch(1) / pkg(8) / git(1) to reach > pkg ca_root_cert, git src ports repos, update, iso, etc. > See curl(1) --pinned-pubkey, GPG, etc. pkg install ca_root_cert was already able to be securely installed before this using a similar method.. > Users should delete all those ~139 garbage CA's, > only add in the ones they find they need during use, > easily scripted and tooled, start with say the... > - LetsEncrypt chain That's what the certctl tool is for, to let users easily able to do this.. certctl list | tail -n +2 | awk '{ print $1 }' | xargs -n 1 certctl blacklist > And force TLS pubkey fingerprint pin check on critical services. > > Search web for howtos. > > At minimum require user / install to ack before use... > mv /etc/ssl/certs.shipped_disabled /etc/ssl/certs Last I checked no browser requires users to ack to install those CA's have you attempted to pressure them to? I'm personally much happier to have them installed by default then before where people were using --no-verify-peer to d/l stuff. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."