Message-ID: <4D9639B0.1070302@FreeBSD.org>
Date: Fri, 01 Apr 2011 13:46:40 -0700
From: Doug Barton
To: István
Cc: freebsd-security, Chad Perrin
References: <20110401153300.GA85392@guilt.hydra>
Subject: Re: SSL is broken on FreeBSD

István wrote:

> cool, i decided I need everything what I have on windows or on J random
> operating system with firefox. I install the corresponding package which is
> broken and therefore, so I can't verify if somebody is doing a MITM while I
> am shopping on Amazon. Massive win!

If your concern is the CA list in firefox, no additional work is required
beyond installing firefox. If you are ultra-concerned about security you can
examine the source, and compile it locally. If the FreeBSD package is not
functional, you should of course report that, and we will address that issue.

OTOH, it's not 100% clear to me what your actual goals are, or what problems
you're having.
If you would like to write up something along the lines of, "Here is what
I'm trying to accomplish, and here are the problems I'm experiencing along
the way" I'm sure that we can work on that.

> I understand you do not care about usability.

Nothing could be further from the truth. I think Chad addressed that topic
well. I would simply like to add that it's pretty common for us to see people
report things along the lines of, "When I try to do XYZ thing that I did on
Linux it doesn't work on FreeBSD." What is generally the case in these
situations is that there are alternate ways to accomplish the same goal on
FreeBSD, and some polite discussion about that can usually resolve the issue.

> Thank you anyway. I am going to copy that file from Linux ;)

If Linux works for you, you should seriously consider sticking with it. There
are lots of operating systems out there, not all of them are suitable for all
users.

> Yep, SSL is broken.
> This is why the top500 companies are using it to secure their business.

Before you rely too heavily on this particular line of argument you might
want to consider that up until recently there have not been viable
alternatives.

> I hope you have something better what we could implement tomorrow deprecating SSL.

http://datatracker.ietf.org/wg/dane/charter/
http://www.ietf.org/mail-archive/web/keyassure/current/maillist.html

Enjoy,

Doug

PS, while asking strangers to volunteer their time to assist you, it's
usually a good idea to refrain from rudeness and sarcasm.

-- 
Nothin' ever doesn't change, but nothin' changes much.
    -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/