From: Andrey Chernov
To: Daniel Kalchev, Matthew Seaman
Cc: freebsd-current@freebsd.org
Subject: Re: GOST in OPENSSL_BASE
Date: Tue, 12 Jul 2016 13:54:21 +0300

On 12.07.2016 12:59, Daniel Kalchev wrote:
> The standard HTTPS implementation is already sufficiently broken, with the door wide open by the concept of “multiple CAs”. The protocol design is flawed, as any CA can issue a certificate for any site. Applications are required to trust those certificates, as long as they trust the CA that issued them.
>
> It is trivial to play MITM with this protocol and in fact, there are commercially available “solutions” for “securing one’s corporate network” that do exactly that. Some believe this is with the knowledge and approval of the corporation, but who is to say what the black box actually does and whose interests it serves?
>
> There is of course an update to the protocol, DANE, that just shuts this door off. But… it faces heavy resistance, as its acceptance would mean the end of the lucrative CA business and the ability to intercept “secure” HTTPS communication. Those relying on the HTTPS flaws will never let it become widespread.
>
> In summary — anyone can sniff HTTPS traffic. No need for any cipher backdoors here. Nor any need for GOST to be involved.

You forget to mention that the CA must already be in the trusted root list to allow it to happen.
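
An added example, not part of the original messages: a small model of the two acceptance rules discussed in this thread, the CA model (any issuer in the trusted root list can vouch for any name) and DANE-EE TLSA matching as defined in RFC 6698. The Cert class, the CA names and the byte strings are constructed placeholders rather than real X.509 data, and the TLSA records are assumed to have been DNSSEC-validated already.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:              # simplified stand-in for an X.509 leaf certificate
    subject: str         # DNS name the certificate claims
    issuer: str          # name of the issuing CA
    der: bytes           # whole-certificate encoding (constructed bytes)
    spki: bytes          # SubjectPublicKeyInfo encoding (constructed bytes)

@dataclass(frozen=True)
class TLSA:              # TLSA RDATA fields, RFC 6698 section 2.1
    usage: int           # 3 = DANE-EE, pins the server's own certificate
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int           # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def webpki_accepts(cert, host, trusted_roots):
    """CA model: any issuer in the root list may vouch for any host name."""
    return cert.subject == host and cert.issuer in trusted_roots

def tlsa_matches(cert, rec):
    """Compare the selected part of the certificate with the record data."""
    if rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        return False     # unknown selector or matching type: record unusable
    selected = cert.der if rec.selector == 0 else cert.spki
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, rec.data)

def dane_ee_accepts(cert, records):
    """DANE-EE: accept only a certificate that some usage-3 record pins."""
    return any(r.usage == 3 and tlsa_matches(cert, r) for r in records)

# Constructed sample data: two listed roots and three certificates for one name.
HOST = "www.example.org"
ROOTS = {"Example Root A", "Example Root B"}
LEGIT = Cert(HOST, "Example Root A", b"cert-from-A", b"site-owner-key")
OTHER = Cert(HOST, "Example Root B", b"cert-from-B", b"someone-elses-key")
UNLISTED = Cert(HOST, "Unlisted CA", b"cert-from-X", b"someone-elses-key")
# "3 1 1" record published by the site owner under _443._tcp.www.example.org
RECORDS = [TLSA(3, 1, 1, hashlib.sha256(LEGIT.spki).digest())]

if __name__ == "__main__":
    for c in (LEGIT, OTHER, UNLISTED):
        print(c.issuer, webpki_accepts(c, HOST, ROOTS), dane_ee_accepts(c, RECORDS))
```

The certificate from the second listed root passes the CA-model check but not the TLSA match, while the one from the unlisted issuer fails both.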