Date: Tue, 12 Jul 2016 13:54:21 +0300 From: Andrey Chernov <ache@freebsd.org> To: Daniel Kalchev <daniel@digsys.bg>, Matthew Seaman <matthew@FreeBSD.org> Cc: freebsd-current@freebsd.org Subject: Re: GOST in OPENSSL_BASE Message-ID: <6c8de30c-50dd-4d01-724a-24e1c134406e@freebsd.org> In-Reply-To: <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg> References: <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org> <CAN6yY1sOrL42ssbfGUKz8%2BaY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com> <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org> <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --E9WxndxvfNUV0gnR0XHDKMulTx7j40ij1 Content-Type: multipart/mixed; boundary="8BW0r3JCBRlD4g3baHxJRJCaVpkLToKXt" From: Andrey Chernov <ache@freebsd.org> To: Daniel Kalchev <daniel@digsys.bg>, Matthew Seaman <matthew@FreeBSD.org> Cc: freebsd-current@freebsd.org Message-ID: <6c8de30c-50dd-4d01-724a-24e1c134406e@freebsd.org> Subject: Re: GOST in OPENSSL_BASE References: <20160710133019.GD20831@zxy.spb.ru> <f35c1806-c06d-0d46-1c8a-58a56adef9a7@freebsd.org> <a4f0585d-cc99-e44a-7f59-0dd23e3c969f@FreeBSD.org> <20160711184122.GP46309@zxy.spb.ru> <98f27660-47ff-d212-8c50-9e6e1cd52e0b@freebsd.org> <c0bb5ae3-fee6-d40c-86bd-988c843d757b@freebsd.org> <CAN6yY1sOrL42ssbfGUKz8+aY0VvKPDHPx2S0ZRNpmmgdB0V8Tg@mail.gmail.com> <a8214f32-ce90-3b97-678a-faad7c6d0b69@freebsd.org> <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg> In-Reply-To: <C2F596E2-B417-4DC2-A195-60CFAB6399F5@digsys.bg> --8BW0r3JCBRlD4g3baHxJRJCaVpkLToKXt Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 12.07.2016 12:59, Daniel Kalchev wrote: > The standard HTTPS implementation is already sufficiently broken, with = the door wide open by the concept of =E2=80=9Cmultiple CAs=E2=80=9D. The = protocol design is flawed, as any CA can issue certificate for any site. = Applications are required to trust that certificates, as long as they tru= st the CA that issued them. >=20 > It is trivial to play MTIM with this protocol and in fact, there are co= mmercially available =E2=80=9Csolutions=E2=80=9D for =E2=80=9Csecuring on= e=E2=80=99s corporate network=E2=80=9D that doe exactly that. Some believ= e this is with the knowledge and approval of the corporation, but who is = to say what the black box actually does and whose interests it serves? >=20 > There is of course an update to the protocol, DANE, that just shuts thi= s door off. But=E2=80=A6 it faces heavy resistance, as it=E2=80=99s accep= tance would mean the end of the lucrative CA business and the ability to = intercept =E2=80=9Csecure=E2=80=9D HTTPS communication. Those relying on = the HPPTS flaws will never let it become wide spread. >=20 > In summary =E2=80=94 anyone can sniff HTTPS traffic. No need for any ci= pher backdoors here. Nor any need for GOST to be involved. You forget to mention that CA must already be in the trusted root list to allow it happens. --8BW0r3JCBRlD4g3baHxJRJCaVpkLToKXt-- --E9WxndxvfNUV0gnR0XHDKMulTx7j40ij1 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJXhMxeAAoJEKUckv0MjfbKLYcH/iF/OawBMjAwDSKOMTXAFVky 7Y6jO1rO0fDIIl65jGUPXMuNcvCesFLhOUDYmF6jdT3x3E1ARjH4aFBJGa971dea GAT6cVH1sGXFCCLD52nToCsHQLYdqNBAef2tHL4yVwUBpgZ8AZB2Q42zOy5XbDGn O5RiTnpTgwZfGoFev+uLmh0PaLqqmGrkOOt8oWePJIP4nAhqm8tgd5aj/csxXwxv ZhFXu8DGYyTsvaWyEI9UqHqcXm7kSkzfAFM/XHdq1zsTKmBxNk54VI6B/fFh3rQg MXhui8dKXGamFtX6VjbyETEq7rhVuUWHW17q8k7pmkqMfljDEwNWg6VT2J3EJrQ= =F617 -----END PGP SIGNATURE----- --E9WxndxvfNUV0gnR0XHDKMulTx7j40ij1--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6c8de30c-50dd-4d01-724a-24e1c134406e>