Subject: Re: Do you still need CTM?
From: "Isaac (.ike) Levy"
To: Helge Oldach
Cc: ctm-users@freebsd.org
Date: Thu, 20 Aug 2015 16:25:16 -0400
In-Reply-To: <201508201537.t7KFbdnd002206@sep.oldach.net>
Message-Id: <1440102382-5935549.7941101.ft7KKPGB2001462@rs149.luxsci.com>

Hi,

> On Aug 20, 2015, at 11:37 AM, Helge Oldach wrote:
>
> Roman Kurakin wrote on Thu, 20 Aug 2015 15:04:52 +0200 (CEST):
>> On 08/20/2015 03:59 PM, Helge Oldach wrote:
>>> Julian H. Stacey wrote on Thu, 20 Aug 2015 14:01:03 +0200 (CEST):
>>>> If an axer asserts
>>>> there's a security issue, original author phk@ may be interested.
>>>> may also be interested to fix it, but
>>>> axe proponent has Not provided us detail.
>>> I suspect it's related to a potential MITM threat: Both freebsd-update
>>> as well as svn deliver mechanisms to detect such attacks and refuse to
>>> update. CTM doesn't - actually it's fairly easy to tamper with deltas
>>> shipped by unencrypted e-mail. (No, md5 sums don't help.)
>> So, signing emails would be enough?
>
> IMHO signing e-mails is the easy part.
>
> On the e-mail receiver side you actually want something similar to
> "certificate pinning" to get the same level of confidentiality as
> freebsd-update or svn (through https) deliver. That would involve quite
> a bit of hacking the CTM receiver I guess.
>
> But CTM deltas are also available through http(s) and ftp and mirrored
> to a lot of sites. How do we deal with the confidentiality issue here
> without losing functionality? Again quite a bit of hacking I think.
>
> Note I am still just guessing about the security issues mentioned.
> Maybe they are actually different.
>
> Regards,
> Helge

I'm also not aware of the actual security issues raised, yet I believe
CTM is not rendered completely useless because of the plain-text nature
of the distribution.

As far as security goes, I'm a firm supporter of diversity above any
monoculture - even when diversity means unsigned or unencrypted
transmission. For that alone, I'd be very sad to see CTM go.

--

Additionally, one small idea: instead of signing all emails, is there
any way to leverage mtree(8) files signed by a trusted source, which
people could use to validate the sources after CTM patches have been
applied? The mtree(8) digests could be signed with simple utilities
like OpenBSD's signify(1), or some other similar mechanism which works
from seeding trust. Just a thought, trying to reduce the need to
re-work the existing CTM machinery.

Best,
.ike
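
The post-apply check suggested in the message above, sketched as an added example (not code from this thread or from CTM). It assumes the manifest is in mtree(8)'s one-path-per-line form with `type=file` and a `sha256digest` (or `sha256`) keyword on every file line, and that its signify(1) signature was already verified before parsing; the function names and the sample tree are hypothetical.

```python
import hashlib, os, re, tempfile
from pathlib import Path

def parse_spec(text):
    """Parse a path-per-line mtree spec into {relative path: sha256 hex}."""
    digests = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#/":          # comments, /set and /unset lines
            continue
        path, *words = line.split()
        kw = dict(w.split("=", 1) for w in words if "=" in w)
        if kw.get("type") != "file":             # directories, links etc. carry no digest
            continue
        digest = kw.get("sha256digest") or kw.get("sha256")
        if digest is None:                       # fail closed: every file needs a digest
            raise ValueError("no sha256 digest for " + path)
        # mtree encodes special characters as backslash-octal (\040 is a space)
        raw = re.sub(rb"\\([0-3][0-7]{2})", lambda m: bytes([int(m.group(1), 8)]), path.encode())
        digests[os.path.normpath(raw.decode())] = digest.lower()
    return digests

def verify_tree(root, digests):
    """Return (modified, missing, extra) relative paths found under root."""
    known = set(digests)
    on_disk = {os.path.relpath(os.path.join(d, n), root)
               for d, _, names in os.walk(root) for n in names}
    modified = sorted(p for p in on_disk & known
                      if hashlib.sha256(Path(root, p).read_bytes()).hexdigest() != digests[p])
    return modified, sorted(known - on_disk), sorted(on_disk - known)

def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    """Constructed sample: build a tree and its manifest, then alter the tree."""
    files = {"Makefile": b"all:\n", "sys/kern/init main.c": b"int x;\n", "README": b"hi\n"}
    with tempfile.TemporaryDirectory() as root:
        spec = ["#mtree (constructed sample)"]
        for rel, data in files.items():
            _write(Path(root, rel), data)
            spec.append("./%s type=file sha256digest=%s"
                        % (rel.replace(" ", "\\040"), hashlib.sha256(data).hexdigest()))
        digests = parse_spec("\n".join(spec))
        clean = verify_tree(root, digests)
        _write(Path(root, "Makefile"), b"all: changed\n")    # content altered
        os.remove(os.path.join(root, "README"))              # file dropped
        _write(Path(root, "sys/kern/added.c"), b"int y;\n")  # file not in manifest
        return clean, verify_tree(root, digests)
```

A tree that reports anything in the three lists does not match what the trusted source signed, regardless of how the deltas were transported.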