Date: Fri, 1 Jan 2021 09:08:57 -0500
From: Shawn Webb
To: grarpamp
Cc: freebsd-current@freebsd.org
Subject: Re: HEADS UP: FreeBSD src repo transitioning to git this weekend
Message-ID: <20210101140857.x3hbci6c4nwi7gl7@mutt-hbsd>
List-Id: Discussions about the use of FreeBSD-current

On Thu, Dec 31, 2020 at 09:25:08PM -0500, grarpamp wrote:
> > There is already HTTPS to protect the "authenticity" of the magnet
> > link.
>
> No. FreeBSD fails to publish signed fingerprints of their TLS pubkeys,
> therefore users can't pin them down, therefore any MITM can bypass
> CA game and MITM attack users at will, feed them bogus infohash,
> isos, git repo tofu, pkg, etc. MITM is bad, MITM is in use,
> and MITM fails when sig'd, verified, and pinned.

There's also nation states that require use of a nation state-owned
root CA cert so that they can MITM every single SSL/TLS connection.
Connections that don't use/support their custom trusted root cert are
either blocked or reported (or both).

In this case, MITM isn't theoretically broken, it's broken in
practice. And, it's broken in the worst case scenario: downloading
source code that the nation state can modify in-transit.

This is why I asked FreeBSD to provide anonymous read-only ssh://
support for git. I'm very grateful they support it. I also use it for
HardenedBSD's sync scripts due to my own distrust of browser-based
SSL/TLS PKI, even in the USA.

One thing that I need to do with the HardenedBSD infrastructure is
publish on our site the ssh pubkeys of the server (both RSA and
ed25519). I plan to do that sometime this coming week. I wonder if it
would be a good idea for FreeBSD to do the same (note: I'm not trying
to commit FreeBSD to do any work; I'm just spitballing ideas.)

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
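
The host-key pinning discussed in this message, as an added example that is not part of the original post or of either project's tooling: it compares the keys a server offers (in `ssh-keyscan` output format) against keys published out of band and emits `known_hosts` lines only for exact matches. The host name `git.example.org` and the sample keys are constructed placeholders, and the published keys are assumed to have been obtained over a channel you already trust.

```python
import base64
import hashlib
import hmac
import struct

def parse_key(line):
    """Return (keytype, blob) from 'host type b64' (ssh-keyscan) or 'type b64 [comment]' (.pub)."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields[:2]) if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type found")
    ktype = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; they must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type does not match blob")
    return ktype, blob

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def pin(host, scanned, published):
    """Split scanned keys into known_hosts lines (match a published key) and rejects."""
    trusted = dict(parse_key(line) for line in published)
    accepted, rejected = [], []
    for line in scanned:
        ktype, blob = parse_key(line)
        # A key type that was never published is rejected, not trusted on first use.
        if ktype in trusted and hmac.compare_digest(blob, trusted[ktype]):
            accepted.append(f"{host} {ktype} {base64.b64encode(blob).decode()}")
        else:
            rejected.append((ktype, fingerprint(blob)))
    return accepted, rejected

def sample_ed25519(raw32):
    """Constructed sample key line in .pub format (not a real server key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

HOST = "git.example.org"                              # placeholder host name
PUBLISHED = [sample_ed25519(bytes(range(32)))]        # as copied from the project's site
GOOD_SCAN = [f"{HOST} {PUBLISHED[0]}"]                # what ssh-keyscan would print
MITM_SCAN = [f"{HOST} {sample_ed25519(bytes(32))}"]   # a different key seen on the wire

if __name__ == "__main__":
    print(pin(HOST, GOOD_SCAN, PUBLISHED))
    print(pin(HOST, MITM_SCAN, PUBLISHED))
```

The accepted lines can be written to a dedicated `known_hosts` file and used with `StrictHostKeyChecking=yes`, so a sync script fails instead of prompting when the offered key changes.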