Date:      Fri, 26 Feb 2021 15:49:32 -0800
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Dan Lukes <dan@obluda.cz>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: CA's TLS Certificate Bundle in base = BAD
Message-ID:  <20210226234932.GA5246@funkthat.com>
In-Reply-To: <77c6d5bf-a213-5fae-df0d-542aa9a4a0a5@obluda.cz>
References:  <CAD2Ti28EPBshbVEJbT8WE-OiWq_qMTS3b=LeQSfJrOfkFT4VJg@mail.gmail.com> <20210226010750.GY5246@funkthat.com> <77c6d5bf-a213-5fae-df0d-542aa9a4a0a5@obluda.cz>

Dan Lukes wrote this message on Fri, Feb 26, 2021 at 08:41 +0100:
> On 26.2.2021 2:07, John-Mark Gurney wrote:
> >> Third party CA's are an untrusted automagical nightmare of global and
> >> local MITM risk...
> > 
> > Do you delete all the CA's from your browsers then?
> 
> Yes, I'm cleaning them from the browser, then I'm adding a few CAs as needed.
> 
> Despite that, I'm not on grarpamp's side.
> 
> People are installing the FreeBSD system on their computers - it requires
> a lot of trust. Most users can trust even the CA list that's part of the
> FreeBSD system.
> 
> And those paranoid users like me? We will check the pre-installed CA list
> all the time. We do it now and we will do it in the future too. Because
> we trust no one. So we don't care what the content of the file in the
> stock install is.
> 
> So I don't vote for grarpamp's proposal. It will decrease the effective
> security of the "standard user" and it will not help the paranoid ones.
> 
> But it would be nice to know how it works. What CAs are included in the
> distributed bundle? Who makes the final decision? What rules is he
> obliged to follow?
> 
> It should be documented somewhere.

I do agree that it should be documented better.  There is this file
that helps answer most of them:
https://cgit.freebsd.org/src/tree/secure/caroot/README

The short answer is that it's managed by secteam/security-officer,
and follows the Mozilla store...

This is likely the best option, as Mozilla is quite public about
various CA issues over the years, and how they are managed...

> > Having tried to verify the certificate for a bank when verisign f'd
> > up their cert really doesn't work, trust me I've tried it, the
> > support has zero clue what you're talking about, and they have no
> > process to handle such a question...
> 
> My bank has the defined process you are speaking of here. I have been
> the IT security officer of such a bank and I defined the process in
> question. For about ten years, there has been one (!) call asking for
> verification of the certificate. And it was a call from a friend of mine
> who was curious to verify whether it works ...

I think I tried this 15+ years ago. :)

> Despite that, it's not an argument related to the topic we are
> speaking about.  Certificates are just a tool. It can be used properly
> or improperly. The proper use of a tool depends on the goal, so the goal
> needs to be discussed first.

The certctl command was written specifically to address the issue of making
it easy for users, like yourself, to blacklist various CAs...

Yes, there are lots of packages that are installed by users, but at the
same time, FreeBSD has prided itself on being a "complete" operating
system out of the box, and IMO, the lack of certs made the security out
of the box not good.

Also, the number of users who didn't KNOW to install ca_root_nss to
resolve the issue was another problem as well...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
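As an added example, not part of this e-mail thread and not FreeBSD's own certctl code, here is the kind of check Dan describes doing on the pre-installed CA list: parse the PEM bundle, fingerprint every root, and diff the result against a reviewed allowlist so that a root that silently appeared (a candidate for certctl's blacklist) or disappeared is reported. The sample bundle is constructed and its base64 bodies are placeholder blobs rather than real certificates; the command-line arguments (a bundle path and an allowlist file of hex SHA-256 fingerprints, one per line) are this example's own convention, and you point it at whatever bundle or directory your system actually uses.

```python
import base64
import hashlib
import re
import sys
from typing import Dict, List, Set

# Constructed sample bundle for an offline run. The base64 bodies are NOT
# real certificates, only placeholder DER blobs (16 bytes of 'A' and 'B');
# a real bundle uses the same PEM framing, so the parser is unchanged.
SAMPLE_BUNDLE = """\
## Example Root A (constructed)
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
## Example Root B (constructed)
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQg==
-----END CERTIFICATE-----
"""

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of each certificate in a PEM bundle, in order."""
    ders = []
    for match in PEM_CERT.finditer(text):
        b64 = "".join(match.group(1).split())      # drop the 64-column wrapping
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the value worth pinning in an allowlist."""
    return hashlib.sha256(der).hexdigest()


def audit_bundle(text: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Compare the bundle on disk against a reviewed set of fingerprints.

    'unexpected' are roots present that were never reviewed (what you would
    look at before deciding to blacklist them); 'missing' are reviewed roots
    that have vanished, which breaks validation without any error at install.
    """
    present = {fingerprint(der) for der in parse_bundle(text)}
    return {
        "unexpected": sorted(present - expected),
        "missing": sorted(expected - present),
    }


def main(argv: List[str]) -> int:
    # Usage (example's own convention): audit_bundle.py BUNDLE.pem [ALLOWLIST.txt]
    # ALLOWLIST.txt holds one hex SHA-256 fingerprint per line. With no
    # arguments the constructed sample is audited against an empty allowlist.
    if len(argv) > 1:
        with open(argv[1], encoding="ascii") as fh:
            bundle = fh.read()
    else:
        bundle = SAMPLE_BUNDLE
    expected: Set[str] = set()
    if len(argv) > 2:
        with open(argv[2], encoding="ascii") as fh:
            expected = {line.strip().lower() for line in fh if line.strip()}
    report = audit_bundle(bundle, expected)
    for kind in ("unexpected", "missing"):
        for fp in report[kind]:
            print(f"{kind}: {fp}")
    # Non-zero exit when the bundle drifted from the reviewed list, so the
    # check can run from cron or a post-upgrade hook and fail loudly.
    return 1 if report["unexpected"] or report["missing"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Fingerprints rather than subject names are compared on purpose: two roots can carry the same subject, and a fingerprint changes with any re-issuance, which is exactly the event an audit of the stock list wants to notice.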
