From owner-freebsd-security@freebsd.org Fri Feb 26 23:49:37 2021 Return-Path: Delivered-To: freebsd-security@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 7176A55316D for ; Fri, 26 Feb 2021 23:49:37 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gate2.funkthat.com", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DnRG82jJpz3LKn for ; Fri, 26 Feb 2021 23:49:35 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.15.2/8.15.2) with ESMTPS id 11QNnXrf048879 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 26 Feb 2021 15:49:33 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.15.2/8.15.2/Submit) id 11QNnWZa048878; Fri, 26 Feb 2021 15:49:32 -0800 (PST) (envelope-from jmg) Date: Fri, 26 Feb 2021 15:49:32 -0800 From: John-Mark Gurney To: Dan Lukes Cc: freebsd-security Subject: Re: CA's TLS Certificate Bundle in base = BAD Message-ID: <20210226234932.GA5246@funkthat.com> Mail-Followup-To: Dan Lukes , freebsd-security References: <20210226010750.GY5246@funkthat.com> <77c6d5bf-a213-5fae-df0d-542aa9a4a0a5@obluda.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <77c6d5bf-a213-5fae-df0d-542aa9a4a0a5@obluda.cz> X-Operating-System: FreeBSD 11.3-STABLE amd64 X-PGP-Fingerprint: D87A 235F FB71 1F3F 55B7 ED9B D5FF 5A51 C0AC 3D65 X-Files: The truth is out there X-URL: https://www.funkthat.com/ X-Resume: https://www.funkthat.com/~jmg/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.6.1 (2016-04-27) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (gold.funkthat.com [127.0.0.1]); Fri, 26 Feb 2021 15:49:33 -0800 (PST) X-Rspamd-Queue-Id: 4DnRG82jJpz3LKn X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of jmg@gold.funkthat.com has no SPF policy when checking 208.87.223.18) smtp.mailfrom=jmg@gold.funkthat.com X-Spamd-Result: default: False [-1.76 / 15.00]; RCVD_TLS_ALL(0.00)[]; ARC_NA(0.00)[]; FREEFALL_USER(0.00)[jmg]; FROM_HAS_DN(0.00)[]; RBL_DBL_DONT_QUERY_IPS(0.00)[208.87.223.18:from]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; MID_RHS_MATCH_FROM(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[funkthat.com]; AUTH_NA(1.00)[]; SPAMHAUS_ZRD(0.00)[208.87.223.18:from:127.0.2.255]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.96)[-0.956]; R_SPF_NA(0.00)[no SPF record]; FORGED_SENDER(0.30)[jmg@funkthat.com,jmg@gold.funkthat.com]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:32354, ipnet:208.87.216.0/21, country:US]; FROM_NEQ_ENVFROM(0.00)[jmg@funkthat.com,jmg@gold.funkthat.com]; MAILMAN_DEST(0.00)[freebsd-security] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Feb 2021 23:49:37 -0000 Dan Lukes wrote this message on Fri, Feb 26, 2021 at 08:41 +0100: > On 26.2.2021 2:07, John-Mark Gurney wrote: > >> Third party CA's are an untrusted automagical nightmare of global and > >> local MITM risk... > > > > Do you delete all the CA's from your browsers then? > > Yes, I'm cleaning them from browser, then I'm adding few CA as needed. > > Despite of it, I'm not on grarpamp's side. > > People are installing FreeBSD system on it's computer - it require a lot > of trust. Most of users can trust even CA list that's part of FreeBSD > system. > > And those paranoid users like me ? We will check pre-installed CA list > all the times. We do it now and we will do it even in the future. > Because we trust no one. So we don't care what's content of file in > stock install. > > So I don't vote for grarpamp's proposal. It will decrease effective > security of "standard user" and it will not help to the paranoid ones. > > But it would be nice to know how it works. What CA are included into > distributed bundle ? Who is making the final decision ? What rules he is > obliged to follow ? > > It should be documented somewhere. I do agree that it should be documented better. There is this file that helps answers most of them: https://cgit.freebsd.org/src/tree/secure/caroot/README The short answer is that it's managed by secteam/security-officer, and follows the Mozilla store... This is likely the best option, as Mozilla is quite public about various CA issues over the years, and how they are managed.. > > Having tried to verify the certificate for a bank when verisign f'd > > up their cert really doesn't work, trust me I've tried it, the > > support has zero clue what you're talking about, and they have no > > process to handle such a question... > > My bank have defined process you are speaking of here. I has been IT > security officer of such bank and I defined process in question. For > about ten years, there has been one (!) call asking verification of the > certificate. And it has been call from my friend that has been curious > to verify if it works ... I think I tried this 15+ years ago. :) > Despite of it, it's not the argument related to the topic we are > speaking of about. Certificates are just tool. It can be used properly > or improperly. The proper use of tool depends on goal, so the goal needs > to be discussed first. The certctl command was written specifically to address the issue of making it easy for users, like yourself, to blacklist various CA's... Yes, there are lots of packages that are installed by users, but at the same time, FreeBSD has prided itself on being a "complete" operating system out of the box, and IMO, the lack of certs made the security out of the box not good. Also, the number of users who didn't KNOW to install ca_root_nss to resolve the issue was another problem as well... -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."