Date: Fri, 18 Sep 2015 10:32:34 -0400
From: Nathan Dorfman
To: Dag-Erling Smørgrav
Cc: Mark Felder, freebsd-security@freebsd.org, Daniel Feenberg, grarpamp, freebsd-questions@freebsd.org
Subject: Re: HTTPS on freebsd.org, git, reproducible builds

On Fri, Sep 18, 2015 at 04:05:39PM +0200, Dag-Erling Smørgrav wrote:
> Then again, if you have the means to mount a MITM attack you probably
> have the means to get a valid certificate.

If you're that paranoid, there's a nice Firefox extension called
CertPatrol that will alert you to any changes in the certificate's
details, or if you prefer, just the CA chain. Obviously, it won't help
you on the first visit -- it's an advanced version of ssh's known_hosts.

-nd.

> DES
> --
> Dag-Erling Smørgrav - des@des.no
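
Added example, not part of the original message and not CertPatrol's code: a minimal trust-on-first-use pin store sketching the behaviour described above (alert on any certificate change, or only on a CA chain change, with no protection on the first visit). The class, its method names, the hostname and the certificate bytes are all constructed for illustration.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
LEAF_A, LEAF_B = b"leaf-cert-A", b"leaf-cert-B-renewed"
CA_1, CA_2 = b"intermediate-CA-1", b"intermediate-CA-2"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's encoded bytes."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Hypothetical per-host pin store, analogous to ssh's known_hosts."""

    def __init__(self, mode: str = "leaf"):
        if mode not in ("leaf", "chain"):
            raise ValueError("mode must be 'leaf' or 'chain'")
        self.mode = mode      # "leaf": any change alerts; "chain": CA chain only
        self.pins = {}        # host -> {"leaf": fp, "chain": [fp, ...]}

    @staticmethod
    def _summarise(chain):
        if not chain:
            raise ValueError("empty certificate chain")
        return {"leaf": fingerprint(chain[0]),
                "chain": [fingerprint(c) for c in chain[1:]]}

    def check(self, host: str, chain) -> str:
        """Return 'first-visit', 'ok', or 'changed:<what>' for a presented chain."""
        seen = self._summarise(chain)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = seen   # nothing to compare against: trusted blindly
            return "first-visit"
        changed = []
        if seen["chain"] != known["chain"]:
            changed.append("chain")
        if self.mode == "leaf" and seen["leaf"] != known["leaf"]:
            changed.append("leaf")
        # The stored pin is left untouched until the user explicitly accepts.
        return "changed:" + ",".join(changed) if changed else "ok"

    def accept(self, host: str, chain) -> None:
        """Record a changed chain after the user has verified it out of band."""
        self.pins[host] = self._summarise(chain)

if __name__ == "__main__":
    store = PinStore(mode="chain")
    print(store.check("www.example.org", [LEAF_A, CA_1]))   # first-visit
    print(store.check("www.example.org", [LEAF_B, CA_1]))   # ok
    print(store.check("www.example.org", [LEAF_B, CA_2]))   # changed:chain
```

In "chain" mode a routine leaf renewal under the same CA stays quiet, while "leaf" mode reports it; in both modes whatever chain is presented on the first visit is pinned without question.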