Date: Mon, 13 Sep 2021 00:07:06 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: "Tomasz CEDRO" <tomek@cedro.info>, "Dan Lukes" <dan@obluda.cz>
Cc: freebsd-security <freebsd-security@freebsd.org>, "Gordon Tetlow" <gordon@tetlows.org>, "Karl Denninger" <karl@denninger.net>
Subject: Re: Important note for future FreeBSD base system OpenSSH update
Message-ID: <e831b57d-de53-4579-8098-e32d26f1c2be@www.fastmail.com>
In-Reply-To: <CAM8r67DdZJphWGvmoHjZmkcF2ormUWus3VZTF-dQJkZ=2KRN2g@mail.gmail.com>
References: <CAPyFy2A390kS_C3g=Y9QhQcJ06z_FKUxXsNvi9g2CdWF24pukg@mail.gmail.com> <CAPyFy2B04b0GtWoHFQwxht5vK4_cnApPXpDLXU%2BRvcR=2L9YxA@mail.gmail.com> <CAPyFy2Aw8Z3ngiM8YHApjjPRLZVC5MCN8TRQkh6pj2fSeM1zqw@mail.gmail.com> <8169A4A8-B8D1-4265-87C8-74ED4D34FBC8@fasel.at> <2bb56783-2727-9bea-7810-58969d91c00f@denninger.net> <A8BD4882-6DCD-4A5B-BFEF-139C778FE82C@tetlows.org> <0c3a5f3c-fb07-fae3-22f3-28703c842deb@obluda.cz> <CAM8r67DdZJphWGvmoHjZmkcF2ormUWus3VZTF-dQJkZ=2KRN2g@mail.gmail.com>
> > > Blaming the browser and other client providers (OpenSSH, etc) for a
> > > problem that is 100% because the devices are now abandoned by the
> > > manufacturer is the wrong place to focus your anger. We have an
> > > enormous problem in the industry of crappy embedded devices (like the

Obviously just my humble opinion, but FreeBSD should, for new releases, turn the security *UP* to 11. No harm with knobs in installers, release notes, pointing out how to turn it down to 0 again. But it's 2020 now, and with hindsight, we see the long term cumulative effects of small poor security choices across the industry.

If you refuse, or can't, upgrade the other infrastructure, and I totally respect that for a host of reasons, then don't upgrade this one either. Or stick a pi zero jump host in the middle ($5 maybe) to cater for this case if you want new shiny secure here, and old compat there.

Where possible, we should enable easy backward compatibility. But, if, like OpenSSH (or OpenSSL), you need stuff that simply isn't acceptable anymore in a modern secure by default OS, then please don't drag the rest of FreeBSD back. By all means step up and help maintain ports that facilitate this use case! As dropbear only added ed25519 keys in 2020, this is probably a very suitable candidate for that.

The argument that we will lose users "because backward compatibility" is equally as valid as "because insecure defaults that fail audits". Which is to say, not at all valid. The very definition of a straw man argument.

Let's not sweep under the rug the very real effort and security risk that we introduce in favour of eternal backwards compatibility. If you *need* SSH 1.0, or TLS 1.1, or whatever the non-secure thing is, just DON'T UPGRADE. Just stay on 11.x or 12.x (supported to 2024), or worst case, install a jail or VM just for this. Or, do the work, help maintain an ever increasing swathe of patches to re-add what has been removed.

But we all know that this path is both painful, and introduces security risks. I'd like fewer CVEs in my life.

just my 0.05c for the other positions in this thread.

A+
Dave