From owner-freebsd-security@freebsd.org Fri Sep 18 21:12:05 2015
Date: Fri, 18 Sep 2015 14:11:57 -0700
From: John-Mark Gurney
To: Ben Bailess
Cc: freebsd-security@freebsd.org
Subject: Re: HTTPS on freebsd.org, git, reproducible builds
Message-ID: <20150918211157.GQ33167@funkthat.com>
References: <7BAECC2B-5001-47D6-9199-8549697E7807@spam.lifeforms.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)

Ben Bailess wrote this message on Fri, Sep 18, 2015 at 10:07 -0400:
> I have to echo this sentiment -- authentication is important, and so is
> integrity. HTTPS would provide both -- to be sure you're talking to the
> "real" FreeBSD and give you confidence that your page content has not been
> altered in transit by a network adversary (e.g. if you are using Tor)*.
>
> *I honestly don't see that being a realistic defense against NSA/GCHQ-level
> attackers, though... the coercive power they have over CAs would probably
> be the weak point there, in my opinion.

Then you get projects like certificate pinning and SSL Observatory that
help ensure that the cert that is presented is also presented to others...

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."