From owner-freebsd-security@FreeBSD.ORG Mon May 18 13:52:29 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 673BD93C for ; Mon, 18 May 2015 13:52:29 +0000 (UTC) Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 383CF1BCF for ; Mon, 18 May 2015 13:52:29 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 4A0B920BBB for ; Mon, 18 May 2015 09:52:28 -0400 (EDT) Received: from web3 ([10.202.2.213]) by compute5.internal (MEProxy); Mon, 18 May 2015 09:52:28 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=UXABVGyeRyMqW4b W2S9T1Wk9MRA=; b=Cc3Pt8iSe0prLRcqIjTduYPsNqZ8ITsFBGaxNIPRYXBzp0o hkRPU6KhK16vEZfL9VcLws3fkmJXQ7aKNcnQe/bD7bgk39S08ovo8j9UcGuUnsp0 LIaIFoS9p+o/4AvmTm9HpEbbCEzQiL+sxftccXhfK9QAZvgiJjqMPh3Jvh+Y= Received: by web3.nyi.internal (Postfix, from userid 99) id 27A001071A6; Mon, 18 May 2015 09:52:28 -0400 (EDT) Message-Id: <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> X-Sasl-Enc: Ytybg76VOq+tSXPShNu4jaNr/tg4OJl7xFjy4hNcgtOf 1431957148 From: Mark Felder To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-fd425702 Subject: Re: Forums.FreeBSD.org - SSL Issue? Date: Mon, 18 May 2015 08:52:28 -0500 In-Reply-To: <55591EE8.9070101@obluda.cz> References: <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2015 13:52:29 -0000 On Sun, May 17, 2015, at 18:06, Dan Lukes wrote: > On 05/18/15 00:00, Mark Felder: > >> If TLS 1.0 is considered severe security issue AND system utilities are > >> using it, why there is no Security Advisory describing this system > >> vulnerability ? > >> > > > > It's not a vulnerability in software, it's weakness in the protocol > > design. > > Like protocol protocol downgrade triggered by MITM attack flaw or > protocol design flaw in session renegotiation support. The first one > addressed in FreeBSD-SA-14:23.openssl, the second one in > FreeBSD-SA-09:15.ssl > > So the "is it protocol flaw or implementation bug" seems not to be true > major criteria. > > OK, I wish I got best answer to my question possible. I'm not going to > discuss SA issuing policy in this thread. > FreeBSD-SA-14:23: primarily backported a new feature (TLS_FALLBACK_SCSV) to help prevent those with stronger crypto from being forced to downgrade to weak crypto via a MITM attack FreeBSD-SA-09:15: fixes some bugs dealing with potential MITM attacks Neither of these directly address a broken protocol, such as warning all users that "using SSL 3.0 or TLS 1.0 is dangerous" I mean, should we have an SA because our libc supports strcpy and people can use that and create severe vulnerabilities? Or the fact that there is no firewall enabled by default, so you should probably enable one? That seems a bit extreme. You could write a whole book and still not cover all of these topics :-) Hope that helps