Date: Wed, 18 Oct 2017 17:43:44 -0500 From: Benjamin Kaduk <kaduk@mit.edu> To: "WhiteWinterWolf (Simon)" <freebsd.lists@whitewinterwolf.com> Cc: "Ronald F. Guilmette" <rfg@tristatelogic.com>, freebsd-security@freebsd.org Subject: Re: WPA2 bugz - One Man's Quick & Dirty Response Message-ID: <20171018224344.GA96685@kduck.kaduk.org> In-Reply-To: <53010303-bd65-26a1-64b9-6eefa325ca46@whitewinterwolf.com> References: <32999.1508299211@segfault.tristatelogic.com> <53010303-bd65-26a1-64b9-6eefa325ca46@whitewinterwolf.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I fear I must wade into this thread, despite it being thick with FUD. On Wed, Oct 18, 2017 at 07:27:42PM +0200, WhiteWinterWolf (Simon) wrote: > Hi Ronald, > > Le 18/10/2017 à 06:00, Ronald F. Guilmette a écrit : > > > > In message <49252eda-3d48-f7bc-95e7-db716db4ed91@whitewinterwolf.com>, > > "WhiteWinterWolf (Simon)" <freebsd.lists@whitewinterwolf.com> wrote: > > > >> Ideally, you would use a specific protection for each of these layers, > >> so that an vulnerability affecting one layer would be compensated by > >> other layers. > > > > A good point. > > > > Right about now, I wish that I knew one hell of a lot more about both > > NFS and SMB than I do... and also SSH and TLS. I suspect that the > > file sharing protocols I am most concerned about (NFS & SMB) could > > perhaps be run in a manner such that both initial volume mounts and > > also data blocks (to & from) the share volumes would be additionally > > encrypted, so that I could be running everything securely, even if > > some attacker managed to do maximally evil things to my WiFi/WPA2 > > network. > > > > Do NFS and/or SMB have their own built-in encryption? > > No, not really. > > NFS has no built-in encryption, it may be possible to tunnel it but this > is out-of-scope here (using a VPN and tunnel everything would be easier > than nitpicking and tunnel only the NFS data flow). This statement is either false or highly misleading. NFS (both v3 and v4) is an RPC protocol, and RPCSEC_GSS exists and can provide per-message confidentiality protection. It may be true that Kerberos is basically the only GSS-API mechanism implemented for RPCSEC_GSS, and the necessary Kerberos setup is far more painful to set up than it needs to be, but all modern NFS implementations support it. > SMB has no widely compatible encryption: > > - Microsoft has built its own, proprietary encryption available and > compatible only with the latest Windows versions. > - Open source implementations rely on TLS, natively supported by some > client but requiring (AFAIK) `stunnel` server-side. I am not a SMB/CIFS expert, but (e.g.) https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1670508 seems to indicate that "proprietary" is false, and does not give much support to the claim that it requires TLS. (I believe in-kernel TLS support had not landed by June, when Xenial was getting its fix.) I am aware that this is a FreeBSD list and the offerings on FreeBSD for SMB are somewhat limited, but you did not scope your statement to FreeBSD and so neither do I. -Ben
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20171018224344.GA96685>