Date: Mon, 18 May 2015 13:04:38 -0500 From: Mark Felder <feld@FreeBSD.org> To: freebsd-security@freebsd.org Subject: Re: Forums.FreeBSD.org - SSL Issue? Message-ID: <1431972278.2880231.271899561.7D0CC1CF@webmail.messagingengine.com> In-Reply-To: <555A228B.8080807@obluda.cz> References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com> <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com> <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net> <20150514193706.V69409@sola.nimnet.asn.au> <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net> <5554879D.7060601@obluda.cz> <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com> <5556E5DC.7090809@obluda.cz> <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com> <55590817.1030507@obluda.cz> <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com> <55591EE8.9070101@obluda.cz> <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com> <555A228B.8080807@obluda.cz>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 18, 2015, at 12:34, Dan Lukes wrote: > On 05/18/15 15:52, Mark Felder: > > I mean, should we have an SA because our libc supports strcpy and people > > can use that and create severe vulnerabilities? > > No, but we should have SA whenever other system component is using > strcpy() the way that may affect system security. > > System utility 'fetch' is willing negotiate known-to-be-insecure > protocol with no warning and by default. Sensitive user's data may be > transferred by base system utility via insecure protocol. I consider it > bug in fetch code. A system utility must not allow silent transfer of > data via known insecure protocol if secure transfer has been requested. > > I see no reason to keep the issue in the dark, even in the case the > issue will not be patched on 8-R & 9-R. OK, I'm former bank IT security > officer, so I my expectations related to handling of security issues may > be set so high. > > It seems there is nothing more to say about this (slightly off-)topic. I > wish the vulnerability should be disclosed to public, you wish it is not > necessary because it's known bug in a protocol design and users doesn't > expect secure channel from 'fetch'. > > Two men, two opinions. It's not necessary to reach consent. > > Thank you for all comments and responses. > > Dan > Fetch also doesn't have a certificate trust store out of the box. It's very dependent on the sysadmin to make good decisions. Much like Apache with mod_ssl will *accept* connections on SSLv3 unless you manually configure the protocols. FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this behavior in fetch. If you add this to your base system image you can lock this down pretty reliably. Keep in mind that changing this default behavior in fetch would be a POLA violation and possibly break scripts for countless users. Comparatively, is the forums HTTPS also a POLA violation? Maybe! I can't decide. :-(
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1431972278.2880231.271899561.7D0CC1CF>