Date: Fri, 4 Jul 2014 00:14:48 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
To: freebsd-security@freebsd.org
Subject: Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID: <20140703221448.GA99094@calvin.ustdmz.roe.ch>
In-Reply-To: <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>
References: <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>

Eitan Adler <lists@eitanadler.com> 2014-07-03:
> On 3 July 2014 07:57, Jonathan Anderson <jonathan@freebsd.org> wrote:
> > Just my $.02, but if the FreeBSD project is to maintain a
> > ca-root-freebsd.pem, I think it should have one certificate in it: the root
> > FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> > trustworthiness of any CA, and I don't think the Project should either.
>
> Perhaps we should remove HTTPS support from libfetch and require the
> user to install wget or curl if they want to use SSL? Having a
> *default* certificate bundle (that could be removed / edited, of
> course) is not necessarily even making a trust claim about a
> particular cert. [0] IMHO the position where the majority of SSL on
> the internet is broken by default is not tenable.
>
> We support HTTP. We don't support HTTPS.
[...]

I share your view that there should be functional HTTPS capability in a
base install.

It boggles my mind how it should be better to not support HTTPS at all
or only unauthenticated HTTPS, than having to ship a not perfect CA
bundle [1] which, while putting trust in some CAs that don't deserve
that trust, is still magnitudes more secure in any sense of the word.
If you compare the risk between HTTP only or unauthenticated HTTPS,
versus HTTPS with a browser's CA bundle, HTTPS with a CA bundle wins
whichever way you look at it.

I do agree that FreeBSD should not start maintaining its own CA bundle;
but personally I don't think it matters whether we use Mozilla's,
Google's or even Microsoft's CA bundle, as long as there is one included
in a base install and HTTPS is functional by default.

[1] There is no such thing as a perfect CA bundle (i.e. both secure
    *and* usable) given how broken the whole CA system is these days.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140703221448.GA99094>