HTTPS on freebsd.org, git, reproducible builds
Chad J. Milios
milios at ccsys.com
Sat Sep 19 03:48:34 UTC 2015
> On Sep 18, 2015, at 10:44 AM, Brett Glass <brett at lariat.org> wrote:
>
> At 08:07 AM 9/18/2015, Ben Bailess wrote:
>
>> I have to echo this sentiment -- authentication is important, and so is
>> integrity. HTTPS would provide both -- to be sure you're talking to the
>> "real" FreeBSD and give you confidence that your page content has not been
>> altered in transit by a network adversary (e.g. if you are using Tor)*.
>
> I'd mainly be concerned about downloads of distros or updates being
> tampered with. Worms are appearing that infect not only PCs but also
> routers (e.g. the "Moon" worm, which affected most Linksys models available
> at the time), setting up a perfect scenario for an MITM attack that could
> substitute an infected file AND a forged checksum for the originals. If
> an HTTPS download site were available, I would absolutely prefer it to
> an HTTP one. Just my $0.02 USD.
>
> --Brett Glass
We have HTTPS and its benefits even if you've downloaded via insecure FTP. See https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc and the rest of the links found on https://www.freebsd.org/releases/10.2R/signatures.html or https://www.freebsd.org/releases/9.3R/signatures.html
How did this topic of the conversation start? Because http://freebsd.org doesn't issue a redirect to https://? Such a thing does not increase security, it only obscures the fact the user came in through http. HSTS, HPKP and even DANE are all non-solutions to this and related problems, or half-solutions at best, if you ask me.
Beyond the quasi-security of HTTPS more important is the security we get from PGP with its web of trust as well as the multitude of public key servers in various jurisdictions worldwide.
If security is what you're after, diligence will always be part of the cost. I'm not against the layering of additional security, but to believe HTTPS is a one stop security shop, a silver bullet for confidentiality or integrity, is a complacent mindset.
I may be missing the boat as to the concerns you're having. I don't purport to know the ins and outs of freebsd-update or the binary pkg repos since, besides the occasional download of a full release ISO, I've been building all else from source for a long time and I'm stuck in my ways.
I will say this though: I can't seem to find the svn server key fingerprints signed by anything [useful] (even if you count the FreeBSD web site) because I only find the web servers' keys signed by a random one of the thousands of [as far as I'm concerned, untrustworthy] certificate authorities. I see merit in additionally having a secteam PGP signature over all fingerprints of relevant https keys in use, made available at a convenient location, even if it's only at the very web servers it's signing.
The secteam's public PGP key has proliferated across the globe for many years now and it's next to impossible to replace that without raising the alarm of someone exercising a modicum of diligence. HTTPS on the other hand, how it is implemented and typically used, will betray you right under your nose and mislead you right to your face. You need both of course because without HTTPS (or TLS in general and really the hierarchy of anointed CAs) you can't talk to any PGP key servers with any reasonable assurance.
You really should get the secteam's PGP key and assure it's identical from as many varied sources as is prudent for your threat model. It's best to verify a multitude of sources while also varying your own perspective as much as possible over space (i.e. network), time, chosen hardware, chosen software, etc.
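The verification workflow the message points at (check the PGP signature on the CHECKSUM.SHA256 file, then check the image against the list it contains) as an added example in Python; this is not code from the post or from the FreeBSD project. It assumes the CHECKSUM.SHA256-*.asc file is an OpenPGP clearsigned text whose body holds BSD-style `SHA256 (file) = digest` lines, that `gpg` is used for the signature check, and that the secteam key has already been obtained and cross-checked from independent sources as the message advises. The image bytes, file name and "signature" block are constructed for the demo. The `forged_list` case shows the scenario Brett describes: an attacker who substitutes both the image and the checksum list passes the hash comparison, and only the signature check catches it.

```python
"""Verify a release image against a PGP-signed SHA256 checksum list.

Added example, not code from the mailing-list post or the FreeBSD project.
Assumptions: the .asc file is OpenPGP clearsigned text (RFC 4880 section 7)
whose body holds lines "SHA256 (<file>) = <hex digest>", and `gpg` checks
the signature.  All sample data below is constructed for the demo.
"""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

# Constructed stand-ins: b"abc" plays the release image (its SHA-256 is the
# FIPS 180 test vector); the "signature" block is a placeholder, not a real
# OpenPGP signature, so signature_ok() would rightly reject SAMPLE_ASC.
NAME = "FreeBSD-10.2-RELEASE-amd64-disc1.iso"  # constructed file name
GOOD_IMAGE = b"abc"
GOOD_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
EVIL_IMAGE = b"abc with a backdoor"
SAMPLE_ASC = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA256 ({NAME}) = {GOOD_DIGEST}
-----BEGIN PGP SIGNATURE-----

placeholder-not-a-real-signature
-----END PGP SIGNATURE-----
"""


def clearsigned_body(text: str) -> str:
    """Return the signed message part of a clearsigned file: skip the armor
    header lines (e.g. "Hash: SHA256") up to the blank line, stop at the
    signature block, and undo the "- " dash-escaping.  Plain text passes
    through unchanged."""
    lines = text.splitlines()
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        i = 1
        while i < len(lines) and lines[i] != "":
            i += 1
        lines = lines[i + 1:]
    body = []
    for line in lines:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_checksums(text: str) -> dict:
    """Map file name -> expected SHA-256 hex digest from the (signed) body."""
    digests = {}
    for line in clearsigned_body(text).splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            digests[m.group("name")] = m.group("digest")
    return digests


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-GB ISO is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def gpg_verify_command(asc_path, keyring=None) -> list:
    """argv for checking the clearsigned file.  Pin the keyring holding the
    independently verified secteam key instead of trusting whatever keys
    happen to be imported, so a stray key cannot satisfy the check."""
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    return cmd + [str(asc_path)]


def signature_ok(asc_path, keyring=None) -> bool:
    """True only when gpg reports a good signature; a missing gpg binary
    counts as unverified rather than as a pass."""
    try:
        proc = subprocess.run(gpg_verify_command(asc_path, keyring), capture_output=True)
    except FileNotFoundError:
        return False
    return proc.returncode == 0


def verify_download(image_path, checksum_text: str, expected_name: str) -> tuple:
    """Hash comparison only.  It is meaningful solely when checksum_text came
    from a file whose signature passed signature_ok(); on its own it accepts
    an attacker's image paired with an attacker's checksum list."""
    digests = parse_checksums(checksum_text)
    if expected_name not in digests:
        return False, "no entry for " + expected_name
    if sha256_file(image_path) != digests[expected_name]:
        return False, "sha256 mismatch"
    return True, "ok"


def forged_checksums(image: bytes) -> str:
    """What a MITM on plain HTTP can serve next to a substituted image: a
    matching digest with no secteam signature over it."""
    return f"SHA256 ({NAME}) = {hashlib.sha256(image).hexdigest()}\n"


def run_demo() -> dict:
    """Genuine image, tampered image, and tampered image plus forged list."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d) / NAME, Path(d) / ("evil-" + NAME)
        good.write_bytes(GOOD_IMAGE)
        bad.write_bytes(EVIL_IMAGE)
        return {
            "genuine": verify_download(good, SAMPLE_ASC, NAME),
            "tampered": verify_download(bad, SAMPLE_ASC, NAME),
            "forged_list": verify_download(bad, forged_checksums(EVIL_IMAGE), NAME),
        }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
    print("signature on constructed sample:", signature_ok(Path("CHECKSUM.SHA256.asc")))
```

In real use the order is: fetch the .asc over any transport, run `signature_ok` against a keyring that contains only the secteam key you verified out of band, and only then feed the same file to `verify_download`; the `forged_list` result above returning `(True, "ok")` is exactly why the hash comparison alone is not the check.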