> On Sep 18, 2015, at 10:44 AM, Brett Glass <brett at lariat.org> wrote:
>
> At 08:07 AM 9/18/2015, Ben Bailess wrote:
>
>> I have to echo this sentiment -- authentication is important, and so is
>> integrity. HTTPS would provide both -- to be sure you're talking to the
>> "real" FreeBSD and give you confidence that your page content has not been
>> altered in transit by a network adversary (e.g. if you are using Tor)*.
>
> I'd mainly be concerned about downloads of distros or updates being
> tampered with. Worms are appearing that infect not only PCs but also
> routers (e.g. the "Moon" worm, which affected most Linksys models available
> at the time), setting up a perfect scenario for an MITM attack that could
> substitute an infected file AND a forged checksum for the originals. If
> an HTTPS download site were available, I would absolutely prefer it to
> an HTTP one. Just my $0.02 USD.
>
> --Brett Glass

We have HTTPS and its benefits even if you've downloaded via insecure FTP.
See
https://www.freebsd.org/releases/10.2R/CHECKSUM.SHA256-FreeBSD-10.2-RELEASE-amd64.asc
and the rest of the links found on
https://www.freebsd.org/releases/10.2R/signatures.html or
https://www.freebsd.org/releases/9.3R/signatures.html

How did this topic of the conversation start? Because http://freebsd.org
doesn't issue a redirect to https://? Such a thing does not increase
security, it only obscures the fact the user came in through http. HSTS, HPKP
and even DANE are all non-solutions to this and related problems, or
half-solutions at best, if you ask me.

Beyond the quasi-security of HTTPS more important is the security we get from
PGP with its web of trust as well as the multitude of public key servers in
various jurisdictions worldwide.

If security is what you're after, diligence will always be part of the cost.
I'm not against the layering of additional security, but to believe HTTPS is
a one stop security shop, a silver bullet for confidentiality or integrity, is a
complacent mindset.

I may be missing the boat as to the concerns you're having. I don't
purport to know the ins and outs of freebsd-update or the binary pkg repos
since, besides the occasional download of a full release ISO, I've been
building all else from source for a long time and I'm stuck in my ways.

I will say this though: I can't seem to find the svn server key fingerprints
signed by anything [useful] (even if you count the FreeBSD web site) because I
only find the web servers' keys signed by a random one of the thousands of
[as far as I'm concerned, untrustworthy] certificate authorities. I see
merit in additionally having a secteam PGP signature over all fingerprints of
relevant https keys in use, made available at a convenient location, even if
it's only at the very web servers it's signing.

The secteam's public PGP key has proliferated across the globe for many
years now and it's next to impossible to replace that without raising the
alarm of someone exercising a modicum of diligence. HTTPS on the other hand, how
it is implemented and typically used, will betray you right under your nose and
mislead you right to your face. You need both of course because without HTTPS
(or TLS in general and really the hierarchy of anointed CAs) you can't talk
to any PGP key servers with any reasonable assurance.

You really should get the secteam's PGP key and assure it's identical
from as many varied sources as is prudent for your threat model. It's best
to verify a multitude of sources while also varying your own perspective as much
as possible over space (i.e. network), time, chosen hardware, chosen software,
etc.
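A worked example of the verification chain the reply above describes: a PGP-signed CHECKSUM.SHA256 file is parsed after its signature has been checked, the downloaded image is hashed and compared against it, and the signing key's fingerprint as seen from several independent sources is cross-checked for agreement. This is an added example, not code from the FreeBSD project or from either poster. The checksum lines follow the `SHA256 (file) = digest` layout of the linked CHECKSUM.SHA256 files; the sample image, its digests and every fingerprint below are constructed, and the `gpg --verify` of the `.asc` file, which must happen before the parse, is assumed to have been run in the shell.

```python
"""Verify a release image against a signed BSD-style SHA256 checksum file and
cross-check a PGP key fingerprint gathered from several sources.

Added example, not FreeBSD project code. Assumed workflow (not automated
here):   gpg --verify CHECKSUM.SHA256-FreeBSD-<ver>-<arch>.asc
The parser below only reads the payload; it says nothing about who signed it.
"""
import hashlib
import re
from collections import Counter
from typing import Dict, List, Optional

# One line per file, as emitted by sha256(1) in BSD format.
CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{64})\s*$")


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Return {filename: sha256hex}. Works on the clearsigned .asc variant too:
    the PGP armor lines and the 'Hash:' header simply never match the pattern."""
    digests: Dict[str, str] = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            digests[m.group("name")] = m.group("digest").lower()
    return digests


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (a real ISO would be streamed in chunks)."""
    return hashlib.sha256(data).hexdigest()


def verify_download(name: str, data: bytes, digests: Dict[str, str]) -> bool:
    """True only if `name` is listed in the signed file AND its digest matches.
    An unlisted name is a failure, not a pass: a substituted file with no
    entry must never slip through as 'nothing to compare against'."""
    expected = digests.get(name)
    if expected is None:
        return False
    return expected == sha256_of_bytes(data)


def normalise_fingerprint(fp: str) -> str:
    """Canonical form so '0x' prefixes, spacing and colon separators compare equal."""
    fp = fp.strip()
    if fp.lower().startswith("0x"):
        fp = fp[2:]
    return re.sub(r"[\s:]", "", fp).upper()


def disagreeing_sources(observations: Dict[str, str]) -> List[str]:
    """Sources whose fingerprint differs from the value most sources report."""
    if not observations:
        return []
    norm = {src: normalise_fingerprint(fp) for src, fp in observations.items()}
    majority, _ = Counter(norm.values()).most_common(1)[0]
    return sorted(src for src, fp in norm.items() if fp != majority)


def fingerprint_consensus(observations: Dict[str, str]) -> Optional[str]:
    """The agreed fingerprint, or None if even one source disagrees; a None
    means the key stays unverified until the discrepancy is explained."""
    if not observations or disagreeing_sources(observations):
        return None
    return normalise_fingerprint(next(iter(observations.values())))


# ---- constructed sample data (not a real image, digest or key) ----
SAMPLE_ISO_NAME = "FreeBSD-EXAMPLE-RELEASE-amd64-disc1.iso"
SAMPLE_ISO = b"constructed sample image contents, not a real FreeBSD ISO\n"
SAMPLE_CHECKSUM_ASC = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA256 ({SAMPLE_ISO_NAME}) = {sha256_of_bytes(SAMPLE_ISO)}
SHA256 (FreeBSD-EXAMPLE-RELEASE-amd64-memstick.img) = {"00" * 32}
-----BEGIN PGP SIGNATURE-----
(constructed sample: the real signature block is checked by gpg, not here)
-----END PGP SIGNATURE-----
"""

# The same constructed fingerprint as four sources would show it; the last
# source differs in its final digit, the kind of discrepancy a cross-check exists to catch.
SAMPLE_FINGERPRINT_SIGHTINGS = {
    "freebsd.org over https": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "keyserver A": "0x0123456789ABCDEF0123456789ABCDEF01234567",
    "printed handbook copy": "0123456789abcdef0123456789abcdef01234567",
    "mirror reached via Tor": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4568",
}

if __name__ == "__main__":
    digests = parse_checksum_file(SAMPLE_CHECKSUM_ASC)
    print("image ok:", verify_download(SAMPLE_ISO_NAME, SAMPLE_ISO, digests))
    print("tampered ok:", verify_download(SAMPLE_ISO_NAME, SAMPLE_ISO + b"x", digests))
    print("disagreeing sources:", disagreeing_sources(SAMPLE_FINGERPRINT_SIGHTINGS))
```

The order matters: the signature on the checksum file is what ties the digests to the secteam key, and the fingerprint cross-check is what ties that key to the project, so a hash match is only as strong as the two steps before it. A single disagreeing source is a reason to stop and investigate rather than to go with the majority.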