Poul-Henning Kamp
2017-Dec-12 14:28 UTC
http subversion URLs should be discontinued in favor of https URLs
-------- In message <c27552cf-45d8-7686-c60d-256537780edc at denninger.net>, Karl Denninger writes:>Now the question becomes this -- is the proper means to handle this via >TLS (using that root cert) OR should the *transport* be fixed so that >https doesn't need to be used?I certainly would caution against inventing more encrypted transports than we already have. The only feasible alternative I see is SSH, provided we can persuade it somehow to not authenticate the client. If this requires a hacked sshd(8) which just says "welcome" I would be very worried about it coexisting with a untainted sshd on any system.>I argue the second, because the goal when it comes to source >distributions is ensuring that the code you transfer is bit-wise >identical to the code on the FreeBSD project repositories *which can be >mirrored.*I am personally a very big fan of integrity checks which does not also encrypt the content with an ephemeral key for exactly that reason. Most of the people who try to force everything behind HTTPS don't even know you can do that. For the FreeBSD SVN tree, this could almost be as simple as posting an email, maybe once a week, with the exact revision checked out and the PGP signed output of: svn co ... && find ... -print | sort | xargs cat | sha256 Such an archive would also be invaluable for reauthenticating in case, somebody ever manages to do something evil to our repo.>Solve the problem at the correct location -- either fix svn to sign and >verify updates or dump it for something that can and use that existing >mechanism (e.g. git)As I mentioned humoursly to you in private email, I don't think this particular problem will reach consensus any sooner if you also tangling it in the SVN vs GIT political issue. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk at FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Karl Denninger
2017-Dec-12 14:48 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12/12/2017 08:28, Poul-Henning Kamp wrote:> -------- > In message <c27552cf-45d8-7686-c60d-256537780edc at denninger.net>, Karl Denninger > writes: > >> Now the question becomes this -- is the proper means to handle this via >> TLS (using that root cert) OR should the *transport* be fixed so that >> https doesn't need to be used? > I certainly would caution against inventing more encrypted transports > than we already have. > > The only feasible alternative I see is SSH, provided we can persuade > it somehow to not authenticate the client. > > If this requires a hacked sshd(8) which just says "welcome" I would > be very worried about it coexisting with a untainted sshd on any > system.I generally disagree with doing this at the transport level *at all* since it's quite-arguably the wrong place to do it and further it provides an alleged "verification" you not only don't need but maybe don't want (e.g. do you CARE if the bits come from the project's server directly or not?? No.? You only care that they weren't tampered with.)>> I argue the second, because the goal when it comes to source >> distributions is ensuring that the code you transfer is bit-wise >> identical to the code on the FreeBSD project repositories *which can be >> mirrored.* > I am personally a very big fan of integrity checks which does not > also encrypt the content with an ephemeral key for exactly that > reason. > > Most of the people who try to force everything behind HTTPS don't > even know you can do that. > > For the FreeBSD SVN tree, this could almost be as simple as posting > an email, maybe once a week, with the exact revision checked out > and the PGP signed output of: > > svn co ... && find ... -print | sort | xargs cat | sha256 > > Such an archive would also be invaluable for reauthenticating in > case, somebody ever manages to do something evil to our repo.That's a halfway hack but a pretty easy one.....>> Solve the problem at the correct location -- either fix svn to sign and >> verify updates or dump it for something that can and use that existing >> mechanism (e.g. git) > As I mentioned humoursly to you in private email, I don't think > this particular problem will reach consensus any sooner if you > also tangling it in the SVN vs GIT political issue.Fair enough but I think my underlying point -- that svn ought to provide the ability to distribute signed bits, and if it can't then it should either be wrapped or augmented to do so if possible, and tossed if not, remains valid. Offering encrypted transport as an option is good but it fails at providing the actual attestation you want (that the bits the project committed and has on its disk are the bits you received and stored on your disk, unaltered.) Removing unencrypted transport is thus IMO a net bad as it *claims* to address this but doesn't.? That's bad because you now lead people to *believe* they have a secure means of tracking the project's bits but that's factually false. Specifically if I have a mirror of the svn repo today and I intentionally corrupt it (e.g. to insert a back door in "su") then I can have a perfectly-valid TLS/SSL certificate and serve you an exact copy of the bits on my disk but since I corrupted the bits on the disk you still get screwed! Signed commits prohibit this sort of chicanery in that I cannot generate the project's signature.? They thus make possible known-good mirrors of the code repo that do not have to be under the physical control of the FreeBSD project.? This extends the existing capability to verify -RELEASE distributions on a mirror to the source, which IMHO is a net good and thus if we're talking about the context of source distribution security it is where attention should be focused. -- Karl Denninger karl at denninger.net <mailto:karl at denninger.net> /The Market Ticker/ /[S/MIME encrypted email preferred]/ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4897 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20171212/efdc8806/attachment.bin>
Jan Bramkamp
2017-Dec-12 17:22 UTC
http subversion URLs should be discontinued in favor of https URLs
On 12.12.17 15:28, Poul-Henning Kamp wrote:> For the FreeBSD SVN tree, this could almost be as simple as posting > an email, maybe once a week, with the exact revision checked out > and the PGP signed output of: > > svn co ... && find ... -print | sort | xargs cat | sha256 > > Such an archive would also be invaluable for reauthenticating in > case, somebody ever manages to do something evil to our repo. > >> Solve the problem at the correct location -- either fix svn to sign and >> verify updates or dump it for something that can and use that existing >> mechanism (e.g. git) > > As I mentioned humoursly to you in private email, I don't think > this particular problem will reach consensus any sooner if you > also tangling it in the SVN vs GIT political issue.How about an uncompressed tarball signed with signify? It could be replicated with rsync (or zsync) and getting security patches wouldn't require lots of network bandwidth. I still prefer to encrypt every transfer with PFS only protocols, but even with transport encryption in place content authentication is still valuable because it allows the use of caching proxies.
Bakul Shah
2017-Dec-12 18:00 UTC
http subversion URLs should be discontinued in favor of https URLs
On Tue, 12 Dec 2017 14:28:08 +0000 "Poul-Henning Kamp" <phk at phk.freebsd.dk> wrote:> > For the FreeBSD SVN tree, this could almost be as simple as posting > an email, maybe once a week, with the exact revision checked out > and the PGP signed output of: > > svn co ... && find ... -print | sort | xargs cat | sha256 > > Such an archive would also be invaluable for reauthenticating in > case, somebody ever manages to do something evil to our repo.Sort of a public ledger. I have a vague memory of some project *publishing* a crypto fingerprint of a collection of documents in a well-known newspaper.... I think it was this one: https://www.technologyreview.com/s/402961/fingerprinting-your-files/ Computing hashes of hashes is also the basis of a secure timestamp service invented by Stuart Haber and Scott Stornetta while the two were at Bellcore in 1990. The service, called Surety, makes it possible to generate a cryptographically secure and unforgeable proof that a given document, photograph, or other file existed at a particular time on a particular date and that it hasnt been changed since. The Surety technique works by computing a hash tree based on the hash codes of every document being time-stamped. The root of the tree is then published in a well-known locationit could, for example, be printed in a classified advertisement in the New York Times. You can prove that your document existed on the day in question by showing that your documents fingerprint was needed to generate the fingerprint-of-fingerprints that appeared in the newspaper. Nowadays can you even trust NYT?!