SSL is broken on FreeBSD

Doug Barton dougb at FreeBSD.org
Fri Apr 1 20:46:40 UTC 2011


István wrote:

> cool, I decided I need everything that I have on Windows or on J random
> operating system with firefox. I install the corresponding package, which is
> broken, and therefore I can't verify if somebody is doing a MITM while I
> am shopping on Amazon. Massive win!

If your concern is the CA list in firefox, no additional work is 
required beyond installing firefox. If you are ultra-concerned about 
security you can examine the source, and compile it locally. If the 
FreeBSD package is not functional, you should of course report that, and 
we will address that issue.

OTOH, it's not 100% clear to me what your actual goals are, or what 
problems you're having. If you would like to write up something along 
the lines of, "Here is what I'm trying to accomplish, and here are the 
problems I'm experiencing along the way" I'm sure that we can work on that.

> I understand you do not care about usability.

Nothing could be further from the truth. I think Chad addressed that 
topic well. I would simply like to add that it's pretty common for us to 
see people report things along the lines of, "When I try to do XYZ thing 
that I did on Linux it doesn't work on FreeBSD." What is generally the 
case in these situations is that there are alternate ways to accomplish 
the same goal on FreeBSD, and some polite discussion about that can 
usually resolve the issue.

> Thank you anyway. I am going to copy that file from Linux ;)

If Linux works for you, you should seriously consider sticking with it. 
There are lots of operating systems out there, not all of them are 
suitable for all users.

> Yep, SSL is broken.
> This is why the top 500 companies are using it to secure their business.

Before you rely too heavily on this particular line of argument you 
might want to consider that up until recently there have not been viable 
alternatives.

> I hope you have something better that we could implement tomorrow, deprecating SSL.


http://datatracker.ietf.org/wg/dane/charter/

http://www.ietf.org/mail-archive/web/keyassure/current/maillist.html


Enjoy,

Doug

PS, while asking strangers to volunteer their time to assist you, it's 
usually a good idea to refrain from rudeness and sarcasm.

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/