Do you still need CTM?

Isaac (.ike) Levy ike at blackskyresearch.net
Thu Aug 20 20:32:57 UTC 2015


Hi,

> On Aug 20, 2015, at 11:37 AM, Helge Oldach <freebsd at oldach.net> wrote:
> Roman Kurakin wrote on Thu, 20 Aug 2015 15:04:52 +0200 (CEST):
>> On 08/20/2015 03:59 PM, Helge Oldach wrote:
>>> Julian H. Stacey wrote on Thu, 20 Aug 2015 14:01:03 +0200 (CEST):
>>>> If an axer asserts
>>>> there's a security issue, original author phk@ may be interested.
>>>> <ctm-users at freebsd.org> may also be interested to fix it, but
>>>> axe proponent has Not provided us detail.
>>> I suspect it's related to a potential MITM threat: Both freebsd-update as well as svn deliver mechanisms to detect such attacks and refuse to update. CTM doesn't - actually it's fairly easy to tamper with deltas shipped by unencrypted e-mail. (No, md5 sums don't help.)
>> So, signing emails would be enough?
> 
> IMHO signing e-mails is the easy part.
> 
> On the e-mail receiver side you actually want something similar to "certificate pinning" to get the same level of confidentiality as freebsd-update or svn (through https) deliver. That would involve quite a bit of hacking the CTM receiver I guess.
> 
> But CTM deltas are also available through http(s) and ftp and mirrored to a lot of sites. How do we deal with the confidentiality issue here without losing functionality? Again quite a bit of hacking I think.
> 
> Note I am still just guessing about the security issues mentioned. Maybe they are actually different.
> 
> Regards,
> Helge

I'm also not aware of the actual security issues raised, yet I believe CTM is not rendered completely useless because of the plain-text nature of the distribution.

As far as security goes, I'm a firm supporter of diversity above any monoculture, even when diversity means unsigned or unencrypted transmission.  For that alone, I'd be very sad to see CTM go.

--
Additionally, one small idea: instead of signing all emails, is there any way to leverage mtree(8) files signed by a trusted source, which people could use to validate the sources after CTM patches have been applied?  The mtree(8) digests could be signed with simple utilities like OpenBSD's signify(1), or some other similar mechanism which works from seeding trust.  Just a thought, trying to reduce the need to re-work the existing CTM machinery.

Best,
.ike
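The check Ike sketches above, as an added example that is not part of the original post and not code from FreeBSD's CTM or mtree(8): a manifest of per-file SHA-256 digests is taken from a trusted tree, distributed signed, and compared against the local tree after the CTM deltas have been applied. The manifest is written and read in a small subset of the mtree(8) spec format (`/set` defaults, nested `type=dir` entries closed by `..`, `sha256digest=` keywords) in pure Python so that it runs offline on any system; mtree(8) itself would produce and consume the same shape with `mtree -c -K sha256digest -p /usr/src` and `mtree -K sha256digest -p /usr/src < spec`. The signature step is delegated to signify(1) (`signify -S -s key.sec -m src.mtree` on the publisher side, `signify -V -p key.pub -m src.mtree` before trusting the manifest) and is not executed here. The sample source tree, the tampered files and the key/file names are all constructed for the demonstration.

```python
"""Signed mtree-style manifest check for a CTM-patched source tree.

Added example, not code from the original post or from FreeBSD's CTM/mtree(8).
Handles a subset of the mtree(8) spec format: comments, /set and /unset,
nested `type=dir` entries closed by `..`, and key=value keywords. Names
containing whitespace (vis-encoded by real mtree) are not decoded.
"""
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _kv(tokens):
    # "size=12" -> {"size": "12"}; a bare keyword maps to ""
    out = {}
    for t in tokens:
        k, _, v = t.partition("=")
        out[k] = v
    return out


def write_spec(root):
    """Emit an mtree(8)-style spec with a sha256digest for every regular file."""
    root = Path(root)
    lines = ["/set type=file", ". type=dir"]

    def walk(d, depth):
        indent = "    " * depth
        for entry in sorted(os.listdir(d)):
            p = d / entry
            if p.is_dir():
                lines.append(f"{indent}{entry} type=dir")
                walk(p, depth + 1)
                lines.append(f"{indent}..")
            elif p.is_file():
                lines.append(f"{indent}{entry} size={p.stat().st_size} "
                             f"sha256digest={sha256_file(p)}")

    walk(root, 1)
    lines.append("..")
    return "\n".join(lines) + "\n"


def parse_spec(text):
    """Parse the spec subset into {relative_path: {keyword: value}}."""
    entries, defaults, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "/set":
            defaults.update(_kv(tokens[1:]))
        elif tokens[0] == "/unset":
            for k in tokens[1:]:
                defaults.pop(k, None)
        elif tokens[0] == "..":
            if stack:
                stack.pop()
        else:
            name = tokens[0]
            attrs = dict(defaults)
            attrs.update(_kv(tokens[1:]))
            rel = "." if name == "." else "/".join(stack + [name])
            entries[rel] = attrs
            if attrs.get("type") == "dir" and name != ".":
                stack.append(name)
    return entries


def check_tree(root, spec_text):
    """Compare the tree under `root` with the spec; return a sorted problem list.

    Reports files that are missing, whose digest differs, or that are present
    but absent from the (signed) manifest, which is exactly what a tampered
    CTM delta would leave behind.
    """
    root = Path(root)
    problems, seen = [], set()
    for rel, attrs in parse_spec(spec_text).items():
        if rel == "." or attrs.get("type", "file") != "file":
            continue
        seen.add(rel)
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif attrs.get("sha256digest") and sha256_file(p) != attrs["sha256digest"]:
            problems.append(f"modified: {rel}")
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            if rel not in seen:
                problems.append(f"extra: {rel}")
    return sorted(problems)


def signify_verify(pubkey, spec_path):
    """Run `signify -V -p pubkey -m spec` (expects spec_path + '.sig' beside it).

    Raises CalledProcessError on a bad signature; call this before check_tree.
    Not executed in the demo below, since it needs signify(1) and a key pair.
    """
    subprocess.run(["signify", "-V", "-p", str(pubkey), "-m", str(spec_path)], check=True)


def demo():
    """Constructed sample tree: clean check, then a simulated tampered delta."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "src"
        (root / "sys" / "kern").mkdir(parents=True)
        (root / "Makefile").write_text("all:\n\ttrue\n")
        (root / "sys" / "kern" / "init_main.c").write_text("int main(void){return 0;}\n")
        spec = write_spec(root)            # what the trusted source would sign
        clean = check_tree(root, spec)
        # a bad delta: one file altered, one removed, one added
        (root / "sys" / "kern" / "init_main.c").write_text("int main(void){return 1;}\n")
        (root / "Makefile").unlink()
        (root / "sys" / "kern" / "backdoor.c").write_text("/* not in manifest */\n")
        tampered = check_tree(root, spec)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest only has to be signed once per published tree state, so the existing CTM delta path needs no change: recipients apply the deltas as before, fetch the small spec plus its `.sig` from any mirror, verify the signature against a pinned `key.pub`, and run the comparison. Any delta that was modified in transit shows up as a `modified:` or `extra:` entry.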