CA's TLS Certificate Bundle in base = BAD

grarpamp grarpamp at
Thu Feb 25 04:38:39 UTC 2021


Third party CA's are an untrusted automagical nightmare of global and
local MITM risk...
- CA's issuer gone wrong... Govt, Corp, Bribe, Rogue, Court, War,
Force Majeure, Crime, Hack, Spies, Lulz, etc.
- CA's store bundler gone wrong... Mozilla, Microsoft, Apple, BSD, etc
in same ways above.
- Undetected stolen unrevoked unchecked CA's, intermediates, server keys, etc.
- Total/targeted IP/DNS traffic user interception by agents, vpn's,
proxies, tor, mitmproxy, sslstrip, etc.
- Base asserting trust over all that, when reality none is due.

There should be no non-FreeBSD.Org/Foundation CA's shipped in base.
Its shipped pubkey fingerprint sets can bootstrap TLS infra pubkeys/prints
off bsd keyserver, to then pubkey pin TLS fetch(1) / pkg(8) / git(1) to reach
pkg ca_root_cert, git src ports repos, update, iso, etc.
See curl(1) --pinned-pubkey, GPG, etc.

Users should delete all those ~139 garbage CA's,
only add in the ones they find they need during use,
easily scripted and tooled, start with say the...
- LetsEncrypt chain

And force TLS pubkey fingerprint pin check on critical services.

Search web for howtos.

At minimum require user / install to ack before use...
mv /etc/ssl/certs.shipped_disabled /etc/ssl/certs

More information about the freebsd-questions mailing list