svn commit: r331618 - head/share/man/man7

Conrad Meyer cem at freebsd.org
Tue Mar 27 15:30:11 UTC 2018


Thinking of the network as attacker-controlled is fine, but without
the CA certificate database in ports, TLS provides neither data
integrity nor confidentiality.[0]

Even with certificate validation, it's unlikely that TLS provides
meaningful confidentiality for svn.freebsd.org — IP still exposes the
server's address:

$ host 8.8.178.107
107.178.8.8.in-addr.arpa domain name pointer svnmir.ysv.freebsd.org

Even a naive network attacker can determine that you are interacting
with a FreeBSD source mirror, and can determine the direction of the
flow of information based on a simple count of upload / download bytes.

Best,
Conrad

P.S., we should probably ship a CA database in base.  Maybe with an
override version in ports to match our release model.  But, base
should be able to authenticate certificates out of the box.

[0]: https://github.com/moxie0/sslsniff

On Tue, Mar 27, 2018 at 8:01 AM, Benjamin Kaduk <bjkfbsd at gmail.com> wrote:
> On Tue, Mar 27, 2018 at 9:57 AM, Rodney W. Grimes
> <freebsd at pdx.rh.cn85.dnsmgr.net> wrote:
>>
>> > Author: trasz
>> > Date: Tue Mar 27 14:51:19 2018
>> > New Revision: 331618
>> > URL: https://svnweb.freebsd.org/changeset/base/331618
>> >
>> > Log:
>> >   Use https:// instead of http://.
>> >
>> >   MFC after:  2 weeks
>> >
>> > Modified:
>> >   head/share/man/man7/development.7
>> >
>> > Modified: head/share/man/man7/development.7
>> >
>> > ==============================================================================
>> > --- head/share/man/man7/development.7 Tue Mar 27 14:50:12 2018
>> > (r331617)
>> > +++ head/share/man/man7/development.7 Tue Mar 27 14:51:19 2018
>> > (r331618)
>> > @@ -57,7 +57,7 @@ can be found at:
>> >  FreeBSD src development takes place in the CURRENT branch in
>> > Subversion,
>> >  located at:
>> >  .Pp
>> > -.Lk http://svn.FreeBSD.org/base/head
>> > +.Lk https://svn.FreeBSD.org/base/head
>> >  .Pp
>> >  There is also a read-only GitHub mirror at:
>> >  .Pp
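Review bot: the `+.Lk https://svn.FreeBSD.org/base/head` line switches the scheme, but the surrounding man page text gives the reader no guidance on validating the server certificate. The replies in this thread state that a default install has no CA certificates until they are installed from ports, so consider adding a sentence after this `.Lk` that names that prerequisite. Otherwise a reader who hits a verification failure is likely to accept the certificate unchecked. The log message "Use https:// instead of http://." would also be clearer if it stated the reason for the change.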
>>
>> Why do we want to run the load of TLS for what are public bits?
>> And fyi a default install of FreeBSD can not use https, you have
>> to install certs from ports before any of these https links
>> can even work, and that can be a royal pita in some situations.
>
>
> Many of us are used to thinking of the network as controlled by an attacker.
> Running http-not-s to fetch the sources lets "the attacker" supply an
> arbitrary collection of bits under the name FreeBSD without a good way
> for the user to check that the bits on their disk match what the
> FreeBSD Project expects them to be.
> TLS provides data integrity as well as confidentiality...
>
> -Ben
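
The certificate-validation point debated in this thread, shown as an added example that is not part of the original messages: a client with a trust anchor can tell a CA-issued certificate from a self-signed one for the same name, while a client with an empty trust store rejects both and so cannot tell them apart. The hostname `svn.example.org`, the demo CA and the function names are assumptions; it needs the `openssl` CLI, 1.1.0 or later.

```shell
#!/bin/sh
# Added example. Everything here is constructed locally: the CA, both
# certificates and the hostname svn.example.org are placeholders.
# Assumes the openssl(1) CLI, 1.1.0 or later (-no-CAfile / -no-CApath).

NAME=svn.example.org

# make_certs DIR: create a demo CA, a server certificate it signed, and a
# self-signed certificate for the same name (what an interposer can mint).
make_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$NAME" \
        -keyout "$d/real.key" -out "$d/real.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/real.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/real.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$NAME" \
        -keyout "$d/fake.key" -out "$d/fake.pem" 2>/dev/null
}

# verdict CERT [ANCHOR]: print "trusted" or "rejected". With no ANCHOR the
# trust store is empty, like a client that has no CA database installed.
verdict() {
    if [ -n "$2" ]; then
        openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi && echo trusted || echo rejected
}

demo() {
    d=$(mktemp -d) || return 1
    make_certs "$d" || { rm -rf "$d"; return 1; }
    echo "with CA:    real=$(verdict "$d/real.pem" "$d/ca.pem") fake=$(verdict "$d/fake.pem" "$d/ca.pem")"
    echo "without CA: real=$(verdict "$d/real.pem") fake=$(verdict "$d/fake.pem")"
    rm -rf "$d"
}

demo
```

With no anchor, the only way to connect at all is to skip verification, at which point the self-signed certificate is accepted exactly like the genuine one.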

