Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 4 Jul 2014 00:14:48 +0200
From:      Daniel Roethlisberger <daniel@roe.ch>
To:        freebsd-security@freebsd.org
Subject:   Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?
Message-ID:  <20140703221448.GA99094@calvin.ustdmz.roe.ch>
In-Reply-To: <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>
References:  <53B499B1.4090003@delphij.net> <53B4B7FB.6070407@FreeBSD.org> <53B56F49.7030109@FreeBSD.org> <CAF6rxgmsoJCnCpnGKUXe0jnPEgGNm3BB_SF73vLOkK5X9pOoPw@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Eitan Adler <lists@eitanadler.com> 2014-07-03:
> On 3 July 2014 07:57, Jonathan Anderson <jonathan@freebsd.org> wrote:
> > Just my $.02, but if the FreeBSD project is to maintain a
> > ca-root-freebsd.pem, I think it should have one certificate in it: the root
> > FreeBSD Project cert. Beyond that, I'm not willing to vouch for the
> > trustworthiness of any CA, and I don't think the Project should either.
> 
> Perhaps we should remove HTTPS support from libfetch and require the
> user to install wget or curl if they want to use SSL?  Having a
> *default* certificate bundle (that could be removed / edited, of
> course) is not necessarily even making a trust claim about a
> particular cert. [0]   IMHO the position where the majority of SSL on
> the internet is broken by default is not tenable.
> 
> We support HTTP.  We don't support HTTPS. [...]

I share your view that there should be functional HTTPS
capability in a base install.  It boggles my mind how it should
be better to not support HTTPS at all or only unauthenticated
HTTPS, than having to ship a not perfect CA bundle [1] which,
while putting trust in some CAs that don't deserve that trust, is
still magnitudes more secure in any sense of the word.  If you
compare the risk between HTTP only or unauthenticated HTTPS,
versus HTTPS with a browser's CA bundle, HTTPS with a CA bundle
wins whichever way you look at it.

I do agree that FreeBSD should not start maintaining its own CA
bundle; but personally I don't think it matters whether we use
Mozilla's, Google's or even Microsoft's CA bundle, as long as
there is one included in a base install and HTTPS is functional
by default.

[1] There is no such thing as a perfect CA bundle (i.e. both
    secure *and* usable) given how broken the whole CA system is
    these days.

-- 
Daniel Roethlisberger
http://daniel.roe.ch/




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140703221448.GA99094>