Date: Sun, 13 Apr 2014 22:24:45 -0700
From: Xin Li <delphij@delphij.net>
To: David.I.Noel@gmail.com, Dag-Erling Smørgrav <des@des.no>
Cc: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>, freebsd-security@freebsd.org, security@freebsd.org
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
Message-ID: <534B711D.5060109@delphij.net>
In-Reply-To: <CAHAXwYCYq6_S6P3Z56LNdpVgUj2y53U0Xd3_aOQfXECQ73FzJQ@mail.gmail.com>
References: <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy+srjDL_=8-x9Dza5z5Q@mail.gmail.com> <53472B7F.5090001@FreeBSD.org> <CAHAXwYDdxbRimwjvPf+5odYUUN4u4rNzdEkEmWwZN97mi1riEg@mail.gmail.com> <53483074.1050100@delphij.net> <CAHAXwYDhxmEwxtBLyZF1R1F8XENsq4FbpzVy89BN8f+RYU74KA@mail.gmail.com> <44bnw5uwmm.fsf@lowell-desk.lan> <CAHAXwYBDWEUH2yDR59Aurbsrjn4W0JAH87Qk7Oumncwagu45Bg@mail.gmail.com> <86zjjosxyy.fsf@nine.des.no> <CAHAXwYBWScbTOkdYFDRrh0faKb3BjX2gXmWhNbG-Gjfn4DLf0A@mail.gmail.com> <CAHAXwYCYq6_S6P3Z56LNdpVgUj2y53U0Xd3_aOQfXECQ73FzJQ@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 4/13/14, 10:04 PM, David Noel wrote:
> On 4/13/14, David Noel <david.i.noel@gmail.com> wrote:
>>> So by your definition, every single Apache server on the planet
>>> runs "a closed source fork of the open source Apache project"
>>> because they do not use the exact same httpd.conf?
>>
>> Ah, you're right. That's from build.conf. My mistake.
>
> Though if it's using spiped I'm not sure how it would be doing that
> from purely a config file change.

Let's focus on the more important points :)

To answer your question -- the actual portsnap build server setup is more complex than the one in the svn repository. Using spiped needs the other end on the server (which serves the svn repository). So no, it's not a pure configuration change, but a configuration change plus other setup to support it.

That said, we can confidently say "Yes" if the question is whether the portsnap build server has trustworthy direct access to the FreeBSD ports subversion repository. No MITM attack can happen without being noticed almost immediately in this chain.

The other points you have raised are more important, though.

One thing that we can easily implement to mitigate the freeze attack would probably be to make portsnap snapshots expire after a reasonable amount of time (that is, publish a timestamp signed with the portsnap key, e.g. expires after 4 hours, so instead of "No updates found" you get "Snapshot has expired, something bad happened"), but that only narrows down the window and does not fully eliminate it.

For freebsd-update I don't have a good idea at this time for the freeze attack.
Cheers,

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTS3EdAAoJEJW2GBstM+nss60P/1nHbnjp09Qmtev6zGUJv979
yKNZNYTKY8wLtVrA/Y/nasW7oWwf37etFRrBiLds22F2wDRAVobEUVURoYAJJKMp
+QRcQPaxMVPU5rZnF1+eHqp+n8LeTCfWrIaoHM3yeW/xD8O2tBgG7+YdOcIzCud8
OR3bOPwToebMnjck00fmYE8bxMs2vzJrDZCaY7b+6jrbNVbnPBZIywB50QaaaQih
+I8Qekg6zBGWXciGaVISKMUTcAVXGFhN3qxsRisBvIxIOzBeho/EwwW+3ZW0LxfY
4pZouf6++HOhSh4Jf++TtgPjwmBgFWeZxTvTtag3VzEun9KXqVGvKQnUUj508Te/
GJA/pPAIDOqvxwaVi47EZD5aVd3xmgIUy/a1x8PS+iN3REvqh+y4dOYlTl2GqG7+
5piWBygC+tqGV5oiXLKdzqnshN5KxY+lX3aCfXWlXEtH6Nnb8C+GmyA46XzNqP6N
WYAmKPqC9Zv+z0nYJxy+nNoDpAiMmj/BjhtBkDSkEYoHx8d4bT5YUotiX43V2lnZ
duJPyLbXfk4gUi7UrezOu3rQ2Cxxw/adsklVxKiEb6vzFby2+0C/PS8dOX12Gw1R
XJ6vgviXjjxGQnuhyRf+7gyXEBZ5Hpk6B2Yfbt8+WORwnREk1anp0SsrJ4llBO0M
AWwM/g92+yToCsP7CC4D
=YOTq
-----END PGP SIGNATURE-----
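The expiring signed timestamp that the message above proposes against the freeze attack, worked through as an added example. This is not part of the original post and not portsnap's own code. It assumes an HMAC-SHA256 tag as a stand-in for the portsnap RSA signature (so it runs on the Python standard library alone; a real deployment would sign with the private portsnap key and clients would verify with the public key they already ship, with the same freshness logic), a constructed JSON metadata layout, a constructed signing key and constructed build timestamps. portsnap's real snapshot metadata looks different.

```python
import hashlib
import hmac
import json

# Expiry window floated in the message: a snapshot older than this is
# reported as "expired, something bad happened" instead of "No updates found".
MAX_AGE_SECONDS = 4 * 3600

# Assumption: HMAC-SHA256 stands in for the portsnap public-key signature
# so the example needs only the standard library. The key is constructed.
SIGNING_KEY = b"constructed-example-key-not-the-portsnap-key"


def publish_metadata(key: bytes, snapshot_hash: str, published: int) -> bytes:
    """Build-server side (constructed): bind a snapshot hash to its build time."""
    payload = json.dumps(
        {"snapshot": snapshot_hash, "published": published}, sort_keys=True
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def check_metadata(key: bytes, blob: bytes, now: int,
                   max_age: int = MAX_AGE_SECONDS) -> str:
    """Client side: verify the signature first, then the freshness."""
    payload, sep, tag = blob.rpartition(b"\n")
    if not sep:
        return "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    # Check the signature before trusting any field: a MITM must not get to
    # pick the timestamp the client compares against.
    if not hmac.compare_digest(expected, tag):
        return "bad signature"
    meta = json.loads(payload)
    age = now - meta["published"]
    if age < 0:
        # Either the client clock is wrong or the blob claims a future build;
        # neither should be accepted silently.
        return "timestamp in the future"
    if age > max_age:
        return "expired"
    return "ok"


def run_scenarios() -> dict:
    """Constructed scenarios: honest fetch, freeze attack, forgery, in-window replay."""
    built_at = 1_397_450_000  # constructed build time (seconds since epoch)
    blob = publish_metadata(SIGNING_KEY, "a" * 64, built_at)

    # 1. Honest mirror, fetched an hour after the build: inside the window.
    fresh = check_metadata(SIGNING_KEY, blob, now=built_at + 3600)

    # 2. Freeze attack: a MITM keeps replaying the same signed snapshot two
    #    days later. Without the expiry the client would see "No updates found".
    frozen = check_metadata(SIGNING_KEY, blob, now=built_at + 2 * 86400)

    # 3. The MITM bumps the timestamp forward to dodge the expiry; the tag no
    #    longer matches the edited payload.
    payload, _, tag = blob.rpartition(b"\n")
    meta = json.loads(payload)
    meta["published"] = built_at + 2 * 86400
    forged = json.dumps(meta, sort_keys=True).encode() + b"\n" + tag
    tampered = check_metadata(SIGNING_KEY, forged, now=built_at + 2 * 86400)

    # 4. A replay three hours after the build still passes: this is the
    #    residual window the message says the expiry narrows but does not close.
    replay_in_window = check_metadata(SIGNING_KEY, blob, now=built_at + 3 * 3600)

    return {"fresh": fresh, "frozen": frozen, "tampered": tampered,
            "replay_in_window": replay_in_window}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The fourth scenario is the point Xin Li makes explicitly: inside the 4-hour window a replayed snapshot is indistinguishable from a genuine "no updates" answer, so the expiry bounds how long a freeze can last rather than preventing it. Shortening the window tightens that bound at the cost of false "expired" errors whenever the build server falls behind.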
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?534B711D.5060109>