On 05/18/15 20:04, Mark Felder:
> Fetch also doesn't have a certificate trust store out of the box.

fetch (nor SSL protocol itself) claim there is one here

> FYI, you can set SSL_NO_SSL3 and SSL_NO_TLS1 in your env to stop this
> behavior in fetch. If you add this to your base system image you can
> lock this down pretty reliably.

I'm not using fetch for transfer of secure data at all. But yes, the
countermeasures you described can be part of SA I'm calling for.

> Keep in mind that changing this default behavior in fetch would be a
> POLA violation and possibly break scripts for countless users.
> Comparatively, is the forums HTTPS also a POLA violation? Maybe! I can't
> decide. :-(

If I am called to decide between POLA being violated and security
being violated, I will vote for the POLA violation every time. Security
has a higher priority to be maintained. I'm sure it's not necessary to
compare possible damages for those two scenarios.

And no broken user script may happen in advance. No system will change
behavior unless upgraded to the patched version by a responsible admin. He
should be allowed to configure the patched system to start fetch in the former
"security violation" mode (but not by default) if that better fits
their wishes.

I consider it better than silence about the issue.

But to tell the truth, it's not my war - and no one seems to be with me here ;-)
I have my own source repository with custom system patches so I'm not tied
to "official" decisions. No offense to the FreeBSD team in any way! I'm just
not an average user. ;-)

Dan
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security