FYI... Third party CA's are an untrusted automagical nightmare of global and local MITM risk... - CA's issuer gone wrong... Govt, Corp, Bribe, Rogue, Court, War, Force Majeure, Crime, Hack, Spies, Lulz, etc. - CA's store bundler gone wrong... Mozilla, Microsoft, Apple, BSD, etc in same ways above. - Undetected stolen unrevoked unchecked CA's, intermediates, server keys, etc. - Total/targeted IP/DNS traffic user interception by agents, vpn's, proxies, tor, mitmproxy, sslstrip, etc. - Base asserting trust over all that, when reality none is due.
There should be no non-FreeBSD.Org/Foundation CA's shipped in base. Its shipped pubkey fingerprint sets can bootstrap TLS infra pubkeys/prints off bsd keyserver, to then pubkey pin TLS fetch(1) / pkg(8) / git(1) to reach pkg ca_root_cert, git src ports repos, update, iso, etc. See curl(1) --pinned-pubkey, GPG, etc. https://www.zdnet.com/article/surveillance-firm-asks-mozilla-to-be-included-in-firefoxs-certificate-whitelist/ https://en.wikipedia.org/wiki/Edward_Snowden https://duckduckgo.com/?q=rogue+CA+root+certificate https://www.win.tue.nl/hashclash/rogue-ca/ Users should delete all those ~139 garbage CA's, only add in the ones they find they need during use, easily scripted and tooled, start with say the... - LetsEncrypt chain And force TLS pubkey fingerprint pin check on critical services. Search web for howtos. At minimum require user / install to ack before use... mv /etc/ssl/certs.shipped_disabled /etc/ssl/certs _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
