On Mon, Nov 18, 2013 at 05:07:08PM -0200, Giancarlo Razzolini wrote:
> One thing I've been doing is using dnscrypt, because my ISP did use
> transparent dns proxying

Nice! I use DNSCurve.

> Now, I'd like to ask why the openbsd infrastructure servers (www,
> anoncvs, packages), do not make use of SSL certs, SSHFP DNS records,
> etc. One of the recent changes of OpenSSH was to trust SSHFP records by
> default when the domain zone is using DNSSEC. But the main anoncvs
> server, which is the source of all code, does not have such a record.

DNSSEC is a massive outage risk, is fragile, and attracts DDoS due to
record sizes.

You say you are concerned about spying (me too). If the concern is over
a global, *passive* adversary, then DNSSEC doesn't solve anything, since
DNSSEC is not encrypted. Instead it glues you into a system that seems
to have gone out of its way to allow surveillance.

> Not even on the anoncvs page is the fingerprint published.

http://www.openbsd.org/anoncvs.html

Fingerprints for most servers are listed.

> I know that the most secure way is to buy the CDs and use them. But
> what about the errata patches?

Errata patches are included in the -stable branch.

> And security related packages updates?

Security updates are in ports but not packages. You can see recent
updates including to ports here:

https://twitter.com/OpenBSD_stable

> None of those can be reliably verified. I know and use the binpatches +
> packages updates from M:Tier. But the trust is placed on a third party,
> not on the OpenBSD project itself. Great job M:Tier, by the way.

It's worth noting that M:Tier employs at least one OpenBSD developer, so
it's not like they're a random organization that just happens to be
trustworthy. :)

> But if we could at least verify the signature with an OpenBSD provided
> cert that is installed with the release itself, this would be awesome.

This could be relatively easy for AnonCVS. For AnonCVS maintainers who
support it, key fingerprints could be listed in a local file for easy
comparison. (The blunt approach would be to pre-populate root's known
keys, but that could provoke irritation for various reasons.)

I recall a previous discussion about signing packages (did you check the
archives?) and it sounded like it would be a lot of work that developers
were not keen on.

> Anyway, these are just suggestions, and I would be happy to help
> implement them. What do you guys think?

Implement something on your own, pretending your server(s) are
responsible for OpenBSD's http, ftp, anoncvs, etc. Then show (not say)
how you did it and that it works correctly with real OpenBSD machines of
various configurations. That will get more attention.

Actually this should always be the route for making suggestions. DIY and
then show and tell.

Nicolai
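The two mechanisms the thread touches, SSHFP records and a locally kept fingerprint list for AnonCVS hosts, as an added example that is not part of the thread or of OpenBSD's tooling: it derives the SSHFP RDATA (the same fields `ssh-keygen -r` prints) from an OpenSSH public key line and checks a key against a trusted local list. The ed25519 key material is constructed for the demonstration and is not a real host key.

```python
# Added example, not code from the thread: SSHFP RDATA derivation per
# RFC 4255 / RFC 6594 / RFC 7479, plus a local-fingerprint-list check.
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RSA=1, DSA=2, ECDSA=3, Ed25519=4.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
# SSHFP fingerprint types: SHA-1=1, SHA-256=2.
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def parse_pubkey_line(line):
    """Return (key type, raw wire-format blob) from an authorized_keys or
    known_hosts style line; a leading host field is skipped if present."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field in SSHFP_ALGORITHM and i + 1 < len(fields):
            return field, base64.b64decode(fields[i + 1])
    raise ValueError("no recognised OpenSSH public key in line")


def sshfp_rdata(line, fptype="sha256"):
    """SSHFP RDATA 'alg fptype hexdigest'; the digest is over the raw blob,
    exactly what `ssh-keygen -r` publishes for the host."""
    keytype, blob = parse_pubkey_line(line)
    digest = hashlib.new(fptype, blob).hexdigest()
    return f"{SSHFP_ALGORITHM[keytype]} {SSHFP_FPTYPE[fptype]} {digest}"


def key_matches_local_list(line, trusted_records):
    """True if the key's SHA-256 SSHFP RDATA is in a locally kept trusted
    list (one RDATA string per entry, case-insensitive hex)."""
    wanted = sshfp_rdata(line, "sha256").lower().split()
    return any(rec.lower().split() == wanted for rec in trusted_records)


def constructed_ed25519_line(seed):
    """Constructed test key: a syntactically valid ssh-ed25519 public key
    line whose 32 key bytes are derived from `seed`. NOT a real key."""
    raw = hashlib.sha256(seed).digest()          # 32 constructed bytes
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + raw)       # SSH wire format
    return "ssh-ed25519 " + base64.b64encode(blob).decode()
```

Feed the output of `ssh-keyscan` for a mirror into `key_matches_local_list` with the fingerprints you keep on disk to turn the "local file for easy comparison" idea into a check.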