On 19-11-2013 16:04, Nicolai wrote:
> On Mon, Nov 18, 2013 at 05:07:08PM -0200, Giancarlo Razzolini wrote:
>
>> One thing I've been doing is using dnscrypt, because my ISP did use
>> transparent dns proxying
> Nice!  I use DNSCurve.

First, thank you for your response, Nicolai. DNSCurve adds a lot in
security for the client, prevents eavesdropping and increases
confidentiality in general, provided that you trust the server.
>
>>     Now, I'd like to ask why the openbsd infrastructure servers (www,
>> anoncvs, packages) do not make use of SSL certs, SSHFP DNS records,
>> etc. One of the recent changes of OpenSSH was to trust SSHFP records by
>> default when the domain zone is using DNSSEC. But the main anoncvs
>> server, which is the source of all code, does not have such a record.
> DNSSEC is a massive outage risk, is fragile, and attracts DDoS due to
> record sizes.
>
> You say you are concerned about spying (me too).  If the concern is over a
> global, *passive* adversary, then DNSSEC doesn't solve anything, since
> DNSSEC is not encrypted.  Instead it glues you into a system that seems
> to have gone out of its way to allow surveillance.
Yes, DNS is insecure and yes, DNSSEC leaves many things unsolved. But it is
better to have it than not. I am speaking from the client's point of view.
The other two major BSD projects have it, and not that many Linux
distributions have it, but some do. DDoS attacks can be mitigated.
>
>> Not even on the anoncvs page is the fingerprint published.
> http://www.openbsd.org/anoncvs.html
>
> Fingerprints for most servers are listed.
The only anoncvs server in Canada does not have its fingerprints
published. It's under the openbsd.org domain.
>>     I know that the most secure way is to buy the CDs and use them. But
>> what about the errata patches?
> Errata patches are included in the -stable branch.
Which have the same issue.
>
>> And security related packages updates?
> Security updates are in ports but not packages.  You can see recent
> updates including to ports here:
>
> https://twitter.com/OpenBSD_stable
>
>> None of those can be reliably verified. I know and use the binpatches +
>> packages updates from M:Tier. But the trust is placed on a third party,
>> not on the OpenBSD project itself. Great job M:Tier, by the way.
> It's worth noting that M:Tier employs at least one OpenBSD developer, so
> it's not like they're a random organization that just happens to be
> trustworthy. :)
Yes, I am aware of that. I do trust them. I use their binpatches on my
machines.
>
>> But if we could at least verify the signature with an OpenBSD provided
>> cert that is installed with the release itself, this would be awesome.
> This could be relatively easy for AnonCVS.  For AnonCVS maintainers
> who support it, key fingerprints could be listed in a local file for
> easy comparison.  (The blunt approach would be to pre-populate
> root's known keys, but that could provoke irritation for various
> reasons.)
>
> I recall a previous discussion about signing packages (did you check
> the archives?) and it sounded like it would be a lot of work that
> developers were not keen on.
Signing packages or even releases would be a bonus, but not strictly
necessary, provided there is a way to check the source securely.
>
>>     Anyway, these are just suggestions, and I would be happy to help
>> implement them. What you guys think?
> Implement something on your own, pretending your server(s) are
> responsible for OpenBSD's http, ftp, anoncvs, etc.  Then show (not say)
> how you did it and that it works correctly with real OpenBSD machines of
> various configurations.  That will get more attention.
>
> Actually this should always be the route for making suggestions.  DIY
> and then show and tell.
I can do all of that; I have already done so in the past, with the
exception of the anoncvs. But my point was to push for it on the main
domain, so that at least one link in the chain can be trusted (as much as
anything on the web can be). As things are now, if someone was
eavesdropping when you checked out the source tree and changed anything,
you are screwed (unless you always review all the code). If you go for
the releases and changes happen on the way, the same thing.

As I mentioned, what I do to mitigate this today is to download releases
and hashes from different mirrors, using two different ISPs, and compare
them. There are a lot of other issues (trusting trust, evil developer
attacks), but the goal is to improve the way to get access to the most
secure operating system on this planet.
>
> Nicolai
>

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC

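The SSHFP check the thread is asking for, as an added example that is not part of the original thread and not code from the OpenBSD project: it derives the SSHFP records for an OpenSSH public key line the way `ssh-keygen -r` does (hash of the raw key blob, algorithm and fingerprint-type numbers from RFC 4255, RFC 6594 and RFC 7479) and checks a host key against a set of SSHFP answers. The host key and the DNS answers are constructed inline (the `anoncvs.example` name, the placeholder key bytes and the `make_key_line` helper are assumptions, not real keys or real records), so it runs offline.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

# SSHFP RDATA numbers: algorithm from RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3)
# and RFC 7479 (Ed25519=4); fingerprint type 1 = SHA-1, 2 = SHA-256 (RFC 6594).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass(frozen=True)
class Sshfp:
    algorithm: int
    fptype: int
    fingerprint: str  # lowercase hex, as in zone files

    @property
    def rdata(self) -> str:
        return f"{self.algorithm} {self.fptype} {self.fingerprint}"


def parse_sshfp(rdata: str) -> Sshfp:
    """Parse the presentation form of an SSHFP record, e.g. '4 2 <hex>'."""
    alg, fptype, fp = rdata.split()
    return Sshfp(int(alg), int(fptype), fp.lower())


def sshfp_records(key_line: str) -> list:
    """What `ssh-keygen -r` emits for one public key line (authorized_keys format).

    The fingerprint is a hash of the raw key blob, i.e. the base64-decoded field;
    the declared key type must match the type string inside the blob."""
    fields = key_line.split()
    keytype, blob = fields[0], base64.b64decode(fields[1])
    wire_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + wire_len].decode() != keytype:
        raise ValueError("key blob does not match its declared type")
    alg = SSHFP_ALGORITHM[keytype]
    return [Sshfp(alg, t, h(blob).hexdigest()) for t, h in SSHFP_HASHES.items()]


def verify_host_key(key_line: str, dns_rdata: list) -> bool:
    """Accept the host key only if one of the SSHFP answers matches its fingerprint.

    Caveat: the answers are only worth anything if the resolver validated them
    (DNSSEC, AD bit set); this function assumes the caller already did that."""
    ours = {r.rdata for r in sshfp_records(key_line)}
    theirs = {parse_sshfp(r).rdata for r in dns_rdata}
    return bool(ours & theirs)


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_key_line(keytype: str, payload: bytes, comment: str = "constructed") -> str:
    """Build a public key line from a wire-format payload. Constructed test data:
    the payload is not a real key; only the blob's hash matters for SSHFP."""
    blob = _ssh_string(keytype.encode()) + payload
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed Ed25519 host key: the 32 "public key" bytes are a placeholder.
ANONCVS_KEY = make_key_line("ssh-ed25519", _ssh_string(bytes(range(32))), "anoncvs.example")
# Constructed SSHFP answers "from DNS": the current key plus a stale one, and a
# second answer set that only lists keys the server no longer uses.
DNS_ANSWER = [r.rdata for r in sshfp_records(ANONCVS_KEY)] + ["4 2 " + "ab" * 32]
STALE_ANSWER = ["4 2 " + "ab" * 32, "1 1 " + "cd" * 20]

if __name__ == "__main__":
    for r in sshfp_records(ANONCVS_KEY):
        print("anoncvs.example. IN SSHFP", r.rdata)
    print("matches DNS:", verify_host_key(ANONCVS_KEY, DNS_ANSWER))
    print("matches stale:", verify_host_key(ANONCVS_KEY, STALE_ANSWER))
```

With `VerifyHostKeyDNS yes` in ssh_config, ssh(1) does this lookup itself and only trusts the records when the resolver reports them as DNSSEC-validated; the same record strings can also be kept in a local file and compared against `ssh-keygen -r` output, which is the "fingerprints in a local file" approach mentioned earlier in the thread.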