Is there some reason "freebsd.org" and all its
subdomains don't immediately 302 over to
https forever after?
Same goes for use of svn, which has no native
signable hashed commit graph, as FreeBSD's
canonical repo... instead of git which does.
Not to mention the irreproducible builds / pkgs / ISO'
On Thu, Sep 17, 2015, at 22:20, grarpamp wrote:
> Is there some reason "freebsd.org" and all its
> subdomains don't immediately 302 over to
> https forever after?
>
What good does https on freebsd.org provide except checking a box that
some people are obsessed about right now? You're adding ano
On Fri, Sep 18, 2015, at 07:21, Mark Felder wrote:
>
> > Same goes for use of svn, which has no native
> > signable hashed commit graph, as FreeBSD's
> > canonical repo... instead of git which does.
> >
>
> svn is available over https
>
I got caught up in the https discussion and didn't cove
On Thu, 17 Sep 2015, grarpamp wrote:
Is there some reason "freebsd.org" and all its
subdomains don't immediately 302 over to
https forever after?
Is there a reason to encrypt something that is completely public? Perhaps
to allow the visitor to conceal the fact that they are interested in
F
In message <1442578892.1807598.387215049.07156...@webmail.messagingengine.com>,
Mark Felder writes:
>There are two different opinions on this matter throughout the project:
>
>* Encrypt all the things
>* Encrypt what is necessary
I can recommend the book "Command & Control" as a very in
grarpamp writes:
> Not to mention the irreproducible builds / pkgs / ISO's.
The base system build is 99% reproducible. ISOs should be reproducible
as well, modulo timestamps.
Reproducible packages are extremely difficult to get right. Baptiste
spent a lot of time and effort trying to get them
>
>> Is there some reason "freebsd.org" and all its
>> subdomains don't immediately 302 over to
>> https forever after?
>
> Is there a reason to encrypt something that is completely public? Perhaps to
> allow the visitor to conceal the fact that they are interested in FreeBSD?
> That won't work
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
well, encryption does not cost much, most mobile devices are now fast enough
for IP obfuscation there are VPN providers or anonymity networks like Tor
you should look for "when leaking metadata", customized Firefox
versions like the "torbundle" package o
On Fri, Sep 18, 2015 at 02:49:01PM +0200, Dag-Erling Smørgrav wrote:
> > These days these flaws are more than a bit ridiculous,
>
> You seem to be implying that everybody else is doing it except us. This
> is not true. Debian and Fedora are or have been working on it but with
> no success to dat
On Fri, Sep 18, 2015 at 02:49:01PM +0200, Dag-Erling Smørgrav wrote:
> grarpamp writes:
> > Not to mention the irreproducible builds / pkgs / ISO's.
>
> The base system build is 99% reproducible. ISOs should be reproducible
> as well, modulo timestamps.
freebsd-update builds are irreproducible
Daniel Feenberg writes:
> Is there a reason to encrypt something that is completely public?
Watering hole attacks.
DES
--
Dag-Erling Smørgrav - d...@des.no
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebs
On Fri, Sep 18, 2015, at 08:53, Dag-Erling Smørgrav wrote:
> Daniel Feenberg writes:
> > Is there a reason to encrypt something that is completely public?
>
> Watering hole attacks.
Watering hole attack describes the *site* being compromised because it's
popular and you know the target(s) will
Mark Felder writes:
> Dag-Erling Smørgrav writes:
> > Daniel Feenberg writes:
> > > Is there a reason to encrypt something that is completely public?
> > Watering hole attacks.
> Watering hole attack describes the *site* being compromised because it's
> popular and you know the target(s) will go
On Fri, Sep 18, 2015 at 07:45:29AM -0400, Daniel Feenberg wrote:
> Is there a reason to encrypt something that is completely public?
> Perhaps to allow the visitor to conceal the fact that they are
> interested in FreeBSD? That won't work, since the IP address of the
> server can't be encrypted. I
I have to echo this sentiment -- authentication is important, and so is
integrity. HTTPS would provide both -- to be sure you're talking to the
"real" FreeBSD and give you confidence that your page content has not been
altered in transit by a network adversary (e.g. if you are using Tor)*.
*I hone
Glen Barber wrote:
In fact, Debian has been kind enough to even provide a page that shows
which parts of the FreeBSD build are non-reproducible.
https://reproducible.debian.net/freebsd/freebsd.html
This issue is one of the reasons secure sites do not use binary packages
or freebsd-update. It
On Fri, Sep 18, 2015 at 04:05:39PM +0200, Dag-Erling Smørgrav wrote:
> Then again, if you have the means to mount a MITM attack you probably
> have the means to get a valid certificate.
If you're that paranoid, there's a nice Firefox extension called CertPatrol
that will alert you to any changes i
On 09/18/15 08:47, Daniel DP. Plominski wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
well, encryption does not cost much, most mobile devices are now fast enough
for IP obfuscation there are VPN providers or anonymity networks like Tor
you should look for "when leaking metadata", customize
On 2015-09-18 Fri 09:09:05 + William A. Mahaffey III, wrote:
> On 09/18/15 08:47, Daniel DP. Plominski wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > well, encryption does not cost much, most mobile devices are now fast enough
> > for IP obfuscation there are VPN providers
Ben Bailess wrote this message on Fri, Sep 18, 2015 at 10:07 -0400:
> I have to echo this sentiment -- authentication is important, and so is
> integrity. HTTPS would provide both -- to be sure you're talking to the
> "real" FreeBSD and give you confidence that your page content has not been
> alte
Slawa Olhovchenkov writes:
> freebsd-update builds are irreproducible due to the freebsd-update-server bug[s].
freebsd-update will most likely be gone in 11.
DES
--
Dag-Erling Smørgrav - d...@des.no
Roger Marquis writes:
> This issue is one of the reasons secure sites do not use binary packages
> or freebsd-update. It also illustrates problems admins have when
> required to buildworld/installworld when all they should need to do is
> "cd /usr/src/crypro/openssh&&make install" (for example).
At 08:07 AM 9/18/2015, Ben Bailess wrote:
I have to echo this sentiment -- authentication is important, and so is
integrity. HTTPS would provide both -- to be sure you're talking to the
"real" FreeBSD and give you confidence that your page content has not been
altered in transit by a network adv
> On Sep 18, 2015, at 10:44 AM, Brett Glass wrote:
>
> At 08:07 AM 9/18/2015, Ben Bailess wrote:
>
>> I have to echo this sentiment -- authentication is important, and so is
>> integrity. HTTPS would provide both -- to be sure you're talking to the
>> "real" FreeBSD and give you confidence that