.plan


@400000004b75d20c0392063c
Project: SSL and open source fools
Plan:

As much as I'm involved with and enjoy using open source software,
the open source ``community'' is largely incompetent when it comes to
security. Take for example the thread at:

http://article.gmane.org/gmane.comp.misc.suckless/920

There is a long-standing and disastrously false belief that there is
some benefit to encrypting communications without bothering to check who
you're encrypting them to. THERE ISN'T. None whatsoever. Middle-person
attacks happen ALL the TIME, and the tools to do them are just as easy to
use as tcpdump, if not easier. Even security people get bitten by this,
including one prominent one who had his entire mail spool stolen because
he used fetchmail to retrieve it: fetchmail silently failed to validate
certificates.

However, I keep running into this idea, especially with open source
cranks. The FreeBSD security team refused to consider it an issue
that libfetch, which is used to retrieve files by pkg_add(1) by
default, silently establishes SSL connections without performing
any verification. A patch to fix the problem was ignored, and I was
requested to go fuck myself for impugning the quality of the code in the
first place.

It seems these developers want to beat on their chests about how
untrustworthy public CAs are (they are), but do nothing to actually
help solve the problem except to pretend that SSL will magically work
on its own, thus exposing users to even greater risk than just refusing
to do SSL at all. A CA does not have to be a public CA: it can be a
corporate or personal CA. You don't even have to use CA verification --
you can use SSH-style fingerprint verification. You can use both. Or any
number of other things. But righteously ignoring the problem is asinine
behavior.
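
To make the options above concrete, here is an added example (not code
from fetchmail, libfetch or any project named here) of a Python client
that refuses to talk until the peer is authenticated by a private CA, by
an SSH-style pinned fingerprint, or by both. The function names, the
cafile path and the pin format are assumptions made for the illustration.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def pin_matches(der: bytes, pinned: str) -> bool:
    """Compare against a pin written as hex, with or without colons."""
    want = pinned.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der), want)

def make_context(cafile=None, pin_only=False) -> ssl.SSLContext:
    """cafile: PEM bundle of a corporate or personal CA (None = system store).
    pin_only: skip chain checks because the pin is the sole trust anchor."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname
    if pin_only:
        ctx.check_hostname = False   # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def connect_verified(host, port=443, cafile=None, pinned=None):
    """Return a TLS socket only after the peer has been authenticated."""
    if cafile is None and pinned is None:
        raise ValueError("refusing to connect with nothing to verify against")
    ctx = make_context(cafile, pin_only=(cafile is None))
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # CA check happens here
    except Exception:
        raw.close()
        raise
    if pinned is not None:
        # The DER certificate is available even when chain checks are off,
        # so the pin is compared before any application data is sent.
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pinned):
            tls.close()
            raise ssl.SSLError("certificate fingerprint does not match pin")
    return tls
```

The failure mode this rules out is the silent one: every path either
authenticates the peer or raises, and none falls back to an unverified
connection.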
