Hi All,

    I've been a user of OpenBSD for almost 10 years now and have always
advocated it as the most free and secure OS in the world (which it is).
But some things have been bugging me even more over the last few months.

    In light of the recent events that changed the way the entire world
sees the internet, aka spying, I've been paying even more attention to
any form of surveillance and monitoring. One thing I've been doing is
using dnscrypt, because my ISP did use transparent dns proxying, as I
confirmed using several methods, including the wonderful site
www.dnsleaktest.com. Needless to say, I changed my ISP. And I'm
using dnscrypt with opendns.

    Now, I'd like to ask why the openbsd infrastructure servers (www,
anoncvs, packages) do not make use of SSL certs, SSHFP DNS records,
etc. One of the recent changes of OpenSSH was to trust SSHFP records by
default when the domain zone is using DNSSEC. But the main anoncvs
server, which is the source of all code, does not have such a record.
The fingerprint isn't even published on the anoncvs page.

    I know that the most secure way is to buy the CDs and use them. But
what about the errata patches? And security related package updates?
None of those can be reliably verified. I know and use the binpatches +
package updates from M:Tier. But the trust is placed on a third party,
not on the OpenBSD project itself. Great job M:Tier, by the way.

    I volunteer myself to donate a wildcard ssl cert for the openbsd.org
domain (I use one in my company). And I also have a script that uses the
sshfp tool to update the ssh fingerprints in a named zone file. One
thing that the dnscrypt project does is use TXT dns records to store sha256
sums of their releases. This, on top of dnssec, is one of the most
secure ways of distributing hashes that I'm aware of.

    Today, to "verify" the releases, I randomly download the SUMS files
and the release files from different mirrors, using different internet
links. This method isn't 100% interception proof, but it is what can
be done now, with the current infrastructure.

    On the packages side, I know that not all the mirrors can have
dnssec or ssl on top of them. But if we could at least verify the
signature with an OpenBSD provided cert that is installed with the
release itself, this would be awesome.

    Anyway, these are just suggestions, and I would be happy to help
implement them. What do you guys think?

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
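The SSHFP records the post asks for are simple to generate and to check, and seeing the format makes clear what OpenSSH actually compares when `VerifyHostKeyDNS` is on. The following is an added example, not code from the poster, from the sshfp tool he mentions, or from the OpenBSD project: it builds SSHFP RDATA (algorithm number, fingerprint type, hex digest of the raw key blob) from an OpenSSH public-key line, renders a zone-file line, and verifies a presented host key against a list of records the way the client does. The key material is a constructed 32-byte sample rather than a real Ed25519 key, and the owner name `anoncvs.example.org` is a placeholder; on a real host the same records come from `ssh-keygen -r <hostname> -f /etc/ssh/ssh_host_ed25519_key.pub`.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP RDATA field values: algorithm (RFC 4255, RFC 6594, RFC 7479) and
# fingerprint type (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
FPTYPE_NAME = {v: k for k, v in SSHFP_FPTYPE.items()}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def pubkey_blob(pubkey_line: str) -> tuple:
    """Parse 'type base64 [comment]' and return (type, decoded blob).

    The blob's leading string must match the declared type; a mismatch means
    the line was edited or corrupted, so refuse it instead of hashing it.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != keytype:
        raise ValueError("key type field does not match key blob")
    return keytype, blob


def sshfp_rdata(pubkey_line: str, fptype: str = "sha256") -> str:
    """Return the SSHFP RDATA 'algorithm fptype hexdigest' for a public key line.

    The fingerprint is the hash of the raw key blob (the base64-decoded field),
    which is what ssh-keygen -r emits and what the OpenSSH client compares.
    """
    keytype, blob = pubkey_blob(pubkey_line)
    digest = hashlib.new(fptype, blob).hexdigest()
    return f"{SSHFP_ALGO[keytype]} {SSHFP_FPTYPE[fptype]} {digest}"


def sshfp_zone_line(owner: str, pubkey_line: str, fptype: str = "sha256") -> str:
    """Render one zone-file record, e.g. 'anoncvs.example.org. IN SSHFP 4 2 <hex>'."""
    return f"{owner}. IN SSHFP {sshfp_rdata(pubkey_line, fptype)}"


def verify_hostkey(pubkey_line: str, records: list) -> bool:
    """Check a presented host key against SSHFP RDATA strings from DNS.

    Mirrors the client-side match: same algorithm number, a fingerprint type we
    know, and a constant-time equal hex digest. Any one matching record passes.
    """
    keytype, blob = pubkey_blob(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    for rec in records:
        fields = rec.split()
        if len(fields) != 3 or int(fields[0]) != algo:
            continue
        name = FPTYPE_NAME.get(int(fields[1]))
        if name is None:
            continue
        if hmac.compare_digest(hashlib.new(name, blob).hexdigest(), fields[2].lower()):
            return True
    return False


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public key line from 32 bytes (sample data, not a real key)."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: a deterministic 32-byte "key" and a tampered copy of it.
SAMPLE_KEY = make_ed25519_pubkey_line(bytes(range(32)))
TAMPERED_KEY = make_ed25519_pubkey_line(bytes(range(1, 33)))

if __name__ == "__main__":
    for fp in ("sha1", "sha256"):
        print(sshfp_zone_line("anoncvs.example.org", SAMPLE_KEY, fp))
    dns_records = [sshfp_rdata(SAMPLE_KEY)]
    print("genuine key matches:", verify_hostkey(SAMPLE_KEY, dns_records))
    print("tampered key matches:", verify_hostkey(TAMPERED_KEY, dns_records))
```

The record only binds a hash of the key, so it is exactly as trustworthy as the DNS answer that carried it: without DNSSEC validation on the resolver path an on-path attacker who can swap the host key can swap the SSHFP record too, which is why the default-trust behaviour the post refers to is tied to a validated (AD-flagged) response.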
