Re: Trusting the Installation
we tried those certs. they are not trusted by mobile devices. and those certificates are free only for 3 months (you are supposed to buy them after that). so, it's marketing stuff, not a real deal.

On 5 March 2012 at 13:49, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:

> On 2012-03-04 07:05, Илья Шипицин wrote:
> > if you mean public SSL certs, it's about $500/year. are you willing to pay for SSL certs ? I can do the rest. I have installed tens ssl-enabled services.
>
> Slightly OT: StartSSL offers free certificates trusted by every browser, so you're just exaggerating - a lot.
>
> -- Hugo Osvaldo Barrera
Re: Trusting the Installation
> On Sunday 04 March 2012 12:12:19 Anonymous Remailer (austria) wrote:
> > > the reason is you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code
> >
> > You can but nobody does. If the entire OpenBSD team can't finish a complete audit of OpenBSD in one release cycle how long do you suppose it would take one person to do that? Not very practical.
>
> If someone thinks he has to audit the whole tree, he is not practical already. It is not difficult to get a trusted source rep and compare the downloaded source with that and investigate the differences if they think it is needed.

What is trusted? Until some trusted group or person audits the source and signs it there is nothing to compare anything to.

> If they don't even trust the source code on the DVD, they have bigger problems than just secure downloads.

Agreed, just arguing against the absurd idea quoted at the top.
Re: Trusting the Installation
On 2012-03-05 06:08, Илья Шипицин wrote:

> we tried those certs. they are not trusted by mobile devices. and those certificates are free only for 3 months (you are supposed to buy them after that). so, it's marketing stuff, not a real deal.

That's totally wrong. They last a year, and you can get a new one (again, for free) after they expire. I'm not sure what mobile device distrusts them, most do. And how often do you download OpenBSD ISOs from mobile devices?

-- Hugo Osvaldo Barrera
Re: Trusting the Installation
On Monday, 5 March 2012, 10:12:02, Илья Шипицин wrote:

> P.S. I'm not a paranoic, but I respect people to be paranoic if they want to.

You can be paranoid about the sources and binaries all you want, but you still don't know the CPU which executes all that code. Even if Intel/AMD would give you full access to their CPU blue prints, the chip foundry could add things you would not notice.

That's the reason why companies which make secure encryption devices would never trust any CPU/OS combo. Depending on paranoia they offer you either an FPGA based solution or a hard wired one from logic ICs.

And even if you create the most trusted device, using nothing but 100 year old relays and passive components, you are still prone to the "we will whack you with a wrench if you don't give me your keys" attack. Very, very effective.
Re: Trusting the Installation
* Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 12:01]:

> That's the reason why companies which make secure encryption devices would never trust any CPU/OS combo. Depending on paranoia they offer you either an FPGA based solution or a hard wired one from logic ICs.

dream on.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Trusting the Installation
I'd agree that 100% paranoic will never trust hardware vendor as well. Only own manufactured components should be used in conjunction with md5/sha1 checksum evaluation and source code audit.

On 5 March 2012 at 17:00, Rudolf Leitgeb rudolf.leit...@gmx.at wrote:

> On Monday, 5 March 2012, 10:12:02, Илья Шипицин wrote:
> > P.S. I'm not a paranoic, but I respect people to be paranoic if they want to.
>
> You can be paranoid about the sources and binaries all you want, but you still don't know the CPU which executes all that code. Even if Intel/AMD would give you full access to their CPU blue prints, the chip foundry could add things you would not notice.
>
> That's the reason why companies which make secure encryption devices would never trust any CPU/OS combo. Depending on paranoia they offer you either an FPGA based solution or a hard wired one from logic ICs.
>
> And even if you create the most trusted device, using nothing but 100 year old relays and passive components, you are still prone to the "we will whack you with a wrench if you don't give me your keys" attack. Very, very effective.
Re: Trusting the Installation
On Monday, 5 March 2012, 12:36:56, Henning Brauer wrote:

> * Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 12:01]:
> > That's the reason why companies which make secure encryption devices would never trust any CPU/OS combo. Depending on paranoia they offer you either an FPGA based solution or a hard wired one from logic ICs.
>
> dream on.

Feel free to trust an Intel Core 2 :) Theo, for whatever reason, doesn't
Re: Trusting the Installation
* Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 13:21]:

> On Monday, 5 March 2012, 12:36:56, Henning Brauer wrote:
> > * Rudolf Leitgeb rudolf.leit...@gmx.at [2012-03-05 12:01]:
> > > That's the reason why companies which make secure encryption devices would never trust any CPU/OS combo. Depending on paranoia they offer you either an FPGA based solution or a hard wired one from logic ICs.
> >
> > dream on.
>
> Feel free to trust an Intel Core 2 :)

you completely missed the point of my remark. most secure encryption devices on the market run linux. their security is snake oil. you don't wanna know what I have seen (and I can't talk about it in most cases)...

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Trusting the Installation
On Monday, 5 March 2012, 13:30:14, Henning Brauer wrote:

> you completely missed the point of my remark. most secure encryption devices on the market run linux. their security is snake oil. you don't wanna know what I have seen (and I can't talk about it in most cases)...

This mailing list is not about snake oil products on sale somewhere. The post I replied to asked how one can be sure he runs trusted software and my reply was it doesn't help you if you aren't 100% sure your hardware is kosher. And for all practical purposes you can't.

One doesn't have to be 100% paranoid to distrust hardware. Look where almost all desktop and laptop CPUs come from. And where these devices plus their peripherals are made.

And again: even 100% secure hardware/software won't protect you against extortion/torture/whatever means to get that piece of info.
Re: Trusting the Installation
Rudolf Leitgeb wrote [2012-03-05 13:51+0100]:

> Look where almost all desktop and laptop CPUs come from. And where these devices plus their peripherals are made.

Oh yes! You really just can't trust America. Really.

--steffen
Re: Trusting the Installation
> This mailing list is not about snake oil products on sale somewhere. The post I replied to asked how one can be sure he runs trusted software and my reply was it doesn't help you if you aren't 100% sure your hardware is kosher. And for all practical purposes you can't.

True but I think it should be enough for most people if the OpenBSD team posts hashes or sigs on their sites and you download from a mirror and check against those hashes or sigs. If someone has enough power to p0wn the OpenBSD site as well as various mirrors you may as well quit while you're ahead.

(Yes I realize they already do that. Apparently the OP does not realize that)
Re: Trusting the Installation
2012/3/5 Илья Шипицин chipits...@gmail.com:

> I'd agree that 100% paranoic will never trust hardware vendor as well. Only own manufactured components should be used in conjunction with md5/sha1

md5 - YMMD :-)
Re: Trusting the Installation
On 2012-02-29 01:13, Nico Kadel-Garcia wrote:

> This just came up in the Scientific Linux mailing list. While checksums are useful, they're not helpful if both the checksum and the file itself are corrupted. Someone (namely me!) also pointed out the possibility of manipulating the FTP or HTTP transmission en route, and I pointed out the risk of a Trojan infested mirror, Bittorrent, or other popular network access source. It's why I'm happy to use Bittorrent to get ISO's in a speedy fashion, but *ALWAYS* check the checksums against the original source when download is complete.

I had never thought of this. Using torrents for the file itself, and HTTP for the checksum seems to be quite secure (at least compared to the alternatives). Especially if the torrent file has hundreds of seeders.

-- Hugo Osvaldo Barrera
Re: Trusting the Installation
On 29 February 2012 at 8:44, Nathan Stiles stiles.nat...@gmail.com wrote:

> Hello, I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO. Also I've noticed that HTTPS isn't implemented on openbsd.org. I was also expecting the checksum to be served over HTTPS.

if you mean public SSL certs, it's about $500/year. are you willing to pay for SSL certs ? I can do the rest. I have installed tens ssl-enabled services.

> I'm sure there's a good reason why this isn't necessary?

the reason is you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code

I wonder why you are not doing that with every ISO (which you prefer to download via torrent).

> I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?

other are doing what they want :-) it's an opensource. you can also do what you want.

> Thanks, Nathan
Re: Trusting the Installation
> the reason is you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code

You can but nobody does. If the entire OpenBSD team can't finish a complete audit of OpenBSD in one release cycle how long do you suppose it would take one person to do that? Not very practical.
Re: Trusting the Installation
2012/3/4 Илья Шипицин chipits...@gmail.com:

> the reason is you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code

Who does that? Did _you_ check the code?

Best
Martin
Re: Trusting the Installation
On Sun, Mar 04, 2012 at 12:12:19PM +0100, Anonymous Remailer (austria) wrote:

> > the reason is you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code
>
> You can but nobody does. If the entire OpenBSD team can't finish a complete audit of OpenBSD in one release cycle how long do you suppose it would take one person to do that? Not very practical.

He obviously is not providing any useful input but pretending to be a pro.
Re: Trusting the Installation
On Sunday 04 March 2012 12:12:19 Anonymous Remailer (austria) wrote:

> > the reason is you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code
>
> You can but nobody does. If the entire OpenBSD team can't finish a complete audit of OpenBSD in one release cycle how long do you suppose it would take one person to do that? Not very practical.

If someone thinks he has to audit the whole tree, he is not practical already. It is not difficult to get a trusted source rep and compare the downloaded source with that and investigate the differences if they think it is needed.

If they don't even trust the source code on the DVD, they have bigger problems than just secure downloads.
Re: Trusting the Installation
I do not check the code :-) but every paranoid user who doesn't trust to ISP (they could swap ISO image), who doesn't trust to public SSL companies (they are known to sell google certificate to Iranian government), who doesn't trust post office (they could swap CDs), who doesn't trust to developers (they can leave backdoor in code) can do that. it is open source, you can do whatever you want actually.

P.S. I'm not a paranoic, but I respect people to be paranoic if they want to.

On 4 March 2012 at 18:07, Martin Schröder mar...@oneiros.de wrote:

> 2012/3/4 Илья Шипицин chipits...@gmail.com:
> > the reason is you can download source code, look at it, make sure for yourself there's no backdoors, build your own ISO from source code
>
> Who does that? Did _you_ check the code?
>
> Best
> Martin
Re: Trusting the Installation
On 2012-03-04 07:05, Илья Шипицин wrote:

> if you mean public SSL certs, it's about $500/year. are you willing to pay for SSL certs ? I can do the rest. I have installed tens ssl-enabled services.

Slightly OT: StartSSL offers free certificates trusted by every browser, so you're just exaggerating - a lot.

-- Hugo Osvaldo Barrera
Re: Trusting the Installation
On Wed, Feb 29, 2012 at 10:44 AM, Nathan Stiles stiles.nat...@gmail.com wrote:

> Also I've noticed that HTTPS isn't implemented on openbsd.org.

Why would it be? There is no user login or account information exchanged with openbsd.org. Are you worrying that someone would, almost magically, insert malicious code in the ISO while you download it? There's good paranoia and bad paranoia...

Cheers,
Lars
Re: Trusting the Installation
On Tue, Feb 28, 2012 at 10:11 PM, Nick Holland n...@holland-consulting.net wrote:

> On 02/28/12 21:43, Nathan Stiles wrote:
> > Hello, Also I've noticed that HTTPS isn't implemented on openbsd.org.
>
> buy a CD. Really. The chains of rust you were putting your trust in has flaws.

I'm hoping Nathan saw that a bunch of root cert owners got 0wned and all their certs cannot be trusted any more, especially since those certs have been used in man-in-the-middle attacks.

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford
learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Trusting the Installation
Hello,

I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO. Also I've noticed that HTTPS isn't implemented on openbsd.org. I was also expecting the checksum to be served over HTTPS.

I'm sure there's a good reason why this isn't necessary? I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?

Thanks,
Nathan
Re: Trusting the Installation
On 02/28/12 21:43, Nathan Stiles wrote:

> Hello, I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO.

And it is. Imagine that.

> Also I've noticed that HTTPS isn't implemented on openbsd.org. I was also expecting the checksum to be served over HTTPS. I'm sure there's a good reason why this isn't necessary? I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?

buy a CD. Really. The chains of rust you were putting your trust in has flaws.

Nick.
Re: Trusting the Installation
On Tue, Feb 28, 2012 at 9:44 PM, Nathan Stiles stiles.nat...@gmail.com wrote:

> Hello, I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO. Also I've noticed that HTTPS isn't implemented on openbsd.org. I was also expecting the checksum to be served over HTTPS. I'm sure there's a good reason why this isn't necessary? I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing? Thanks, Nathan

There is a SHA256 file published in the same directory, which lists checksums of the ISO's and other files.

This just came up in the Scientific Linux mailing list. While checksums are useful, they're not helpful if both the checksum and the file itself are corrupted. Someone (namely me!) also pointed out the possibility of manipulating the FTP or HTTP transmission en route, and I pointed out the risk of a Trojan infested mirror, Bittorrent, or other popular network access source. It's why I'm happy to use Bittorrent to get ISO's in a speedy fashion, but *ALWAYS* check the checksums against the original source when download is complete.

Even a shipped CD has some subtle, secondary risks: if I put that copy in my software box and put the ISO image online locally for building virtual hosts (which I've done in the last year), what prevents some weasel at work from replacing my ISO? Yes, I trust the people I work with, but assuring the provenance of an ISO image can be a useful bit of extra certainty. This is especially the case when your local mirror is *not* as secure as you might like.
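Added example (not part of any message in this thread): the check described above, where the image comes from a mirror or torrent and its hash is compared with the checksum list fetched from the original source. It assumes the list uses BSD-style tagged lines of the form SHA256 (file) = digest; the function names and the tiny stand-in files are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style tagged entry (assumed list format): SHA256 (name) = <64 hex digits>
TAGGED = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

def parse_sha256_list(text):
    """Return {filename: hex digest}; reject malformed or duplicate entries."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = TAGGED.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not a 'SHA256 (file) = digest' entry")
        if m["name"] in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {m['name']}")
        entries[m["name"]] = m["digest"]
    return entries

def file_sha256(path, chunk=1 << 20):
    """Hash the file in chunks so a full-size ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, origin_list, mirror_list=None):
    """Check a file fetched from anywhere against the list from the original source.

    Returns "ok", "file-mismatch", "not-listed", or "mirror-list-differs"
    (the list copy served next to the download disagrees with the origin copy).
    """
    name = Path(path).name
    origin = parse_sha256_list(origin_list)
    if name not in origin:
        return "not-listed"
    if mirror_list is not None:
        if parse_sha256_list(mirror_list).get(name) != origin[name]:
            return "mirror-list-differs"
    if not hmac.compare_digest(file_sha256(path), origin[name]):
        return "file-mismatch"
    return "ok"

def demo():
    """Constructed sample: a tiny stand-in for install50.iso, not a real image."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "install50.iso"
        iso.write_bytes(b"constructed sample image\n")
        good = f"SHA256 (install50.iso) = {file_sha256(iso)}\n"
        bad = f"SHA256 (install50.iso) = {'0' * 64}\n"
        results = [verify_download(iso, good, mirror_list=good)]
        results.append(verify_download(iso, good, mirror_list=bad))
        iso.write_bytes(b"tampered image\n")  # simulate a swapped image
        results.append(verify_download(iso, good))
        results.append(verify_download(Path(d) / "cd50.iso", good))
        return results

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the channel the origin list came over, which is the point the rest of the thread argues about.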
Re: Trusting the Installation
On Tue, Feb 28, 2012 at 09:44:15PM -0500, Nathan Stiles wrote:

> Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?

Buying CDs. It's not just a donation as some characterize it. You get multiple architectures, initial source and ports trees, and loads of packages. Having the official CDs not only funds the project but also saves you a bunch of time on installs and upgrades.

Nicolai
Re: Trusting the Installation
On Wed, Feb 29, 2012 at 3:44 AM, Nathan Stiles stiles.nat...@gmail.com wrote:

> Hello, I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO.

They are

> Also I've noticed that HTTPS isn't implemented on openbsd.org.

$ host openbsd.org
openbsd.org has address 199.185.137.3
openbsd.org mail is handled by 10 cvs.openbsd.org.
openbsd.org mail is handled by 6 shear.ucar.edu.
$ host www.openbsd.org
www.openbsd.org has address 142.244.12.42

use www.openbsd.org , reasons why are in archives (hint - it's not security/privacy related)

> I was also expecting the checksum to be served over HTTPS.

Some exact reason for that? Especially regarding a lot of issues and flaws discovered during last months/years in various implementations of SSL/certificates/CAs? BTW it's open source project and there's eg. CVS web where anyone can see code. If you are really interesting target for someone then checksums served over HTTPS can slow him down only by seconds.

> I'm sure there's a good reason why this isn't necessary? I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?

Eg. with snapshots there are times when checksums are not correct on mirrors and still snapshots are correct (details in FAQ).

> Thanks, Nathan
Re: Trusting the Installation
On Tue, Feb 28, 2012 at 09:44:15PM -0500, Nathan Stiles wrote:

> Hello, I've recently installed 5.0 and based upon my experience I expected a checksum to be posted for the ISO. Also I've noticed that HTTPS isn't implemented on openbsd.org. I was also expecting the checksum to be served over HTTPS. I'm sure there's a good reason why this isn't necessary? I want to check the files I've downloaded against something? Obviously I can check a few random mirrors to ensure that files are identical. What are others doing?

man release

jirib
Re: Trusting the Installation
2012/2/29 Tomas Bodzar tomas.bod...@gmail.com:

> On Wed, Feb 29, 2012 at 3:44 AM, Nathan Stiles stiles.nat...@gmail.com
> > I was also expecting the checksum to be served over HTTPS.
>
> Some exact reason for that? Especially regarding a lot of issues and flaws discovered during last months/years in various implementations of SSL/certificates/CAs?

[...]

> > What are others doing?

Other, like the rest of the internet are using those certificate authorities (all 600+ of them?) as if they work, and make users believe that since my browser says Chunghwa Telecom or NetLock Halozatbiztonsagi Kft. is to be trusted, mylocalbank.com showing one of their certs must be fine and dandy.

Doing what others do isn't always adding to real security. As everyone says, buying the CD is a solution for the really paranoid. Going to a BSD conference where obsd devs and affiliates sell such CDs even mitigates the evil post office CD-swapper issue. If you aren't ready to shell out the bucks for one CD set, then it can't really be important.

-- To our sweethearts and wives. May they never meet. -- 19th century toast