On 27-03-2014 11:28, Shawn K. Quinn wrote:
> On Thu, Mar 27, 2014, at 09:14 AM, Jiri B wrote:
>> On Thu, Mar 27, 2014 at 08:10:05AM -0600, Theo de Raadt wrote:
>>>> TdR> ... placing openssl there is not part of any solution that would work.
>>>> TdR> What are other possible solutions?
>>>>
>>>> Do you think sftp would fit? Can you replace ftp with sftp?
>>>> I'd prefer to maintain a limited access sftp server rather than a http
>>>> one.
>>>>
>>> Wow. No.
>> Could you please elaborate why not sftp for sets (and/or
>> for pkg_add)?
> My educated guess is that ssh and sftp would not fit on the install
> disks. Though there are probably other reasons as well, including the
> fact that to truly be secure you'd have to verify the host keys
> beforehand as they could not be stored on the install disks.
>

Yes, and although the crypto algorithms that ssh uses are better than tls/ssl, there are also side-channel attacks on them to infer things, although things would be better obfuscated. So if you can't authenticate the host, nor the client, in the installation, there isn't really a point in having sftp on the installer. I believe that it would even hurt security, since you could be much more susceptible to impersonation attacks, since many, many people blindly accept ssh host keys. Signify, provided you trust the initial key, completely solves the problem of the insecure medium. If you want to obfuscate what you are installing, you're better off using a proxy.
Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
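The argument above ("provided you trust the initial key, signify solves the insecure medium") is worth seeing end to end. The Go program below is an added illustration, not code from this thread or from OpenBSD's signify, and it is written against my reading of signify's file layout: a pubkey or signature file is an "untrusted comment:" line followed by base64 of a 2-byte "Ed" tag, an 8-byte key number and the 32-byte key or 64-byte signature, and SHA256.sig is such a signature followed by the signed checksum list (embedded mode). Go's crypto/ed25519 stands in for signify's Ed25519, the key pair, key number, set names and set contents are all constructed on the spot, and the function names (BuildRelease, VerifyEmbedded, CheckSet) are mine. The installer side holds only the pinned public key; the signature file and the sets can come over plain ftp or http, and any byte changed in transit, in the list or in a set, is rejected without the transport having authenticated anything.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Payload layout assumed for signify key and signature files (reimplemented
// here for illustration, not taken from the signify source): a 2-byte
// algorithm tag "Ed", an 8-byte key number, then the key or signature.
const (
	pkAlg     = "Ed"
	keyNumLen = 8
)

// encodeSignify renders a signify-style file. The comment line is explicitly
// "untrusted": nothing in it is covered by the signature.
func encodeSignify(comment string, keynum, body []byte) string {
	payload := append([]byte(pkAlg), keynum...)
	payload = append(payload, body...)
	return "untrusted comment: " + comment + "\n" +
		base64.StdEncoding.EncodeToString(payload) + "\n"
}

// decodeSignify parses the two header lines of a signify-style file and
// returns the key number, the body, and whatever follows (an embedded message).
func decodeSignify(text string, bodyLen int) (keynum, body []byte, rest string, err error) {
	parts := strings.SplitN(text, "\n", 3)
	if len(parts) < 2 || !strings.HasPrefix(parts[0], "untrusted comment: ") {
		return nil, nil, "", errors.New("malformed signify file")
	}
	payload, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, nil, "", err
	}
	if len(payload) != 2+keyNumLen+bodyLen || string(payload[:2]) != pkAlg {
		return nil, nil, "", errors.New("bad algorithm tag or payload length")
	}
	if len(parts) == 3 {
		rest = parts[2]
	}
	return payload[2 : 2+keyNumLen], payload[2+keyNumLen:], rest, nil
}

// VerifyEmbedded checks a SHA256.sig-style file (signature header followed by
// the signed checksum list) against the pinned public key file and returns the
// list only if the key number matches and the signature verifies.
func VerifyEmbedded(pubFile, sigFile string) ([]byte, error) {
	keynum, pub, _, err := decodeSignify(pubFile, ed25519.PublicKeySize)
	if err != nil {
		return nil, fmt.Errorf("public key: %w", err)
	}
	signum, sig, msg, err := decodeSignify(sigFile, ed25519.SignatureSize)
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if !bytes.Equal(keynum, signum) {
		return nil, errors.New("signature was made with a different key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(msg), sig) {
		return nil, errors.New("signature verification failed")
	}
	return []byte(msg), nil
}

// CheckSet looks up name in the verified "SHA256 (name) = hex" list and
// compares it with the hash of the bytes that were actually downloaded.
func CheckSet(list []byte, name string, data []byte) error {
	want := fmt.Sprintf("SHA256 (%s) = ", name)
	for _, line := range strings.Split(string(list), "\n") {
		if strings.HasPrefix(line, want) {
			sum := sha256.Sum256(data)
			if hex.EncodeToString(sum[:]) != strings.TrimSpace(strings.TrimPrefix(line, want)) {
				return fmt.Errorf("%s: checksum mismatch", name)
			}
			return nil
		}
	}
	return fmt.Errorf("%s: not in signed checksum list", name)
}

// BuildRelease plays the release side: generate a key pair (as signify-keygen
// would), write the public key file and sign the checksum list in embedded
// mode. All inputs are constructed sample data, not a real OpenBSD release.
func BuildRelease(sets map[string][]byte) (pubFile, sigFile string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	keynum := make([]byte, keyNumLen)
	if _, err := rand.Read(keynum); err != nil {
		return "", "", err
	}
	var list strings.Builder
	for name, data := range sets {
		sum := sha256.Sum256(data)
		fmt.Fprintf(&list, "SHA256 (%s) = %s\n", name, hex.EncodeToString(sum[:]))
	}
	pubFile = encodeSignify("example-base.pub public key", keynum, pub)
	sig := ed25519.Sign(priv, []byte(list.String()))
	sigFile = encodeSignify("verify with example-base.pub", keynum, sig) + list.String()
	return pubFile, sigFile, nil
}

func main() {
	sets := map[string][]byte{"base.tgz": []byte("constructed base set"), "comp.tgz": []byte("constructed comp set")}
	pubFile, sigFile, err := BuildRelease(sets)
	if err != nil {
		panic(err)
	}
	// Only pubFile has to be trusted in advance; sigFile and the sets may
	// arrive over an unauthenticated ftp or http mirror.
	list, err := VerifyEmbedded(pubFile, sigFile)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact set:   ", CheckSet(list, "base.tgz", sets["base.tgz"]))
	fmt.Println("tampered set: ", CheckSet(list, "base.tgz", []byte("replaced in transit")))
	_, err = VerifyEmbedded(pubFile, strings.Replace(sigFile, "base.tgz", "evil.tgz", 1))
	fmt.Println("tampered list:", err)
}
```

Two design points follow from the thread. The key number check rejects a signature made with someone else's key before any cryptography runs, which is what makes a mirror operator's own signify key useless against an installer that pins the release key. And the comment line is parsed but never trusted: a mirror can rewrite "verify with ..." freely without affecting the outcome, which is the opposite of the ssh host-key situation the reply warns about, where the thing the user is asked to accept is exactly the thing an attacker controls.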

