Bug 224336 - /etc/pkg/FreeBSD.conf should use HTTPS by default
Summary: /etc/pkg/FreeBSD.conf should use HTTPS by default
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Depends on:
Reported: 2017-12-14 11:56 UTC by Wolfram Schneider
Modified: 2021-10-06 19:45 UTC
CC List: 6 users

See Also:

Attachments:
patch (385 bytes, patch), 2017-12-14 11:57 UTC, Wolfram Schneider, no flags

Description Wolfram Schneider freebsd_committer 2017-12-14 11:56:02 UTC
In /etc/pkg/FreeBSD.conf is the config for the pkg server:

url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"

We should switch to the more secure HTTPS protocol by default:

url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest"
Comment 1 Wolfram Schneider freebsd_committer 2017-12-14 11:57:05 UTC
Created attachment 188821
Comment 2 Baptiste Daroussin freebsd_committer 2017-12-14 12:13:26 UTC
This will mean everything will fail to bootstrap because there is no root ca.
The root ca is installed by pkg, chicken egg problem.

How would it be more secure here, given everything is signed aka, all you get would be verified?
Comment 3 Conrad Meyer freebsd_committer 2017-12-14 18:37:08 UTC
Packages are individually signed. I don't think it matters, as long as the indices and stuff pkg(1) trusts are also signed. The only real protection is that ISPs could not tell what packages were being fetched; except, this isn't even true, as they can correlate transfer sizes.
Comment 4 Conrad Meyer freebsd_committer 2017-12-14 18:37:33 UTC
(In reply to Conrad Meyer from comment #3)
> I don't think it matters
Comment 5 Wolfram Schneider freebsd_committer 2017-12-16 09:52:08 UTC
(In reply to Baptiste Daroussin from comment #2)

Good point about the "chicken egg problem". This needs to be resolved at some time. Not short term, but mid term. I want a system which is secure from the beginning, right after installation.
Comment 6 Baptiste Daroussin freebsd_committer 2017-12-18 09:51:25 UTC
Again, from what has been said above, can you state what is insecure in the process, given the signatures?
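The point made in comments 2, 3 and 6 is that package integrity in pkg(8) rests on signature verification, not on the transport, so an audit of a repository configuration should look at the signature settings first and at the URL scheme second. The script below is an added example, not FreeBSD's or pkg's own code: a minimal parser for the UCL subset used by /etc/pkg/FreeBSD.conf and a lint that reports, per repository, whether integrity depends on pkg's signature check or on the transport alone. The keys it inspects (url, mirror_type, signature_type, fingerprints, pubkey, enabled) are the ones documented in pkg.conf(5); the sample configuration is constructed, and the "local" repository in it is hypothetical, included for contrast.

```python
"""Audit pkg(8) repository config blocks for transport-independent integrity.

Added example (not FreeBSD's code). The config keys follow pkg.conf(5); the
sample configuration below is constructed for this demonstration.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the stock FreeBSD.conf layout with the url from this bug
# report, plus a hypothetical "local" repo that relies on the transport alone.
SAMPLE_CONF = """\
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

local: {
  url: "http://pkg.example.internal/${ABI}/latest",
  signature_type: "none",
  enabled: yes
}
"""

# A `name: { ... }` block. Values may contain ${ABI}, so the body is allowed to
# include `${WORD}` sequences but no other braces.
_BLOCK = re.compile(r'(\w+)\s*:\s*\{((?:\$\{\w+\}|[^{}])*)\}', re.S)
# `key: "quoted"` or `key: bare`, optionally followed by a comma.
_KV = re.compile(r'(\w+)\s*:\s*("([^"]*)"|[^,\s]+)\s*,?')


def parse_repos(text):
    """Return {repo_name: {key: value}} for each repository block in text."""
    repos = {}
    for name, body in _BLOCK.findall(text):
        kv = {}
        for key, raw, quoted in _KV.findall(body):
            kv[key] = quoted if raw.startswith('"') else raw
        repos[name] = kv
    return repos


def audit_repo(repo):
    """Return a list of findings (strings) for one repository block."""
    findings = []
    if repo.get("enabled", "yes").lower() in ("no", "false", "0"):
        return findings  # a disabled repository is never fetched
    scheme = urlparse(repo.get("url", "")).scheme  # e.g. "pkg+http", "pkg+https"
    transport_tls = scheme.endswith("https")
    sig = repo.get("signature_type", "none").lower()
    if sig == "fingerprints":
        if not repo.get("fingerprints"):
            findings.append("signature_type is fingerprints but no fingerprints dir is set")
    elif sig == "pubkey":
        if not repo.get("pubkey"):
            findings.append("signature_type is pubkey but no pubkey path is set")
    elif transport_tls:
        # No pkg-level verification: integrity rests entirely on TLS.
        findings.append("no signature verification; integrity relies on TLS alone")
    else:
        findings.append("no signature verification and plaintext transport: "
                        "repository content is unauthenticated")
    if not transport_tls and sig != "none":
        # Content is still authenticated by signatures; only confidentiality of
        # what is fetched (names, sizes) is lost, as comment 3 notes.
        findings.append("plaintext transport: content is signed, but fetch metadata "
                        "(which packages, sizes) is visible on the wire")
    return findings


def audit_config(text):
    """Map each repository name to its findings; an empty list means no issues."""
    return {name: audit_repo(repo) for name, repo in parse_repos(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONF).items():
        print(f"{name}: {'ok' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run against the stock FreeBSD block, the only finding is the metadata-visibility one; switching the url to pkg+https clears it, while the hypothetical "local" repo is flagged as unauthenticated regardless of what the transport would add, which is the distinction the discussion above is drawing.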
Comment 7 Daniel Ebdrup Jensen freebsd_committer 2021-10-06 19:45:08 UTC
I'm going to ignore whether or not it should be done, as it really isn't up to me.

However, it should perhaps be noted that switching from HTTP to HTTPS makes it impossible to set up a simple HTTP cache server.
This not only saves a lot of bandwidth for both the package servers and the individual clients, but also means that once the files have been cached, it's a lot faster on the clients using the cache.

For what it's worth, it is possible by setting up a fake root certificate and MITMing one's own traffic, with the modifications that this requires to trust self-signed root certificates, but that's quite a bit more involved even in the best-case scenario.

It might also be worth noting that freebsd-update uses the exact same idea of key fingerprinting, for much the same reason too.