In /etc/pkg/FreeBSD.conf is the config for the pkg server:
we should switch to the more secure HTTPS protocol by default:
Created attachment 188821
This will mean everything will fail to bootstrap because there is no root CA.
The root CA is installed by pkg, chicken egg problem.
How would it be more secure here, given everything is signed, i.e. all you get would be verified?
Packages are individually signed. I don't think it matters, as long as the indices and stuff pkg(1) trusts are also signed. The only real protection is that ISPs could not tell what packages were being fetched; except, this isn't even true, as they can correlate transfer sizes.
(In reply to Conrad Meyer from comment #3)
> I don't think it matters
(In reply to Baptiste Daroussin from comment #2)
Good point about the "chicken egg problem". This needs to be resolved at some time. Not short term, but mid term. I want a system which is secure from the beginning, right after installation.
Again, from what has been said above, can you state what is insecure in the process, given the signatures?
I'm going to ignore whether or not it should be done, as it really isn't up to me.
However, it should perhaps be noted that switching from HTTP to HTTPS makes it impossible to set up a simple HTTP cache server.
This not only saves a lot of bandwidth for both the package servers and the individual clients, but also means that once the files have been cached, it's a lot faster on the clients using the cache.
For what it's worth, it is possible by setting up a fake root certificate and MITMing one's own traffic, with the modifications that this requires to trust self-signed root certificates, but that's quite a bit more involved even in the best-case scenario.
It might also be worth noting that freebsd-update uses the exact same idea of key fingerprinting, for much the same reason too.
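The key-fingerprinting trust model the thread keeps coming back to (packages and indices are signed; pkg only trusts a signing key whose hash is pinned under its fingerprints directory), as an added, simplified illustration that is not code from pkg(8) or from anyone in this thread. The key bytes, fingerprint file names and contents are constructed; the file format (a `function:` line and a `fingerprint:` line) follows pkg.conf(5), and the actual signature verification over the key is left out since the point here is only the pinning step.

```python
"""Simplified model of pkg's signature_type "fingerprints" trust check.

Added example, not pkg's own code. The client receives the repository's
public key alongside the signed index, hashes it with SHA-256, and only
trusts it if that hash is pinned in trusted/ and absent from revoked/.
The check depends on the pinned hash, not on the transport the bytes
arrived over, which is why http vs https does not change its outcome.
"""
import hashlib

# Constructed sample key material (not real keys).
REPO_PUBKEY = b"-----BEGIN PUBLIC KEY-----\nconstructed-sample-key\n-----END PUBLIC KEY-----\n"
OTHER_PUBKEY = b"-----BEGIN PUBLIC KEY-----\nkey-with-no-pinned-hash\n-----END PUBLIC KEY-----\n"

# Constructed contents of files that would live under
# /usr/share/keys/pkg/trusted/ and /usr/share/keys/pkg/revoked/.
TRUSTED_FILES = {
    "example.repo.fingerprint": "function: sha256\nfingerprint: %s\n"
    % hashlib.sha256(REPO_PUBKEY).hexdigest(),
}
REVOKED_FILES = {}


def parse_fingerprint_file(text):
    """Return (function, fingerprint) parsed from one fingerprint file."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if fields.get("function") != "sha256":
        raise ValueError("unsupported fingerprint function")
    return fields["function"], fields["fingerprint"].lower()


def key_is_trusted(pubkey, trusted=TRUSTED_FILES, revoked=REVOKED_FILES):
    """True iff SHA-256(pubkey) is pinned in trusted/ and not in revoked/."""
    digest = hashlib.sha256(pubkey).hexdigest()
    revoked_fps = {parse_fingerprint_file(t)[1] for t in revoked.values()}
    if digest in revoked_fps:
        return False
    trusted_fps = {parse_fingerprint_file(t)[1] for t in trusted.values()}
    return digest in trusted_fps


if __name__ == "__main__":
    print("pinned repo key trusted:", key_is_trusted(REPO_PUBKEY))   # True
    print("unpinned key trusted:", key_is_trusted(OTHER_PUBKEY))     # False
```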