Re: HEADS UP: FreeBSD src repo transitioning to git this weekend

From: grarpamp <grarpamp_at_gmail.com>
Date: Thu, 31 Dec 2020 21:25:08 -0500

> There is already HTTPS to protect the "authenticity" of the magnet
> link.

No. FreeBSD fails to publish signed fingerprints of their TLS pubkeys,
therefore users can't pin them down, therefore any MITM can bypass
CA game and MITM attack users at will, feed them bogus infohash,
isos, git repo tofu, pkg, etc. MITM is bad, MITM is in use,
and MITM fails when sig'd, verified, and pinned.

> Yes, someone could vandalize the wiki page but I'm now
> subscribed and will notice it...

Only if they go through your front door.

> Also, magnet links are not officially supported by the project. I
> provide them because I think it's useful, and there are some people
> who request them...

transmission-bt, aria2, etc fast, easy, distributed sharing.
But needs backed by real sigs.

> It's difficult to educate people on these points..

Especially when poor examples to observe and learn from
continue among infrastructures and even educators.

> snapaid was designed to make it even easier...

So they've learned some provider specific edge tool,
not general gpg, or even wider security. Oh well.

> Is there any reason to think [bittorrent] insecure?

Cost under $50k of compute to break sha-1, multiply
that by SolarWinds size distribution clouds under tofu,
collect your winnings based on your node count.

Received on Fri Jan 01 2021 - 01:25:12 UTC
