Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72357 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 27959 invoked from network); 7 Feb 2014 00:43:37 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 7 Feb 2014 00:43:37 -0000 Authentication-Results: pb1.pair.com smtp.mail=swhitemanlistens-software@cypressintegrated.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=swhitemanlistens-software@cypressintegrated.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain cypressintegrated.com designates 173.1.104.101 as permitted sender) X-PHP-List-Original-Sender: swhitemanlistens-software@cypressintegrated.com X-Host-Fingerprint: 173.1.104.101 rproxy2-b-iv.figureone.com Received: from [173.1.104.101] ([173.1.104.101:61339] helo=rproxy2-b-iv.figureone.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 93/B0-24187-83C24F25 for ; Thu, 06 Feb 2014 19:43:37 -0500 Received: from gw02 ([172.56.35.253]) by rproxy2-b-iv.figureone.com (Brand New Heavy v1.0) with ASMTP id TCY97528 for ; Thu, 06 Feb 2014 16:43:28 -0800 Date: Thu, 6 Feb 2014 19:43:22 -0500 Reply-To: Sanford Whiteman X-Priority: 3 (Normal) Message-ID: <765772707.20140206194322@cypressintegrated.com> To: Daniel Lowrey In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: Re: Windows Peer Verification From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman) > If you don't trust the data or want to be more certain: run the > script yourself. Offering the data over HTTPS would give you a > chicken-and-egg problem as which CAs would you trust when > you download the bundle? Thanks for posting this. I find their excuse entirely fallacious. There is no chicken-and-egg "problem" as all OSes and browsers ship with trusted CAs, and every single one of us works under the assumption that it is possible to securely download and/or purchase an OS. You don't assume that the first site you visit in IE or Safari (probably to get Firefox or Chrome!), or the first connection to the Microsoft or Apple Update server, is not a peer-verified TLS connection to the best of the browser's current ability. To suggest that the list of trusted CAs might as well be initialized over plain-text is an embarrassment. If we didn't have any starting point of trust, whether that be sneakernet from Red Hat HQ or whatever, there could be no such thing as "trusted CAs". They also imply the main vulnerability is that _their copy_ will be altered in transit from their site... ? That's not the point. The problem is using plain text *broadens* the attack surface so that it is even easier to make someone download your substitute copy rather than hitting their server at all (DNS cache poisoning, IP spoofing to direct you to attacker's DNS, straight-up compromising a DNS server and adding a fake zone, or one-second mod of HOSTS when someone is at the water cooler, for some examples). All that and *also* being able to rewrite the plain-text response if you intercept it. -- S.