Re: A couple of questions and concerns about Emacs network security

[Perry E. Metzger]

On Sat, 23 Jun 2018 09:40:56 +0300 Eli Zaretskii <address@hidden> wrote:
> > From: Noam Postavsky <address@hidden>
> > Date: Fri, 22 Jun 2018 22:17:56 -0400
> > Cc: Lars Magne Ingebrigtsen <address@hidden>,
> >     Jimmy Yuen Ho Wong <address@hidden>,
> >     Emacs developers <address@hidden>
> > 
> > On 22 June 2018 at 18:43, Paul Eggert <address@hidden>
> > wrote:  
> > > On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote:  
> > >>
> > >> 1. Can we update the default network security settings?  
> > >
> > >
> > > Yes, I would think so, in the master branch. As you say, the
> > > current defaults are inappropriate for today's users.  
> > 
> > Can we bump gnutls-min-prime-bits to 1024 on the release branch?  
> 
> No, I don't think so.  Changing these settings needs a prolonged
> testing period to uncover any subtle problems with non-conforming
> servers that users must be able to access, and such testing is
> unlikely to happen on emacs-26 before the next bug-fix release.

All modern browsers set 1024 as a minimum. There is no need for Emacs
to worry about this as it has been years since you could connect to a
web site with less than 1024 bits security. It should be changed as
soon as possible. Even 1024 bits is too small, but this is at least
better than the current situation.

Generally speaking, if a security setting is the default in Chrome,
Firefox, Safari, and Edge, you can feel reasonably certain that it is
safe to have Emacs turn on such a setting as well without fear that
it will cause inconvenience to the user community.

> If we change this now on emacs-26, we should probably not release
> Emacs 26.2 before a year goes by.

Perry
-- 
Perry E. Metzger                address@hidden