Re: A couple of questions and concerns about Emacs network security
From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 19:31:45 +0100
On Sun, Jul 8, 2018 at 6:47 PM Lars Ingebrigtsen <address@hidden> wrote:
>
> Jimmy Yuen Ho Wong <address@hidden> writes:
>
> > No we don't let GnuTLS always establish the connection. We don't set
> > the priority string to the lowest level possible, i.e. "LEGACY". Are
> > you suggesting you want to do that?
>
> That's my preference, but others don't agree. And it's basically a moot
> point, since there are virtually no (legitimate real-world) connections
> that fall between the nil and "LEGACY" settings of
> `gnutls-algorithm-priority'.
>
There are also no legitimate real-world connections that fall between
a min-prime-bits of 0 and 512 bits. In fact, exactly 0 of the top Alexa
150k sites demand 256 bits.
https://www.ssllabs.com/ssl-pulse/.
I'll reply to the problem with setting gnutls-algorithm-priority to
LEGACY in another email.
> > Setting `gnutls-min-prime-bits` to 256 as the standard value suggests
> > to me that Emacs' network security level is so relaxed that a TLS
> > connection with a DH prime 256-bits should go through, but in reality
> > NSM still warns. This yet again contradicts the intention of the
> > standard value. If the intention is to warn about prime-bit < 1024
> > bits, `gnutls-min-prime-bits` should not be 256, otherwise NSM should
> > not warn.
> >
> > Just switch it back to `nil` and let GnuTLS do the right thing
> > according to the priority string for crying out loud. This also has no
> > adverse effect.
>
> I don't understand what you're saying here. We've chosen 256 since
> that's the way to say "don't stop any connections on the gnutls level
> because of this stuff". nil currently means 1008 bits, if I read the
> docs right.
>
That is correct, for consistency's sake. Since we've decided on a
default NORMAL:%DUMB_FW priority string, which means letting the GnuTLS
version you've built Emacs with decide what cipher suites to allow,
it follows that we should also default `gnutls-min-prime-bits` to nil,
which also lets GnuTLS decide.