[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A couple of questions and concerns about Emacs network security

From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 19:31:45 +0100

On Sun, Jul 8, 2018 at 6:47 PM Lars Ingebrigtsen <address@hidden> wrote:
> Jimmy Yuen Ho Wong <address@hidden> writes:
> > No we don't let GnuTLS always establish the connection. We don't set
> > the priority string to the lowest level possible, i.e. "LEGACY". Are
> > you suggesting you want to do that?
> That's my preference, but others don't agree.  And it's basically a moot
> point, since there are virtually no (legitimate real-world) connections
> that fall between the nil and "LEGACY" settings of
> `gnutls-algorithm-priority'.

There is also no legitimate real-world connection that fall between
min-prime-bit 0 and 512-bits. In fact, exactly 0 top Alexa 150k site
demands 256 bit.

I'll reply to the problem with setting gnutls-algorithm-priority to
LEGACY in other email.

> > Setting `gnutls-min-prime-bits` to 256 as the standard value suggests
> > to me that Emacs' network security level is so relaxed that a TLS
> > connection with a DH prime 256-bits should go through, but in reality
> > NSM still warns. This yet again contradicts the intention of the
> > standard value. If the intention is to warn about prime-bit < 1024
> > bits, `gnutls-min-prime-bits` should not be 256, otherwise NSM should
> > not warn.
> >
> > Just switch it back to `nil` and let GnuTLS do the right thing
> > according to the priority string for crying out loud. This also has no
> > adverse effect.
> I don't understand what you're saying here.  We've chosen 256 since
> that's the way to say "don't stop any connections on the gnutls level
> because of this stuff".  nil currently means 1008 bits, if I read the
> docs right.

That is correct, for consistency's sake. Since we'e decided on a
default NORMAL:%DUMB_FW priority string, which means let the GnuTLS
version you've built Emacs with to decide what cipher suites to allow,
it follows that we should also default `gnutls-min-prime-bits` to nil,
which also lets GnuTLS decide.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]