Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

From: Perry E. Metzger
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Sat, 25 Oct 2014 10:33:45 -0400

On Sat, 25 Oct 2014 03:31:49 -0400 Richard Stallman <address@hidden>
> In an issue of security vulnerability, giving users the right
> defaults is paramount.  Allowing users to customize is no
> substitute. Most users don't know about the issue.  We need to DTRT
> for them.


My proviso is that I generally think giving them an easy-to-use knob
to let them do the wrong thing is also a mistake, because social
engineering will often be used to convince them to turn off their
security. If you can't avoid providing the knob, at the very
least, you need to make the default correct and make the knob hard
to turn by accident.

On social engineering: I'm aware of people having been attacked
by having their TLS-encrypted connections disrupted by injected
traffic while unencrypted ones were left unmolested. This convinced
the users that there was some sort of problem with the encryption and
that they should drop to the clear by unchecking the "use TLS" box
in their GUI (the implications of which they didn't understand in the
first place). Having done so, their (sensitive) connection and login
credentials were then examined by the attackers. If unencrypted mode
had not been permitted, the attack would not have succeeded. This
was, in effect, a socially engineered downgrade attack.

I recognize that some will again say "but most people face no
such attacks and are doing nothing sensitive", but again, the problem
is that the same software is used in sensitive and non-sensitive
situations. Your software will not psychically intuit that you are a
journalist doing a chat with an Iranian dissident while most
people are just discussing video games with the same chat program.

So, yes, at the very least, the default must be fully secure, but it
is always best that there only be one mode, and it should be the
secure mode. If you need to provide a knob, make sure the user has to
do something inconvenient to get at it.

Perry E. Metzger                address@hidden
