Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

From: Florian Weimer
Date: Sun, 26 Oct 2014 09:15:48 +0100

* Lars Magne Ingebrigtsen:

> The proposed security manager would store certificate fingerprints, so
> detecting when a known server drops from TLS 1.2 to SSL 3.0 would
> presumably also be something we could warn about, just like we would
> warn when we drop from STARTTLS to unencrypted.
> "You are talking to imap:dea.gov via SSL 3.0 now, while last time you
> did this via TLS 1.2.  This might mean that you're suffering from a
> Man-In-The-Middle attack.  Still connect?"

Uhm, if this happens, the server has been downgraded.  The handshake
will fail if a man-in-the-middle attempts to force the use of SSL 3.0,
and both ends support something newer.  (As far as I can tell, Emacs
does not implement the vulnerable protocol downgrade code, unlike

