Re: Network security manager

[Ted Zlatanov]

On Tue, 18 Nov 2014 11:12:32 +0100 Toke Høiland-Jørgensen <address@hidden> 
wrote: 

TH> incidentally, does Emacs check the cipher mode of the connection
TH> itself (I'm assuming this warning pertains to the certificate
TH> itself, not the connection encryption).

No, after establishing the connection we don't check its properties.  In
many cases, depending on the priority string, it could be very different
from what we expected IIUC, so this is neither simple nor very useful.

TH> I have (setq gnutls-algorithm-priority "PFS") in my .emacs, but
TH> AFAIK that is not the default (and it does fail in some cases). For
TH> instance, in light of POODLE, turning off SSLv3 completely would
TH> probably be a good idea, at least as a default?

This was discussed recently here and in the GnuTLS mailing list.  With
the default settings in Emacs, it's not vulnerable to POODLE.

TH> Finally, doing DANE verification (and trusting that more than the CA)
TH> would be nice; but not sure how viably it is presently.

Can you clarify?  What are the requirements and benefits in your opinion?

Also, would you like to integrate your TOFU patch with the new nsm branch?

Thanks
Ted