
Additional network security

From: Lars Magne Ingebrigtsen
Subject: Additional network security
Date: Fri, 05 Dec 2014 16:10:19 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

It kinda looks like the world didn't end when the NSM was switched on,
so perhaps it's time to discuss whether we should add additional
security, and if so, what and how.

Some other browsers are discussing switching off "weak" encryption in
one form or another.  I don't think that's a good idea, because
sometimes you want to visit web sites and don't care whether they use
"good" encryption or not.

But it might make sense to warn users that this is happening.  Perhaps
by default, perhaps only if they have switched to `high' security.

Candidates for these warnings would be

* low prime-bits used in the Diffie-Hellman handshake
* SSL1, SSL2 and SSL3
* usage of RC4 anywhere

Can anybody think of anything else that's considered "weak" these days?

Perhaps it might make sense to allow users to specify high-grained
security policies?  That is

(setq network-security-level '(starttls-downgrade ssl3 rc4))

or something?  Where `medium' would just be an alias for the default
things we check for...

On the other hand, perhaps not.  There's a temptation in Emacs to make
everything configurable, and I think that's a mistake.  Instead of
implementing a feature, we end up implementing a framework for creating
the feature, so the user ends up having to do all the work to get things
into a reasonable state.

And allowing users to configure stuff means that we don't have to be as
thorough in getting things just right, because "they can always switch
it off" or something, which is a cop-out.  And making stuff configurable
inevitably means that it's more prone to bugs, because there are code
paths almost never taken.

Users also get frustrated by this endless variety.  I've seen people
say "oh, Emacs is so awful.  I have a 70K big .emacs, and then I
switched to Sublime Text, and I'm so much happier".  (Because they have
to take it or leave it.)

How about a new policy: Unless it really obviously should be
configurable, nothing gets to be configurable until at least 100 users
have asked for it?  :-)

(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
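
The candidate warnings listed in the message above, sketched as an added Emacs Lisp example; this is not code from the message or from Emacs itself. The `my-nsm-` names, the 1024-bit threshold and the `dh-prime-bits` policy symbol are assumptions, and the status plist uses keys modeled on what `gnutls-peer-status` returns.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration.  Everything prefixed `my-nsm-' is hypothetical.

(defvar my-nsm-min-dh-prime-bits 1024
  "Assumed lower bound; the message only says \"low prime-bits\".")

(defun my-nsm-weak-settings (status policy)
  "Return a list of (CHECK . REASON) for each POLICY check that STATUS fails.
STATUS is a plist with :protocol, :cipher and :diffie-hellman-prime-bits.
POLICY is a list of symbols as in the proposed `network-security-level'
value.  Symbols this function cannot judge from STATUS alone (such as
`starttls-downgrade') are skipped."
  (let ((bits (plist-get status :diffie-hellman-prime-bits))
        (protocol (or (plist-get status :protocol) ""))
        (cipher (or (plist-get status :cipher) ""))
        (case-fold-search t)
        findings)
    ;; Low prime-bits in the Diffie-Hellman handshake.  BITS is nil when
    ;; the key exchange was not Diffie-Hellman, so nothing is reported.
    (when (and (memq 'dh-prime-bits policy)
               bits
               (< bits my-nsm-min-dh-prime-bits))
      (push (cons 'dh-prime-bits
                  (format "Diffie-Hellman prime is only %d bits" bits))
            findings))
    ;; Any SSL protocol version; `ssl3' here stands for all of them.
    (when (and (memq 'ssl3 policy)
               (string-match-p "\\`SSL" protocol))
      (push (cons 'ssl3 (format "protocol %s predates TLS" protocol))
            findings))
    ;; RC4 anywhere; GnuTLS reports the cipher under the name ARCFOUR.
    (when (and (memq 'rc4 policy)
               (string-match-p "RC4\\|ARCFOUR" cipher))
      (push (cons 'rc4 (format "cipher %s is RC4" cipher))
            findings))
    (nreverse findings)))

;; Constructed sample status, not captured from a real connection.
;; The policy is the list from the message, so the 512-bit prime is
;; not reported: `dh-prime-bits' was not asked for.
(my-nsm-weak-settings
 '(:protocol "SSL3.0" :cipher "ARCFOUR-128" :diffie-hellman-prime-bits 512)
 '(starttls-downgrade ssl3 rc4))
```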
