[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Additional network security

From: Ted Zlatanov
Subject: Re: Additional network security
Date: Sun, 07 Dec 2014 12:03:54 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Sun, 07 Dec 2014 17:41:06 +0100 Lars Magne Ingebrigtsen <address@hidden> 

LMI> Ted Zlatanov <address@hidden> writes:
>> Given this precedent, I think it would make sense to offer some
>> fine-grained control over NSM checks as well, similar to
>> `gnutls-verify-error' as I mentioned.  We've gone Lispy with the NSM
>> configuration, but if we were consistent with the GnuTLS approach, the
>> NSM tuning would be simply a string like "paranoid:-crazy" (paranoid but
>> not crazy, heh heh).  This is still possible:
>> * map a symbol to its symbol-name
>> * parse NSM security levels like GnuTLS priority strings
>> * allow setting these strings per host regex
>> WDYT?

LMI> I think we should require 100 users demanding this before we implement
LMI> it.  :-)

I am basing it on the way GnuTLS allows users to control things, not
inventing something new.  Asking for 100 Emacs users to agree on
anything will result in:

* 3 frameworks and 5 new one-letter packages
* 200+ posts arguing about obscure details
* at least 8 new bugs filed

so I really hope you lower the threshold to "would we use it?".

How about extending the GnuTLS priority string to also specify the NSM
level, DH bits, etc? So the user would say "NORMAL:NSM(medium,dh=1024)"
and we'd cut out all the NSM bits before passing it on to GnuTLS. If
there's nothing in the priority string, we'd look at
`network-security-level', that would be the out-of-the-box use case.

LMI> But as for the defaults, do you agree with putting RC4, SSL<TLS1.0 and
LMI> low bits on `high'?  

RC4 should be disallowed on medium IMO. I *think* it already is
disallowed in the default GnuTLS priority string.

I would disallow SSL 1, 2 on medium and 3 on high. The GnuTLS default
for priority string NORMAL is (in preference order) TLS protocols TLS
1.2, TLS1.1, TLS1.0, SSL3.0 according to
http://gnutls.org/manual/html_node/Priority-Strings.html so regardless
of the NSM level SSL 1 and 2 are dropped by default.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]