[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Additional network security
From: |
Ted Zlatanov |
Subject: |
Re: Additional network security |
Date: |
Sun, 07 Dec 2014 12:03:54 -0500 |
User-agent: |
Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux) |
On Sun, 07 Dec 2014 17:41:06 +0100 Lars Magne Ingebrigtsen <address@hidden>
wrote:
LMI> Ted Zlatanov <address@hidden> writes:
>> Given this precedent, I think it would make sense to offer some
>> fine-grained control over NSM checks as well, similar to
>> `gnutls-verify-error' as I mentioned. We've gone Lispy with the NSM
>> configuration, but if we were consistent with the GnuTLS approach, the
>> NSM tuning would be simply a string like "paranoid:-crazy" (paranoid but
>> not crazy, heh heh). This is still possible:
>>
>> * map a symbol to its symbol-name
>> * parse NSM security levels like GnuTLS priority strings
>> * allow setting these strings per host regex
>> * PROFIT
>>
>> WDYT?
LMI> I think we should require 100 users demanding this before we implement
LMI> it. :-)
I am basing it on the way GnuTLS allows users to control things, not
inventing something new. Asking for 100 Emacs users to agree on
anything will result in:
* 3 frameworks and 5 new one-letter packages
* 200+ posts arguing about obscure details
* at least 8 new bugs filed
so I really hope you lower the threshold to "would we use it?".
How about extending the GnuTLS priority string to also specify the NSM
level, DH bits, etc? So the user would say "NORMAL:NSM(medium,dh=1024)"
and we'd cut out all the NSM bits before passing it on to GnuTLS. If
there's nothing in the priority string, we'd look at
`network-security-level', that would be the out-of-the-box use case.
LMI> But as for the defaults, do you agree with putting RC4, SSL<TLS1.0 and
LMI> low bits on `high'?
RC4 should be disallowed on medium IMO. I *think* it already is
disallowed in the default GnuTLS priority string.
I would disallow SSL 1, 2 on medium and 3 on high. The GnuTLS default
for priority string NORMAL is (in preference order) TLS protocols TLS
1.2, TLS1.1, TLS1.0, SSL3.0 according to
http://gnutls.org/manual/html_node/Priority-Strings.html so regardless
of the NSM level SSL 1 and 2 are dropped by default.
Ted
- Additional network security, Lars Magne Ingebrigtsen, 2014/12/05
- Re: Additional network security, Stefan Monnier, 2014/12/05
- Re: Additional network security, Lars Magne Ingebrigtsen, 2014/12/06
- Re: Additional network security, Stefan Monnier, 2014/12/06
- Re: Additional network security, Stephen J. Turnbull, 2014/12/07
- Re: Additional network security, Ted Zlatanov, 2014/12/07
- Re: Additional network security, Lars Magne Ingebrigtsen, 2014/12/07
- Re: Additional network security,
Ted Zlatanov <=
- Re: Additional network security, Lars Magne Ingebrigtsen, 2014/12/07
- Re: Additional network security, Ted Zlatanov, 2014/12/07
- Re: Additional network security, chad, 2014/12/07
- Re: Additional network security, Reiner Steib, 2014/12/18
- Re: Additional network security, Ted Zlatanov, 2014/12/20
- Re: Additional network security, Stephen J. Turnbull, 2014/12/07
- Re: Additional network security, Richard Stallman, 2014/12/07
- Re: Additional network security, Ted Zlatanov, 2014/12/08
- Re: Additional network security, Lars Magne Ingebrigtsen, 2014/12/08
- Re: Additional network security, Lars Magne Ingebrigtsen, 2014/12/08