Re: A couple of questions and concerns about Emacs network security

[Jimmy Yuen Ho Wong]

On Sat, Jul 7, 2018 at 10:36 AM, Robert Pluim <address@hidden> wrote:
> Jimmy Yuen Ho Wong <address@hidden> writes:
>
>> I disagree that prompting for pretty much every TLS connection is a
>> good idea. In security circles these days, there's such a thing known
>> as "security fatigue". Overly troublesome security measure that don't
>> take human psychology into account will lead to numbness. A side
>> effect of that is users will simply start ignoring security warnings
>> like they skip reading iTunes's EULA. This is an adverse unintended
>> consequence that achieves the opposite of what we want to do here.
>
> For normal usage, we should absolutely not prompt too much [1]. Iʼm not
> recommending 'paranoid' to anyone, but in my specific circumstances
> itʼs the right thing to do.
>

I still fail to see what those circumstances are that warrant
prompting the user whenever he visits a URL with TLS that he hasn't
visited before.

>>>>> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2
>>>
>>> That might be going a bit far, but I can certainly do that locally and
>>> see what happens.
>>>
>>
>> As I've said, setting `gnutls-min-prime-bits` to nil simply means
>> GnuTLS will negotiate the right number of DH bits on the user's
>> behalf, starting from 1008 bits since 3.3.0.
>>
>>>
>>> Documentation is good. Iʼll see if I can find some time to work on
>>> that.
>>>
>>
>> Thanks for helping out :)
>
> Is your work on a git branch somewhere?

It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks

Diff to master:
https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks

You can just fork my fork and send over a PR.

There's still a couple of things I need to do:

1. Implement `nsm-trust-local-network`
2. Remove that change in src/gnutls.h not needed for bug#31946 (this
is from my OCSP stash still sitting on my machine)
3. Write some ert tests, but this should affect the doc effort
4. I might throw in a few more checks to detech DHE-DSS key exchange
and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do
browsers, but I haven't been able to find much information about them
other than they are not used. There's a claim made that DSS key
exchange is just as bad as static RSA, but DHE-DSS is not that same as
DSS...

Thanks again!

>
> Regards
>
> Robert
>
> Footnotes:
> [1]  If you fix the double-prompting caused by google's certificate
>      load-balancing, that would reduce it a lot for me :-)
>