Re: A couple of questions and concerns about Emacs network security
From: Jimmy Yuen Ho Wong
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 7 Jul 2018 10:59:42 +0100
On Sat, Jul 7, 2018 at 10:36 AM, Robert Pluim <address@hidden> wrote:
> Jimmy Yuen Ho Wong <address@hidden> writes:
>
>> I disagree that prompting for pretty much every TLS connection is a
>> good idea. In security circles these days, there's such a thing known
>> as "security fatigue". Overly troublesome security measures that don't
>> take human psychology into account will lead to numbness. A side
>> effect of that is users will simply start ignoring security warnings
>> like they skip reading iTunes's EULA. This is an adverse unintended
>> consequence that achieves the opposite of what we want to do here.
>
> For normal usage, we should absolutely not prompt too much [1]. Iʼm not
> recommending 'paranoid' to anyone, but in my specific circumstances
> itʼs the right thing to do.
>
I still fail to see what those circumstances are that warrant
prompting the user whenever he visits a URL with TLS that he hasn't
visited before.
>>>>> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2
>>>
>>> That might be going a bit far, but I can certainly do that locally and
>>> see what happens.
>>>
>>
>> As I've said, setting `gnutls-min-prime-bits` to nil simply means
>> GnuTLS will negotiate the right number of DH bits on the user's
>> behalf, starting from 1008 bits since 3.3.0.
>>
>>>
>>> Documentation is good. Iʼll see if I can find some time to work on
>>> that.
>>>
>>
>> Thanks for helping out :)
>
> Is your work on a git branch somewhere?
It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks
Diff to master:
https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks
You can just fork my fork and send over a PR.
There's still a couple of things I need to do:
1. Implement `nsm-trust-local-network`
2. Remove that change in src/gnutls.h not needed for bug#31946 (this
is from my OCSP stash still sitting on my machine)
3. Write some ert tests, but this should affect the doc effort
4. I might throw in a few more checks to detect DHE-DSS key exchange
and DSA signatures. IETF TLSWG has removed it from TLS 1.3, and so have
browsers, but I haven't been able to find much information about them
other than that they are not used. There's a claim made that DSS key
exchange is just as bad as static RSA, but DHE-DSS is not the same as
DSS...
Thanks again!
>
> Regards
>
> Robert
>
> Footnotes:
> [1] If you fix the double-prompting caused by google's certificate
> load-balancing, that would reduce it a lot for me :-)
>
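The two checks this message talks about, a floor on the DHE prime size (the job `gnutls-min-prime-bits` stops doing once it is nil) and a flag on DHE-DSS key exchange, written out as an added Emacs Lisp example. This is not code from the original post, from Emacs, or from the additional-nsm-checks branch linked above. Only the shape of the plist that `gnutls-peer-status` returns is Emacs's own; the `my-nsm-` names, the 1024-bit floor, the (FUNCTION . LEVEL) check table and the sample peer-status plists are assumptions made for this example, and the samples are constructed rather than captured from any server.

```elisp
;;; nsm-kx-checks-example.el --- added example, not part of Emacs -*- lexical-binding: t -*-

;; Two NSM-style checks over the plist `gnutls-peer-status' returns for
;; a live TLS connection.  Only the plist shape is Emacs's own: this
;; example assumes :key-exchange is a GnuTLS key-exchange name such as
;; "DHE-DSS" and :diffie-hellman-prime-bits is an integer (0 or nil when
;; no finite-field DH was performed).  Everything prefixed `my-nsm-' is
;; hypothetical.  Run with: emacs -Q --batch -l nsm-kx-checks-example.el

(require 'cl-lib)

(defconst my-nsm-dh-min-prime-bits 1024
  "Floor for a DHE prime, in bits.  Assumed value for this example.
With `gnutls-min-prime-bits' left at nil GnuTLS picks the size itself,
so a post-handshake check like this is where a floor belongs.")

(defun my-nsm-check--dhe-prime-kx (status)
  "Return a warning string if STATUS shows a DHE exchange with a short prime.
Only finite-field DHE suites (\"DHE-RSA\", \"DHE-DSS\") carry a prime; ECDHE
is skipped so its bit count is never compared against the floor."
  (let ((kx (plist-get status :key-exchange))
        (bits (plist-get status :diffie-hellman-prime-bits)))
    (when (and (stringp kx)
               (string-match-p "\\`DHE\\b" kx)
               (integerp bits)
               (< bits my-nsm-dh-min-prime-bits))
      (format "Diffie-Hellman prime is only %d bits (floor %d)"
              bits my-nsm-dh-min-prime-bits))))

(defun my-nsm-check--dss-kx (status)
  "Return a warning string if the key exchange in STATUS is DSA-signed.
GnuTLS names such suites \"DHE-DSS\"; the DSS token is what is matched."
  (let ((kx (plist-get status :key-exchange)))
    (when (and (stringp kx)
               (string-match-p "\\bDSS\\b" kx))
      (format "key exchange %s is signed with DSA, which TLS 1.3 dropped" kx))))

(defconst my-nsm-checks
  '((my-nsm-check--dhe-prime-kx . medium)
    (my-nsm-check--dss-kx . medium))
  "Checks paired with the lowest `network-security-level' that runs them.
The (FUNCTION . LEVEL) shape is an assumption of this example.")

(defun my-nsm--level-rank (level)
  "Rank LEVEL on the low/medium/high/paranoid scale; unknown counts as low."
  (or (cl-position level '(low medium high paranoid)) 0))

(defun my-nsm-run-checks (status level)
  "Run each check in `my-nsm-checks' whose level is at most LEVEL on STATUS.
Return the list of warning strings, nil when the connection is clean."
  (let ((rank (my-nsm--level-rank level))
        warnings)
    (dolist (check my-nsm-checks (nreverse warnings))
      (when (<= (my-nsm--level-rank (cdr check)) rank)
        (let ((warning (funcall (car check) status)))
          (when warning (push warning warnings)))))))

;; Constructed peer-status plists, not captured from any real server.
(defconst my-nsm-sample-statuses
  '(("ecdhe-rsa"   :key-exchange "ECDHE-RSA" :diffie-hellman-prime-bits 0)
    ("dhe-512"     :key-exchange "DHE-RSA"   :diffie-hellman-prime-bits 512)
    ("dhe-dss"     :key-exchange "DHE-DSS"   :diffie-hellman-prime-bits 2048)
    ("dhe-dss-768" :key-exchange "DHE-DSS"   :diffie-hellman-prime-bits 768)))

(defun my-nsm-demo ()
  "Report each sample with the warnings a medium-level check run produces."
  (dolist (sample my-nsm-sample-statuses)
    (let ((warnings (my-nsm-run-checks (cdr sample) 'medium)))
      (message "%-12s %s" (car sample)
               (if warnings (mapconcat #'identity warnings "; ") "ok")))))

(my-nsm-demo)
```

Running it in batch mode reports the ECDHE sample as clean, the 512-bit DHE-RSA sample for its prime, the 2048-bit DHE-DSS sample for its DSA signature, and the 768-bit DHE-DSS sample for both. The DHE check deliberately ignores ECDHE suites: GnuTLS reports no meaningful prime size for them, and comparing that number against the floor would either miss real problems or produce exactly the kind of spurious prompt the "security fatigue" point above warns about.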