emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Perry E. Metzger
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 7 Jul 2018 09:46:22 -0400

On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii <address@hidden> wrote:
> > Date: Sat, 7 Jul 2018 08:18:33 -0400
> > From: "Perry E. Metzger" <address@hidden>
> > Cc: Eli Zaretskii <address@hidden>, address@hidden,
> > address@hidden, address@hidden, address@hidden
> > 
> > There is ample evidence that people in such situations rarely if
> > ever understand what the right thing to do is.  
> 
> That doesn't necessarily mean we need to assume none of them will
> understand that, if the considerations are explained in clear terms
> that can be mapped to the user's environment.

The difference between "none" and "under 5%" is so small as to be
unimportant. In tests, even with very careful explanations, only a
really tiny fraction of users seem to make good decisions some of
the time, and that's even when computer science undergraduates are the
test subjects. Go and check the literature on this if you don't
believe me. Once the decisions are complicated, like figuring out
whether to trust a certificate or not, the ability to make correct
choices, even among security professionals, drops to the noise floor.

> > There's also another issue we've discovered: at one time, people
> > believed having software provide "levels" of security made
> > sense, but we now understand based on bitter experience that
> > everyone, whether their greatest threat is unimportant or whether
> > their greatest threat is a nation state, uses the same software
> > and same default settings 99% of the time, so software needs to
> > be built with the needs of people under threat in mind.  
> 
> I don't see how this is relevant, since we are talking about just
> one piece of software: Emacs.  For the purposes of this discussion,
> whether they use the same browsers or different ones, because we are
> not discussing those browsers.

You may not see the relevance, but others do.

> And my personal experience definitely contradicts your "everyone"
> claim: e.g., my home network is set up with several non-default
> defenses, and so is my smartphone.  Why should we assume a
> significant part of Emacs users is in the "everyone" camp?  They
> did choose to use Emacs, didn't they?

The difference between one person in a hundred and no one is so small
for purposes of deciding on default behavior as to be unimportant.

As for your own configuration, you're free to change the defaults any
way you like, so why are you arguing anyway? No one will stop you
from selecting 256 bit D-H keys or turning off encryption entirely or
turning off CT if that's what you really insist on.

> > And let me repeat, there's excellent field evidence that
> > people under threat generally have no technical expertise to make
> > serious security decisions, and that includes people with
> > programming backgrounds.  
> 
> You are entitled to your opinions

These are not opinions. They're facts. They're based on decades of
field experience and objective studies published in the academic
literature. There is almost universal agreement among the
studies, too -- there are no published outliers that I'm aware of.

So, my statements are not matters of opinion any more than the
claim that most people get hungry if they don't eat for long enough
is a matter of opinion. You are, of course, entitled to claim the
moon is made of green cheese or that most users can make informed
security decisions for themselves about things like key length or
certificate origins. These claims are both wrong, and no one should
pay attention to such claims, but one is entitled to say it. Others
should ignore such statements, however, because they are
counterfactual.

> but I don't agree that we should
> design our defaults based on the assumption that we cannot expect
> our users to make informed decisions.

And this sets you apart from people who have worked in the field for
decades, and from people who have done objective studies in the field.

It's fine to let the tiny fraction of users who understand what
they're doing to go into their .emacs file and set whatever they
prefer. Asking users to make "informed decisions" in real time simply
doesn't work, and this is not opinion, it is fact, and though you are
going to argue until the end of time regardless of evidence, your
opinion is simply wrong.

I strongly suspect, by the way, that I could easily get you to make a
bad security decision in a test environment. I don't trust myself to
evaluate the origin of certificates in real time -- it's just too
difficult to read an x.509 cert's contents and verify everything you
need to (including the hash algorithms used in the entire chain,
figuring out if the CA is one I should be expecting for this
particular host, etc.) That is in spite of the fact that I've been
doing this professionally for a very long time. I suspect I could
easily cook up certs that you wouldn't be able to figure out, and
that you would make the wrong decision if prompted to look at them.

That said, I have no objections to your being able to set whatever
parameters you want by editing your configs. So you see, we can both
have our way. You can run Windows XP until the end of time, and you
can set your default configuration for TLS interactions badly, and
other people can run much more secure free operating systems and can
have strong TLS defaults, and everyone can be happy.

> > The other thing is, in spite of the constant claims, running with
> > the level of security provided by Firefox or Chrome or Safari
> > isn't the least bit inconvenient, so there's no obvious reason
> > not to do at least _that_.  
> 
> One would think that those "constant claims" might just provide
> such a reason.

The only one making this claim is _you_. No one can provide
good examples of how following the usual practice in the rest of the
community would inconvenience anyone, but you keep implying this
anyway. No one else is making this claim, but you are constantly and
consistently implying that it is the case even though there's
basically no evidence for it.

> Besides, we don't really follow what those browsers do,

But we should. It's insane not to. You keep going on and on about how
somehow setting such defaults would be inconvenient, but
there's not the slightest evidence that it would be, and there's
excellent evidence that there's good reason to follow those practices.

Perry
-- 
Perry E. Metzger                address@hidden
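As an added illustration of the point made above about users setting TLS parameters in their own .emacs (this snippet is an editor's example, not code from the thread or from the Emacs project), here is how the relevant Emacs variables look with weak values beside the stronger ones. `network-security-level`, `gnutls-verify-error` and `gnutls-min-prime-bits` are real Emacs variables; the specific values chosen are illustrative.

```elisp
;; Added example: hardening Emacs's TLS defaults in ~/.emacs or init.el.
;; The variables are Emacs's own; the chosen values are illustrative.

;; Weak settings, kept commented out for contrast:
;; (setq network-security-level 'low)   ; NSM never warns about anything
;; (setq gnutls-min-prime-bits 256)     ; accepts tiny Diffie-Hellman groups
;; (setq gnutls-verify-error nil)       ; certificate problems do not abort the connection

;; Stronger settings, roughly the posture of a current browser:
(setq network-security-level 'high)     ; NSM flags unverified certificates,
                                        ; weak key exchange and changed fingerprints
(setq gnutls-verify-error t)            ; fail the connection on any verification error
(setq gnutls-min-prime-bits 2048)       ; refuse Diffie-Hellman groups below 2048 bits
```

Evaluating these forms in a running Emacs (or loading them from init.el) changes only that user's sessions; the argument in the message is about what the shipped defaults should be for everyone who never opens this file.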
