Re: The netsec thread

[Lars Ingebrigtsen]

Eli Zaretskii <address@hidden> writes:

>> From: Lars Ingebrigtsen <address@hidden>
>> Date: Fri, 23 Aug 2019 04:58:35 +0200
>> Cc: address@hidden
>> 
>> I'm not quite sure what to write in the NEWS file beyond what's already
>> there (that the security has been tightened, but that was already the
>> case last year :-/), and now it's just slightly more tightened.
>
> If there are any specific changes in behavior due to this
> "tightening", we should consider them for NEWS.

Well...  As technology is found to be insecure, it's added to the list
of what the NSM warns about.

But I don't really think that this is something that needs to be called
out (beyond a general "things are tighter") in either NEWS or documented
in the Emacs manual.

Today, we have stuff like:

@item @acronym{RC4} stream cipher
The @acronym{RC4} stream cipher is believed to be of low quality and
may allow eavesdropping by third parties.  (This is the @code{rc4}
check in @code{network-security-protocol-checks}).

I think this is of interest of absolutely zero reading the Emacs manual,
and is basically security showoffery.  (That's a word.)  The user just
needs to know that we're doing a best-effort er effort to adhere to best
practices, and if they're really really interested, they can read the
doc string to, say, `nsm-protocol-check--dhe-prime-kx', or any of the
other `nsm-protocol-check--*' functions, each of which has an essay in
the doc string now.

So I'd like to propose to remove most of the text about the specific
tests in the "Network Security" node in the Emacs manual (saving
precious pages) and just refer the user to the doc strings.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no