Re: Gmane with Gnus first timer

From: Alberto Luaces
Subject: Re: Gmane with Gnus first timer
Date: Fri, 29 Sep 2017 09:43:40 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Maxim Cournoyer writes:

> Alberto Luaces <> writes:
>> Hi Maxim,
>> Maxim Cournoyer writes:
>>> Are you sure the data obtained from is not funneled
>>> through TLS? And why would Emacs warn about Gmane TLS problems
>>> otherwise? The Gnus manual has this to say about the
>>> `nntp-open-network-stream':
>>>     This is the default, and simply connects to some port or other on the
>>>     remote system. If both Emacs and the server supports it, the connection
>>>     will be upgraded to an encrypted STARTTLS connection automatically.
>> Yes, you are right in the TLS part, but I was referring to the trust you
>> are putting into a certificate you have also downloaded in an insecure
>> way.  The certificate system only works if it is signed by someone you
>> already trust.  If the certificate is self-signed, the only safe way to
>> check that it is the valid one would be to exchange fingerprints with
>> the owner by means of a different secure channel (telephone, USB
>> exchange...)
>> Otherwise you can suffer from a man-in-the-middle attack even if the whole
>> communication is encrypted.
> Good point! I hadn't given much thought about that one. Still, while
> flawed, the exercise of trusting the server is not
> totally pointless: if I was lucky enough to retrieve the certificate
> at a time before Malefoy compromised the communication, then I'm at least
> protected against later attacks.
> Thanks for sharing this important limitation. After Gmane is totally
> back, it would be nice if the self-signed certificate were upgraded to a
> free Let's Encrypt one[1].

I fully agree.  With LE, the excuses for not having a proper SSL system
are not valid anymore.
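The fingerprint-based check discussed in this thread, as an added example that is not part of the original thread or of Gnus: retrieve the server certificate over an NNTP STARTTLS upgrade, reduce it to a SHA-256 fingerprint that can be compared with the owner over another channel, and record it on first use so a later change is noticed. The host name, port and certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate;
    this is the value exchanged with the server owner out of band."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use check. Returns 'new' when the host is unknown (the
    fingerprint is recorded), 'match' when it equals the stored one, and
    'mismatch' when it differs. A mismatch may be tampering or a legitimate
    key rotation; only an out-of-band comparison tells which, so the caller
    must not proceed on its own."""
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "new"
    return "match" if pinned == fp else "mismatch"


def fetch_nntp_cert(host: str, port: int = 119, timeout: float = 10.0) -> bytes:
    """Perform the NNTP STARTTLS upgrade and return the server's DER
    certificate without validating it, so that its fingerprint can be
    compared out of band before any trust is placed in it.
    Hypothetical helper; needs network access and is not exercised offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # retrieving, not trusting
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        lines = sock.makefile("rb")
        greeting = lines.readline()     # e.g. "200 ... posting allowed"
        if not greeting.startswith(b"20"):
            raise RuntimeError(f"unexpected greeting: {greeting!r}")
        sock.sendall(b"STARTTLS\r\n")
        reply = lines.readline()        # "382 Continue with TLS negotiation"
        if not reply.startswith(b"382"):
            raise RuntimeError(f"STARTTLS refused: {reply!r}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-in for a real certificate, for an offline run.
    print(fingerprint(b"constructed DER certificate bytes"))
```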
