emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Deprecate TLS1.0 support in emacs

From: Robert Pluim
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Tue, 01 Aug 2017 17:12:53 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux) 
Lars Ingebrigtsen <address@hidden> writes:

> Paul Eggert <address@hidden> writes:
>
>> Last year I would have agreed, but nowadays I think it'd be better to
>> warn about TLS 1.0 somehow. According to
>> https://www.ssllabs.com/ssl-pulse/ from July 2016 to July 2017 TLS
>> v1.2 support climbed from 78.3% to 87.3%, whereas support for TLS v1.0
>> dropped from 97.3% to to 93.4% as the higher-end sites tighten up
>> security. By the time the next version of Emacs comes out, it looks
>> like a mild warning about TLS v1.0 will be appropriate.
>
> Yes, I agree.  eww, for instance, could remove the green URL when using
> TLS 1.0, etc.  But the proposed NSM warning (which would make the user
> answer "y" to a direct question about the TLS-ness) is too heavy, in my
> opinion.

OK. I happen to like NSM, mainly because I like explicit and detailed
messages from my tools, rather than having them change visual
indicators, but mileage obviously varies.

> But having the warning on the `high' NSM setting is fine with me, and
> I'll see what I can do about removing green URLs from eww...

Is that an offer to commit my patch? :-)

There's 🔐 and 🔓 you can use if you feel like getting fancy. Changing
the colour of the URL doesn't speak to me very much.

> Other services, like SMTP/IMAP/etc will have to invent other
> "lightweight" ways to tell the user that the content is on the insecure
> side.

I'm not sure how you can signal that someone's SMTP/IMAP session is
using an insecure protocol without ending up back at NSM.

Robert
reply via email to
[Prev in Thread] Current Thread [Next in Thread]