Re: A couple of questions and concerns about Emacs network security
From: Lars Ingebrigtsen
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 25 Jun 2018 18:55:22 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

Eli Zaretskii <address@hidden> writes:

> Allow me a few comments, with an eye towards getting at least some of
> this to the emacs-26 branch:
>
> . First, the NEWS entry should tell users how to get the previous
> (less secure) behavior if they want. I think this also calls for a
> better documentation of the elements that can appear in
> network-security-protocol-checks.
>
> . The change to gnutls-peer-status is not reflected in its doc string
> and is not called out in NEWS.

Yes, true. I'll do that later this week.

> . Do I understand correctly that most of the changes, including those
> in gnutls.c, are so that intermediary certificates could be
> verified? If so, would it make sense to omit that for emacs-26,
> and only beef up the medium level of security in NSM with the rest
> of the checks?

Yes, that is definitely a possibility. The nsm.el changes should be
safe to backport (after they've been in master for a couple of weeks so
that people can test them), while the gnutls.c change might be more
dangerous.

However, the thing that's protecting against (a SHA1 intermediate
certificate (oops, I see I've called it "intermediary" in the code and
doc; I'll fix that now)) is, I seem to remember, now being considered a
realistic attack (i.e., you can generate valid-looking fake certificates
based on one).

Or do I misremember? I tried googling now, and I couldn't find anybody
actually achieving that yet...

--
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no