From: Ted Zlatanov <tzz@lifelogs.com>
To: 16978@debbugs.gnu.org
Subject: bug#16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities
Date: Mon, 17 Mar 2014 17:06:08 -0400 [thread overview]
Message-ID: <878us88ri7.fsf@lifelogs.com> (raw)
In-Reply-To: <86siqqv938.fsf@informationelle-selbstbestimmung-im-internet.de>
On Mon, 10 Mar 2014 07:52:43 +0100 Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> wrote:
JL> I don't find that acceptable. I vote to ship Emacs with certificate
JL> checking by default.
Hi Jens,
that's how it's planned, but please realize we have to be careful with
the large population of Emacs users that would be surprised by sudden
failures. So 24.4 is the first version where we'll start doing this.
JL> gnutls-cli --tofu opens a TLS connection and asks whether the
JL> certificate can be trusted. If so, it is added to
JL> ~/.gnutls/known_hosts. On subsequent connections, the presented
JL> certificate is compared against the stored one; in case of
JL> mismatches, the user is asked whether to trust the new one. To
JL> prevent the process from hanging while waiting for the user's reply,
JL> option --strict-tofu (introduced in GnuTLS 3.2.12) can be used.
JL> I'm describing my view on certificate pinning in general and some
JL> details on TOFU with GnuTLS in more detail in my blog:
JL> https://blogs.fsfe.org/jens.lechtenboerger/?p=208
That's wonderful, but please realize this doesn't work for Emacs because
often, interactive prompting would not be available. The consensus so
far has been to abort the connection and tell the user how to allow a
host specifically. Can you suggest a cleaner way, perhaps using TOFU
with some C automation?
(`gnutls-cli' should not be assumed to be available)
JL> For Emacs, here is my personal workaround (a real fix would
JL> probably require a unified, secure-by-default treatment of TLS
JL> throughout all libraries):
I appreciate all your review. It's too late to make these changes for
24.4, but I think if you can review the state of things in 24.4, maybe
we could discuss an expedited 24.5 release with security fixes (that
would be up to the Emacs maintainers, of course).
Thanks
Ted
next prev parent reply other threads:[~2014-03-17 21:06 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-10 6:52 bug#16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities Jens Lechtenboerger
2014-03-10 7:04 ` Glenn Morris
2014-03-11 17:04 ` Jens Lechtenboerger
2014-03-17 21:33 ` Ted Zlatanov
2014-03-18 21:25 ` Jens Lechtenboerger
2014-03-17 21:06 ` Ted Zlatanov [this message]
2014-03-18 21:04 ` Jens Lechtenboerger
2014-03-20 13:43 ` Ted Zlatanov
2014-03-20 14:39 ` Lars Magne Ingebrigtsen
2014-03-21 10:24 ` Ted Zlatanov
2014-03-24 12:14 ` Lars Magne Ingebrigtsen
2014-03-21 20:49 ` Jens Lechtenboerger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878us88ri7.fsf@lifelogs.com \
--to=tzz@lifelogs.com \
--cc=16978@debbugs.gnu.org \
--cc=bug-gnu-emacs@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).