From: "Perry E. Metzger"
To: Florian Weimer
Cc: emacs-devel@gnu.org, rms@gnu.org, Rob Browning, kurt@roeckx.be
Newsgroups: gmane.emacs.devel
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 16:26:16 -0400

On Thu, 23 Oct 2014 21:50:07 +0200 Florian Weimer wrote:
> * Perry E. Metzger:
>
> > The intelligence agencies thank you for your inadvertent
> > assistance in assuring that various kinds of downgrade, padding
> > and other attacks will remain feasible for years to come.
>
> Giving incorrect advice, like you do, does not make the Internet a
> safer place, either.

You think telling people they should be using a secure protocol is
"incorrect advice"? Really? You think telling people to keep
providing vulnerable protocols by default is "correct" advice?
You couldn't be suggesting a policy more useful to the National
Security Agency -- this is exactly what they would prefer vendors do,
keep supporting insecure protocols forever, especially ones you can
force people into with downgrade attacks.

The real problem is that many users don't understand the tradeoffs or
that there's even an issue. If the software vendors (and FSF is a
software vendor) keep supporting old protocols forever, they never
*will* figure out they need to upgrade.

To reiterate: all the major sites already use TLS 1.2 with AES. All
open source TLS implementations implement 1.2 and AES. Ceasing to use
SSL 3.0 is simple (even ceasing to use TLS 1.0 and 1.1 is simple but
we're talking about SSL 3.0 here).

So, why do we need to support SSL 3.0 again? What's the rationale,
other than making the lives of attackers easy?

> I don't think it makes sense to continue the discussion. Again, if
> you are looking for something useful to do, rally against RC4, not
> SSL 3.0.

None of the big sites are using RC4 any more, and the open source TLS
implementations supply better algorithms, so what is there to rally
against? Now we have to rally against SHA-1 in certs vs. the use of
newer hash functions -- the world has moved on.

Perry
-- 
Perry E. Metzger		perry@piermont.com