From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: "Perry E. Metzger" <perry@piermont.com>
Newsgroups: gmane.emacs.devel
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 22:56:21 -0400
Message-ID: <20141023225621.753e2c9f@jabberwock.cb.piermont.com>
References: <87zjcnj2k6.fsf@trouble.defaultvalue.org>
	<E1XhLLS-0005Pt-BQ@fencepost.gnu.org>
	<87mw8mzmxj.fsf@mid.deneb.enyo.de>
	<20141023143702.3897e618@jabberwock.cb.piermont.com>
	<8761fazkx7.fsf@mid.deneb.enyo.de>
	<20141023145721.12ed0820@jabberwock.cb.piermont.com>
	<87vbnay5lf.fsf@mid.deneb.enyo.de>
	<20141023154223.45f2c9eb@jabberwock.cb.piermont.com>
	<87wq7qva4w.fsf@mid.deneb.enyo.de>
	<20141023162616.2217bfa1@jabberwock.cb.piermont.com>
	<20141023210546.GA18158@roeckx.be>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1414119399 24004 80.91.229.3 (24 Oct 2014 02:56:39 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Fri, 24 Oct 2014 02:56:39 +0000 (UTC)
Cc: Florian Weimer <fw@deneb.enyo.de>, Rob Browning <rlb@defaultvalue.org>,
	emacs-devel@gnu.org
To: Kurt Roeckx <kurt@roeckx.be>
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Oct 24 04:56:28 2014
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1XhV3E-0000Iv-AM
	for ged-emacs-devel@m.gmane.org; Fri, 24 Oct 2014 04:56:28 +0200
Original-Received: from localhost ([::1]:44609 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1XhV3D-0000IN-HS
	for ged-emacs-devel@m.gmane.org; Thu, 23 Oct 2014 22:56:27 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:51160)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <perry@piermont.com>) id 1XhV3A-0000I7-0t
	for emacs-devel@gnu.org; Thu, 23 Oct 2014 22:56:24 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <perry@piermont.com>) id 1XhV39-0006VZ-3b
	for emacs-devel@gnu.org; Thu, 23 Oct 2014 22:56:23 -0400
Original-Received: from hacklheber.piermont.com
	([2001:470:30:84:e276:63ff:fe62:3400]:43337)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <perry@piermont.com>) id 1XhV38-0006VR-W7
	for emacs-devel@gnu.org; Thu, 23 Oct 2014 22:56:23 -0400
Original-Received: from snark.cb.piermont.com (localhost [127.0.0.1])
	by hacklheber.piermont.com (Postfix) with ESMTP id CE1CF14D1;
	Thu, 23 Oct 2014 22:56:21 -0400 (EDT)
Original-Received: from jabberwock.cb.piermont.com (jabberwock.cb.piermont.com
	[10.160.2.107])
	by snark.cb.piermont.com (Postfix) with ESMTP id 8E7B02DFCDB;
	Thu, 23 Oct 2014 22:56:21 -0400 (EDT)
In-Reply-To: <20141023210546.GA18158@roeckx.be>
X-Mailer: Claws Mail 3.10.1 (GTK+ 2.24.25; x86_64-apple-darwin14.0.0)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 2001:470:30:84:e276:63ff:fe62:3400
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:175765
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/175765>

On Thu, 23 Oct 2014 23:05:46 +0200 Kurt Roeckx <kurt@roeckx.be> wrote:
> > So, why do we need to support SSL
> > 3.0 again? What's the rationale, other than making the lives of
> > attackers easy?
> 
> I'm all for dropping SSL 3.0 support and I disabled it in openssl
> in Debian testing and unstable.  This was already planned for some
> time, and the POODLE attack made me just do it.

Then we're pretty much in agreement already and no more needs to be
said. :)

> But if your concern is about the POODLE attack, please note that
> the attack requires many connection attemps where the attacker has
> control over the plaintext that is being send.

Long experience says that attacks only get stronger with time. (They
don't get weaker -- people don't forget attacks -- and smart people
often figure out refinements.) I prefer closing the door rather than
waiting to find out what the next implication of downgrade attacks is.

Anyway, you agree with me on the SSL 3.0 part, and I'm not seriously
suggesting TLS 1.0 be dropped *yet*, so we agree.

Perry
-- 
Perry E. Metzger		perry@piermont.com