From: "Perry E. Metzger" <perry@piermont.com>
To: Kurt Roeckx
Cc: Florian Weimer, Rob Browning, emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 22:56:21 -0400
Message-ID: <20141023225621.753e2c9f@jabberwock.cb.piermont.com>
In-Reply-To: <20141023210546.GA18158@roeckx.be>
X-Mailer: Claws Mail 3.10.1 (GTK+ 2.24.25; x86_64-apple-darwin14.0.0)

On Thu, 23 Oct 2014 23:05:46 +0200 Kurt Roeckx wrote:

> > So, why do we need to support SSL 3.0 again? What's the rationale,
> > other than making the lives of attackers easy?
>
> I'm all for dropping SSL 3.0 support and I disabled it in openssl
> in Debian testing and unstable. This was already planned for some
> time, and the POODLE attack made me just do it.

Then we're pretty much in agreement already and no more needs to be
said. :)

> But if your concern is about the POODLE attack, please note that
> the attack requires many connection attempts where the attacker has
> control over the plaintext that is being sent.

Long experience says that attacks only get stronger with time. (They
don't get weaker -- people don't forget attacks -- and smart people
often figure out refinements.) I prefer closing the door rather than
waiting to find out what the next implication of downgrade attacks is.

Anyway, you agree with me on the SSL 3.0 part, and I'm not seriously
suggesting TLS 1.0 be dropped *yet*, so we agree.

Perry
-- 
Perry E. Metzger perry@piermont.com
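The policy the thread converges on (refuse SSL 3.0 outright, keep tolerating TLS 1.0 for now) is a decision a client can make from the version bytes in the peer's ServerHello before any application data is exchanged. The following is an added example written for this page; it is not code from the thread, from Emacs/gnus, or from OpenSSL. It parses the TLS record header and ServerHello version fields as laid out in RFC 5246 and applies a hard-coded minimum version; `build_server_hello` produces constructed sample records for the check (a real peer would fill in a random and a real cipher suite), and the `MINIMUM_VERSION` policy and the `HelloVersion` type are assumptions of this example, not names from the page.

```python
"""
Version gate for an SSL/TLS client: reject a ServerHello that negotiates
SSL 3.0, accept TLS 1.0 and later. Added example, not the page's code.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Record-layer content type for handshake messages (RFC 5246, 6.2.1).
CONTENT_TYPE_HANDSHAKE = 0x16
# Handshake message type for ServerHello (RFC 5246, 7.4).
HANDSHAKE_SERVER_HELLO = 0x02

# Wire encoding of the (major, minor) version field.  SSL 3.0 is 3.0 on
# the wire; TLS 1.0 is 3.1.  TLS 1.3 still puts 3.3 here and signals
# 1.3 in an extension, which is out of scope for this check.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

# Policy assumed here, matching the thread: SSL 3.0 is out, TLS 1.0 stays.
MINIMUM_VERSION = (3, 1)


@dataclass
class HelloVersion:
    record_version: tuple[int, int]   # version in the 5-byte record header
    hello_version: tuple[int, int]    # version negotiated in the ServerHello body
    allowed: bool                     # True if hello_version >= MINIMUM_VERSION
    reason: str                       # human-readable decision for logging


def parse_server_hello_version(data: bytes) -> HelloVersion:
    """Parse one handshake record carrying a ServerHello and apply the policy."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type:#x})")
    body = data[5:5 + rec_len]
    if len(body) < 6 or len(body) != rec_len:
        raise ValueError("truncated handshake message")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type:#x})")
    if hs_len + 4 != len(body):
        raise ValueError("handshake length does not match record length")
    hello_version = (body[4], body[5])
    allowed = hello_version >= MINIMUM_VERSION
    name = VERSION_NAMES.get(hello_version, f"unknown {hello_version[0]}.{hello_version[1]}")
    verdict = "accepted" if allowed else "refused: below policy minimum"
    return HelloVersion((rec_major, rec_minor), hello_version, allowed, f"negotiated {name}: {verdict}")


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed sample record: minimal ServerHello with the given version.

    Fields: version(2) random(32) session_id_len(1) cipher_suite(2)
    compression(1).  The zero random and TLS_RSA_WITH_AES_128_CBC_SHA
    (0x002f) are placeholder values for the example only.
    """
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    header = struct.pack("!BBBH", CONTENT_TYPE_HANDSHAKE, major, minor, len(handshake))
    return header + handshake


if __name__ == "__main__":
    for version in ((3, 0), (3, 1), (3, 3)):
        print(parse_server_hello_version(build_server_hello(*version)).reason)
```

A client that applies this gate fails closed on SSL 3.0 regardless of how many connections an attacker can force or how much of the plaintext they control, which is the point of "closing the door" rather than reasoning about the current cost of the attack.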