From: "Perry E. Metzger" <perry@piermont.com>
To: "Stephen J. Turnbull" <turnbull@sk.tsukuba.ac.jp>
Cc: Florian Weimer <fw@deneb.enyo.de>,
emacs-devel@gnu.org, kurt@roeckx.be,
Rob Browning <rlb@defaultvalue.org>,
rms@gnu.org
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Fri, 24 Oct 2014 17:14:21 -0400 [thread overview]
Message-ID: <20141024171421.78720abe@jabberwock.cb.piermont.com> (raw)
In-Reply-To: <87wq7pgpif.fsf@uwakimon.sk.tsukuba.ac.jp>
On Sat, 25 Oct 2014 05:51:36 +0900 "Stephen J. Turnbull"
<turnbull@sk.tsukuba.ac.jp> wrote:
> But you're defining "sensitive" in terms of security, and that's the
> wrong definition -- those sensitive users are already doing what you
> advocate and don't need encouragement to upgrade their servers and
> so on.[1] It's security-insensitive users who would be
> inconvenienced,
For a long time, the community believed that the relevant fact was
that most users were not security sensitive. Then we came to
understand that the same application software is used by your
grandfather and by reporters talking to sources about intelligence
agencies with hostile intent. It is also the case that few users with
high level security needs actually understand how to tune their
applications.
Unfortunately, the proper strategy is to code to the *highest* level
of security that a user of your application might need, not to the
average level of security one of your users might need.
Or, to quote the usual slogan, "there should only be one mode, and it
should be secure".
> [1] It's true that these users *need* the option to turn off the
> less secure protocol so it doesn't get used inadvertantly, and it's
> probably desirable that it be off by default.
Turning off insecure modes of operation by default is a sort of
minimum, yes. However, it is usually insufficient if it is relatively
easy to turn security off and produces no feedback to the effect
that you are operating in insecure mode.
Once you've listened to the secret service or DEA chatting on the
radio in the clear by accident because they don't realize they
inadvertently turned off the encryption on their P25 radios (which is
trivial to do by accident and provides no warning feedback) you
realize that essentially *no* user can be trusted with such decisions
in the average case.
(This is not a theoretical story, by the way. And yes, you can read
our research group's papers about public safety radio security.)
When you study the failures in enough real world deployed systems,
even when used by trained personnel, you lose your belief that it
is okay to provide knobs to the users that they don't understand very
well. Really the only safe system follows "there should be only one
mode, and it should be secure".
Oh, and the reason P25 radios can be turned to the clear is... wait
for it... *for fallback compatibility*. People's lives have been
endangered by that little decision. (The only agency we found that
does not have serious leakage was the one that made the decision to
remove the clear option from their radios entirely. Somehow, they
found that they could live without compatibility with equipment
that could only do clear.)
Perry
--
Perry E. Metzger perry@piermont.com
next prev parent reply other threads:[~2014-10-24 21:14 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20141022193441.GA11872@roeckx.be>
2014-10-22 20:02 ` Bug#766395: emacs/gnus: Uses s_client to for SSL Rob Browning
2014-10-22 20:05 ` Rob Browning
2014-10-23 14:03 ` Ted Zlatanov
2014-10-23 15:57 ` Rob Browning
2014-10-24 13:39 ` Ted Zlatanov
2016-02-20 15:28 ` Kurt Roeckx
2016-02-21 2:47 ` Lars Ingebrigtsen
2017-02-22 20:38 ` Bug#766397: " Antoine Beaupre
2017-04-16 17:28 ` Rob Browning
2014-10-22 20:14 ` Stefan Monnier
2014-10-22 21:02 ` Andreas Schwab
2014-10-23 16:49 ` Andreas Schwab
2014-10-23 17:29 ` Lars Magne Ingebrigtsen
2014-10-23 20:36 ` Stefan Monnier
2014-10-24 7:01 ` Lars Magne Ingebrigtsen
2014-10-27 19:42 ` Filipp Gunbin
2014-10-23 16:34 ` Richard Stallman
2014-10-23 18:00 ` Florian Weimer
2014-10-23 18:37 ` Perry E. Metzger
2014-10-23 18:43 ` Florian Weimer
2014-10-23 18:57 ` Perry E. Metzger
2014-10-23 18:59 ` Florian Weimer
2014-10-23 19:11 ` Kurt Roeckx
2014-10-23 19:42 ` Perry E. Metzger
2014-10-23 19:50 ` Florian Weimer
2014-10-23 20:26 ` Perry E. Metzger
2014-10-23 21:05 ` Kurt Roeckx
2014-10-24 2:56 ` Perry E. Metzger
2014-10-23 21:48 ` Stephen J. Turnbull
2014-10-24 3:00 ` Perry E. Metzger
2014-10-24 20:51 ` Stephen J. Turnbull
2014-10-24 21:14 ` Perry E. Metzger [this message]
2014-10-24 21:33 ` Lars Magne Ingebrigtsen
2014-10-25 0:36 ` Perry E. Metzger
2014-10-25 15:27 ` Ted Zlatanov
2014-10-25 15:53 ` Lars Magne Ingebrigtsen
2014-10-26 8:15 ` Florian Weimer
2014-10-26 11:42 ` Lars Magne Ingebrigtsen
2014-10-26 12:45 ` Florian Weimer
2014-10-26 1:42 ` Richard Stallman
2014-10-26 7:38 ` Florian Weimer
2014-10-24 21:47 ` Stephen J. Turnbull
2014-10-25 0:42 ` Perry E. Metzger
2014-10-27 17:17 ` Stephen J. Turnbull
2014-10-27 19:39 ` Perry E. Metzger
2014-10-28 7:04 ` Stephen J. Turnbull
2014-10-28 7:45 ` Thien-Thi Nguyen
2014-10-28 8:44 ` Stephen J. Turnbull
2014-10-28 13:31 ` Stefan Monnier
2014-10-28 15:19 ` Perry E. Metzger
2014-10-28 15:33 ` Florian Weimer
2014-10-28 16:20 ` Perry E. Metzger
2014-10-28 16:52 ` Stefan Monnier
2014-10-28 17:11 ` Perry E. Metzger
2014-10-29 3:19 ` Stephen J. Turnbull
2014-10-28 15:10 ` Perry E. Metzger
2014-10-29 2:33 ` Stephen J. Turnbull
2014-10-29 3:06 ` Perry E. Metzger
2014-10-29 7:28 ` Stephen J. Turnbull
2014-10-29 11:19 ` Perry E. Metzger
2014-10-23 19:03 ` Kurt Roeckx
2014-10-24 13:35 ` Ted Zlatanov
2014-10-25 7:31 ` Richard Stallman
2014-10-25 14:33 ` Perry E. Metzger
2014-10-25 15:49 ` removing SSLv3 support by default from the Emacs GnuTLS integration (was: Bug#766395: emacs/gnus: Uses s_client to for SSL.) Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141024171421.78720abe@jabberwock.cb.piermont.com \
--to=perry@piermont.com \
--cc=emacs-devel@gnu.org \
--cc=fw@deneb.enyo.de \
--cc=kurt@roeckx.be \
--cc=rlb@defaultvalue.org \
--cc=rms@gnu.org \
--cc=turnbull@sk.tsukuba.ac.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).