From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: "Perry E. Metzger" Newsgroups: gmane.emacs.devel Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL. Date: Fri, 24 Oct 2014 20:36:29 -0400 Message-ID: <20141024203629.20b4b7f1@jabberwock.cb.piermont.com> References: <20141022193441.GA11872@roeckx.be> <87zjcnj2k6.fsf@trouble.defaultvalue.org> <87mw8mzmxj.fsf@mid.deneb.enyo.de> <20141023143702.3897e618@jabberwock.cb.piermont.com> <8761fazkx7.fsf@mid.deneb.enyo.de> <20141023145721.12ed0820@jabberwock.cb.piermont.com> <87vbnay5lf.fsf@mid.deneb.enyo.de> <20141023154223.45f2c9eb@jabberwock.cb.piermont.com> <874muuihjh.fsf@uwakimon.sk.tsukuba.ac.jp> <20141023230048.13f8234a@jabberwock.cb.piermont.com> <87wq7pgpif.fsf@uwakimon.sk.tsukuba.ac.jp> <20141024171421.78720abe@jabberwock.cb.piermont.com> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Trace: ger.gmane.org 1414197419 20734 80.91.229.3 (25 Oct 2014 00:36:59 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sat, 25 Oct 2014 00:36:59 +0000 (UTC) Cc: rms@gnu.org, kurt@roeckx.be, emacs-devel@gnu.org, Florian Weimer , "Stephen J. Turnbull" , Rob Browning To: Lars Magne Ingebrigtsen Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sat Oct 25 02:36:52 2014 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1XhpLe-0002p0-No for ged-emacs-devel@m.gmane.org; Sat, 25 Oct 2014 02:36:50 +0200 Original-Received: from localhost ([::1]:51413 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XhpLe-0003GZ-6l for ged-emacs-devel@m.gmane.org; Fri, 24 Oct 2014 20:36:50 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:42627) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XhpLO-0003Fr-Gq for emacs-devel@gnu.org; Fri, 24 Oct 2014 20:36:38 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XhpLK-0003SM-8z for emacs-devel@gnu.org; Fri, 24 Oct 2014 20:36:34 -0400 Original-Received: from hacklheber.piermont.com ([2001:470:30:84:e276:63ff:fe62:3400]:47767) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XhpLK-0003SI-3M; Fri, 24 Oct 2014 20:36:30 -0400 Original-Received: from snark.cb.piermont.com (localhost [127.0.0.1]) by hacklheber.piermont.com (Postfix) with ESMTP id 897DB1438; Fri, 24 Oct 2014 20:36:29 -0400 (EDT) Original-Received: from jabberwock.cb.piermont.com (jabberwock.cb.piermont.com [10.160.2.107]) by snark.cb.piermont.com (Postfix) with ESMTP id 503AB2DFD09; Fri, 24 Oct 2014 20:36:29 -0400 (EDT) In-Reply-To: X-Mailer: Claws Mail 3.10.1 (GTK+ 2.24.25; x86_64-apple-darwin14.0.0) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 2001:470:30:84:e276:63ff:fe62:3400 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:175800 Archived-At: On Fri, 24 Oct 2014 23:33:01 +0200 Lars Magne Ingebrigtsen wrote: > "Perry E. Metzger" writes: > > > Once you've listened to the secret service or DEA chatting on the > > radio in the clear by accident because they don't realize they > > inadvertently turned off the encryption on their P25 radios > > (which is trivial to do by accident and provides no warning > > feedback) you realize that essentially *no* user can be trusted > > with such decisions in the average case. > > [...] > > > Really the only safe system follows "there should be only one > > mode, and it should be secure". > > This is alarmist nonsense. No, it is the result of working in security for about twenty years. > It's telling that your example is a case where, perhaps, it might > have made a difference whether the communication was secure or not. As I've said earlier: the problem is that ordinary users use the same applications as extraordinary ones. P25 radios are used both by shopping mall security guards and by the US Secret Service. If you say "oh, the security doesn't have to be perfect for a security guard", you end up endangering the highest risk users. When the reporters who dealt with Edward Snowden were communicating with them, they didn't have the special unusual operating system issued only to special reporters, they had the normal one. People with secrets to keep use the same mail programs other people do, the same text editors, the same web browsers. You can't say "oh, most users don't need protection", or "well, for most web sites the user doesn't need protection". You have to aim your protection to the users you have with the highest need for secrecy, your web browser for the banking application, not the times when the user is browsing auto reviews. > However, the common case for a normal user is when you're binging > around for a solution as to why your Foobarzot device is not And who cares, because that same user will also look at his bank statements, and who cares, because the reporter who is talking to someone risking their life in Iran just by communicating with a Western journalist is using the same email program or web browser as everyone else. And let me be blunt: I'm sick of cleaning up the messes software developers playing amateur security people have created for the world over the last few decades. I spend my life cleaning up messes caused by people who think they're smarter. SSL itself is an example of this -- designed by people at Netscape who knew better and didn't consult anyone who actually had any experience. You read the full disclosure mailing list or the equivalent and you see exactly what the amateurs have produced with their "oh, who would think to do that" or "well, we need to be compatible" or their "well, most users don't need protection" attitude, and worse, you see it day after day, week after week. You started this by saying that I was producing "alarmist nonsense". Sadly, we live in a world where the largest banks in the world, the largest retailers, etc. get broken in to regularly, where there are spy agencies trying to record your, yes your, phone calls, never mind how unimportant you think you are, where there are activists in countries all of the world whose lives are put at risk by crappy software, where most system security is a broken mess. Quit playing amateur security expert. You're part of the problem when you do. > In real life, virtually all situations where the security of the > communication channel can't be verified, you simply don't care at > all. Yes, but your software will not be used exclusively by people who don't care, and you have no control over who uses your software. > The super-alarmist "don't allow the user to do what she obviously > wants to do" just makes the user to disable all security. Not if you remove the ability to disable security. In fact, if you let the user disable security, they'll be tricked into doing so by social engineering attacks of various kinds, so you can't actually leave that knob available anyway. That's not theoretical either. It was a huge mistake that many of our protocols make security optional -- a mistake being corrected in the new HTTP, by the way, which will not even permit unencrypted connections. Perry -- Perry E. Metzger perry@piermont.com