Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: "Perry E. Metzger" <perry@piermont.com>
To: "Stephen J. Turnbull" <stephen@xemacs.org>
Cc: Florian Weimer <fw@deneb.enyo.de>,
	rms@gnu.org, kurt@roeckx.be, Rob Browning <rlb@defaultvalue.org>,
	emacs-devel@gnu.org
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Fri, 24 Oct 2014 20:42:02 -0400	[thread overview]
Message-ID: <20141024204202.276dbb1f@jabberwock.cb.piermont.com> (raw)
In-Reply-To: <87r3xxgmx2.fsf@uwakimon.sk.tsukuba.ac.jp>

On Sat, 25 Oct 2014 06:47:37 +0900 "Stephen J. Turnbull"
<stephen@xemacs.org> wrote:
> It's possible that the inconvenience is small.  Your anecdote about
> P25 radios suggests that in that case in fact it was, but that can
> only be determined by finding out whether organizations different in
> many ways are the same in that dimension.  On the other hand, it is
> a fact that people have died (and to this day are dying in Japan)
> because of lack of compatibility between communication systems among
> cooperating organizations such as fire and police.  It's possible
> that fallback-to-compatible capability did matter and still does
> matter.

There are ways to provide compatibility without sacrificing security,
however. Read our papers or our (redacted) recommendations to law
enforcement if you wish.

> I'm not going to attempt to deny the importance of security, the
> lack of information and training in use of optional security
> features among users, or the rapid escalation of frequency and
> power of attacks. Nevertheless, advocating extreme security policy
> is unlikely to achieve the goal of extreme security in the current
> environment, and I believe that a more balanced approach can do
> better.

I think that removing SSL 3.0 support is not an "extreme measure" and
leaving it in isn't "balanced" at this point.

TLS 1.0 has been around for a very long time. If you want to argue
that removing TLS 1.0 and 1.1 support is a bad idea since support
has only become 100% universal in the last several years, you have a
case to make -- perhaps it should be another few years until those
are deprecated. Then again, I never suggested removing them right now.

If, on the other hand, you want to argue that getting rid of SSL 3.0
is a problem at this point, then you are arguing de facto that bad
protocols can *never* be removed, and that causing minor
inconvenience to a handful of users is far more important than
security.

Perry
-- 
Perry E. Metzger		perry@piermont.com

next prev parent reply	other threads:[~2014-10-25  0:42 UTC|newest]

Thread overview: 65+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20141022193441.GA11872@roeckx.be>
2014-10-22 20:02 ` Bug#766395: emacs/gnus: Uses s_client to for SSL Rob Browning
2014-10-22 20:05   ` Rob Browning
2014-10-23 14:03     ` Ted Zlatanov
2014-10-23 15:57       ` Rob Browning
2014-10-24 13:39         ` Ted Zlatanov
2016-02-20 15:28           ` Kurt Roeckx
2016-02-21  2:47             ` Lars Ingebrigtsen
2017-02-22 20:38               ` Bug#766397: " Antoine Beaupre
2017-04-16 17:28                 ` Rob Browning
2014-10-22 20:14   ` Stefan Monnier
2014-10-22 21:02   ` Andreas Schwab
2014-10-23 16:49     ` Andreas Schwab
2014-10-23 17:29       ` Lars Magne Ingebrigtsen
2014-10-23 20:36         ` Stefan Monnier
2014-10-24  7:01           ` Lars Magne Ingebrigtsen
2014-10-27 19:42             ` Filipp Gunbin
2014-10-23 16:34   ` Richard Stallman
2014-10-23 18:00     ` Florian Weimer
2014-10-23 18:37       ` Perry E. Metzger
2014-10-23 18:43         ` Florian Weimer
2014-10-23 18:57           ` Perry E. Metzger
2014-10-23 18:59             ` Florian Weimer
2014-10-23 19:11               ` Kurt Roeckx
2014-10-23 19:42               ` Perry E. Metzger
2014-10-23 19:50                 ` Florian Weimer
2014-10-23 20:26                   ` Perry E. Metzger
2014-10-23 21:05                     ` Kurt Roeckx
2014-10-24  2:56                       ` Perry E. Metzger
2014-10-23 21:48                 ` Stephen J. Turnbull
2014-10-24  3:00                   ` Perry E. Metzger
2014-10-24 20:51                     ` Stephen J. Turnbull
2014-10-24 21:14                       ` Perry E. Metzger
2014-10-24 21:33                         ` Lars Magne Ingebrigtsen
2014-10-25  0:36                           ` Perry E. Metzger
2014-10-25 15:27                           ` Ted Zlatanov
2014-10-25 15:53                             ` Lars Magne Ingebrigtsen
2014-10-26  8:15                               ` Florian Weimer
2014-10-26 11:42                                 ` Lars Magne Ingebrigtsen
2014-10-26 12:45                                   ` Florian Weimer
2014-10-26  1:42                             ` Richard Stallman
2014-10-26  7:38                               ` Florian Weimer
2014-10-24 21:47                         ` Stephen J. Turnbull
2014-10-25  0:42                           ` Perry E. Metzger [this message]
2014-10-27 17:17                             ` Stephen J. Turnbull
2014-10-27 19:39                               ` Perry E. Metzger
2014-10-28  7:04                                 ` Stephen J. Turnbull
2014-10-28  7:45                                   ` Thien-Thi Nguyen
2014-10-28  8:44                                     ` Stephen J. Turnbull
2014-10-28 13:31                                   ` Stefan Monnier
2014-10-28 15:19                                     ` Perry E. Metzger
2014-10-28 15:33                                       ` Florian Weimer
2014-10-28 16:20                                         ` Perry E. Metzger
2014-10-28 16:52                                       ` Stefan Monnier
2014-10-28 17:11                                         ` Perry E. Metzger
2014-10-29  3:19                                       ` Stephen J. Turnbull
2014-10-28 15:10                                   ` Perry E. Metzger
2014-10-29  2:33                                     ` Stephen J. Turnbull
2014-10-29  3:06                                       ` Perry E. Metzger
2014-10-29  7:28                                         ` Stephen J. Turnbull
2014-10-29 11:19                                           ` Perry E. Metzger
2014-10-23 19:03             ` Kurt Roeckx
2014-10-24 13:35     ` Ted Zlatanov
2014-10-25  7:31       ` Richard Stallman
2014-10-25 14:33         ` Perry E. Metzger
2014-10-25 15:49         ` removing SSLv3 support by default from the Emacs GnuTLS integration (was: Bug#766395: emacs/gnus: Uses s_client to for SSL.) Ted Zlatanov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20141024204202.276dbb1f@jabberwock.cb.piermont.com \
    --to=perry@piermont.com \
    --cc=emacs-devel@gnu.org \
    --cc=fw@deneb.enyo.de \
    --cc=kurt@roeckx.be \
    --cc=rlb@defaultvalue.org \
    --cc=rms@gnu.org \
    --cc=stephen@xemacs.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).