From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: "Perry E. Metzger"
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 11:33:20 -0400
Message-ID: <20180705113320.17e6b8ee@jabberwock.cb.piermont.com>
References: <83po0iuhs7.fsf@gnu.org>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Trace: blaine.gmane.org 1530804727 27933 195.159.176.226 (5 Jul 2018 15:32:07 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Thu, 5 Jul 2018 15:32:07 +0000 (UTC)
Cc: larsi@gnus.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, Noam Postavsky , wyuenho@gmail.com
To: Eli Zaretskii
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Jul 05 17:32:02 2018
Return-path:
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fb6Ej-00077v-Ee for ged-emacs-devel@m.gmane.org; Thu, 05 Jul 2018 17:32:01 +0200
Original-Received: from localhost ([::1]:53322 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fb6Gq-0004Yt-Fu for ged-emacs-devel@m.gmane.org; Thu, 05 Jul 2018 11:34:12 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:48067) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fb6G9-0004Yk-Hm for emacs-devel@gnu.org; Thu, 05 Jul 2018 11:33:33 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fb6G5-0006JJ-V6 for emacs-devel@gnu.org; Thu, 05 Jul 2018 11:33:29 -0400
Original-Received: from hacklheber.piermont.com ([2001:470:30:84:e276:63ff:fe62:3400]:60578) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fb6G1-0006HQ-KC; Thu, 05 Jul 2018 11:33:21 -0400
Original-Received: from snark.cb.piermont.com (localhost [127.0.0.1]) by hacklheber.piermont.com (Postfix) with ESMTP id 42916217; Thu, 5 Jul 2018 11:33:21 -0400 (EDT)
Original-Received: from jabberwock.cb.piermont.com (jabberwock.cb.piermont.com [10.160.2.107]) by snark.cb.piermont.com (Postfix) with ESMTP id 2625D2DEE47; Thu, 5 Jul 2018 11:33:21 -0400 (EDT)
In-Reply-To: <83po0iuhs7.fsf@gnu.org>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized.
X-Received-From: 2001:470:30:84:e276:63ff:fe62:3400
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel"
Xref: news.gmane.org gmane.emacs.devel:226956
Archived-At:

On Sat, 23 Jun 2018 09:40:56 +0300 Eli Zaretskii wrote:
> > From: Noam Postavsky
> > Date: Fri, 22 Jun 2018 22:17:56 -0400
> > Cc: Lars Magne Ingebrigtsen ,
> > Jimmy Yuen Ho Wong ,
> > Emacs developers
> >
> > On 22 June 2018 at 18:43, Paul Eggert
> > wrote:
> > > On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote:
> > >>
> > >> 1. Can we update the default network security settings?
> > >
> > >
> > > Yes, I would think so, in the master branch. As you say, the
> > > current defaults are inappropriate for today's users.
> >
> > Can we bump gnutls-min-prime-bits to 1024 on the release branch?
>
> No, I don't think so. Changing these settings needs a prolonged
> testing period to uncover any subtle problems with non-conforming
> servers that users must be able to access, and such testing is
> unlikely to happen on emacs-26 before the next bug-fix release.

All modern browsers set 1024 as a minimum. There is no need for Emacs to
worry about this as it has been years since you could connect to a web
site with less than 1024 bits security. It should be changed as soon as
possible.

Even 1024 bits is too small, but this is at least better than the
current situation.

Generally speaking, if a security setting is the default in Chrome,
Firefox, Safari, and Edge, you can feel reasonably certain that it is
safe to have Emacs turn on such a setting as well without fear that it
will cause inconvenience to the user community.

> If we change this now on emacs-26, we should probably not release
> Emacs 26.2 before a year goes by.

Perry

--
Perry E. Metzger perry@piermont.com
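The thread above asks whether `gnutls-min-prime-bits` should be raised to 1024 and argues that modern browsers already refuse smaller Diffie-Hellman groups. The Emacs Lisp below is an added illustration, not code from this thread or from Emacs itself: it raises the floor in a running Emacs and then probes a server to report the DH prime size that was actually negotiated, so an administrator can see which of the "non-conforming servers" Eli worries about would stop working under the new setting. It assumes that `gnutls-peer-status` returns a plist carrying `:diffie-hellman-prime-bits` for DHE handshakes (it does in Emacs's gnutls.c, and nsm.el reads the same key); the `my/` names, the HOST/PORT arguments and the 1024-bit constant are the example's own, the constant taken from the thread's proposal.

```elisp
;; Added illustration, not code from the emacs-devel thread or from Emacs.
;; Assumptions: `gnutls-peer-status' returns a plist with
;; :diffie-hellman-prime-bits for DHE handshakes; 1024 is the floor the
;; thread proposes.  All `my/' names are hypothetical.

(require 'gnutls)

(defconst my/dh-prime-bits-floor 1024
  "Minimum acceptable Diffie-Hellman prime size, in bits (thread's proposal).")

(defun my/apply-dh-floor ()
  "Raise `gnutls-min-prime-bits' to `my/dh-prime-bits-floor' if it is lower.
Returns the value in effect afterwards.  A nil or small shipped default is
what the thread calls inappropriate for today's users."
  (when (< (or gnutls-min-prime-bits 0) my/dh-prime-bits-floor)
    (setq gnutls-min-prime-bits my/dh-prime-bits-floor))
  gnutls-min-prime-bits)

(defun my/tls-dh-report (host port)
  "Open a TLS connection to HOST:PORT and report the negotiated DH prime size.
Returns a plist (:host HOST :dh-bits N :ok BOOL [:error MSG]).
:dh-bits is nil when the key exchange used no DH prime (e.g. ECDHE or RSA),
which counts as :ok because no weak group was accepted.  If the server only
offers a group below `gnutls-min-prime-bits', GnuTLS aborts the handshake;
that failure mode is caught and reported instead of signalled."
  (condition-case err
      (let* ((proc (open-network-stream "my-tls-probe" nil host port
                                        :type 'tls))
             (status (gnutls-peer-status proc))
             (bits (plist-get status :diffie-hellman-prime-bits)))
        (unwind-protect
            (list :host host
                  :dh-bits bits
                  :ok (or (null bits) (>= bits my/dh-prime-bits-floor)))
          (delete-process proc)))
    (error
     (list :host host :dh-bits nil :ok nil
           :error (error-message-string err)))))

;; Usage (interactive, network access required; HOST is a placeholder):
;; (my/apply-dh-floor)                         ; => 1024
;; (my/tls-dh-report "example.invalid" 443)    ; => (:host ... :dh-bits ... :ok ...)
```

Running `my/tls-dh-report` against the handful of internal or legacy hosts a site depends on is the cheap version of the "prolonged testing period" the thread mentions: any host that comes back with `:ok nil` and an `:error` string is one that the raised floor would break, and one whose DH group is weaker than every current browser accepts.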