From: "Perry E. Metzger"
To: Eli Zaretskii
Cc: wyuenho@gmail.com, larsi@gnus.org, eggert@cs.ucla.edu, rms@gnu.org, emacs-devel@gnu.org
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 7 Jul 2018 09:46:22 -0400
Message-ID: <20180707094622.6eff25bf@jabberwock.cb.piermont.com>
In-Reply-To: <83zhz3i3o3.fsf@gnu.org>
References: <20180705093346.071e6970@jabberwock.cb.piermont.com> <83wou9n66t.fsf@gnu.org> <20180705112920.076265d5@jabberwock.cb.piermont.com> <83r2khms1j.fsf@gnu.org> <20180705164500.0bde16cd@jabberwock.cb.piermont.com> <83bmbknafs.fsf@gnu.org> <20180707081833.37561702@jabberwock.cb.piermont.com> <83zhz3i3o3.fsf@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:227056

On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii wrote:

> > There is ample evidence that people in such situations rarely if
> > ever understand what the right thing to do is.
>
> That doesn't necessarily mean we need to assume none of them will
> understand that, if the considerations are explained in clear terms
> that can be mapped to the user's environment.

The difference between "none" and "under 5%" is so small as to be unimportant. In tests, even with very careful explanations, only a really tiny fraction of users seem to make good decisions some of the time, and that's even when computer science undergraduates are the test subjects. Go and check the literature on this if you don't believe me. Once the decisions are complicated, like figuring out whether to trust a certificate or not, the ability to make correct choices, even among security professionals, drops to the noise floor.

> > There's also another issue we've discovered: at one time, people
> > believed having software provide "levels" of security made
> > sense, but we now understand based on bitter experience that
> > everyone, whether their greatest threat is unimportant or whether
> > their greatest threat is a nation state, uses the same software
> > and same default settings 99% of the time, so software needs to
> > be built with the needs of people under threat in mind.
>
> I don't see how this is relevant, since we are talking about just
> one piece of software: Emacs. For the purposes of this discussion,
> whether they use the same browsers or different ones, because we are
> not discussing those browsers.

You may not see the relevance, but others do.

> And my personal experience definitely contradicts your "everyone"
> claim: e.g., my home network is set up with several non-default
> defenses, and so is my smartphone. Why should we assume a
> significant part of Emacs users is in the "everyone" camp? They
> did choose to use Emacs, didn't they?

The difference between one person in a hundred and no one is so small for purposes of deciding on default behavior as to be unimportant. As for your own configuration, you're free to change the defaults any way you like, so why are you arguing anyway? No one will stop you from selecting 256 bit D-H keys or turning off encryption entirely or turning off CT if that's what you really insist on.

> > And let me repeat, there's excellent field evidence that
> > people under threat generally have no technical expertise to make
> > serious security decisions, and that includes people with
> > programming backgrounds.
>
> You are entitled to your opinions

These are not opinions. They're facts. They're based on decades of field experience and objective studies published in the academic literature. There is almost universal agreement among the studies, too -- there are no published outliers that I'm aware of. So, my statements are not matters of opinion any more than the claim that most people get hungry if they don't eat for long enough is a matter of opinion.

You are, of course, entitled to claim the moon is made of green cheese or that most users can make informed security decisions for themselves about things like key length or certificate origins. These claims are both wrong, and no one should pay attention to such claims, but one is entitled to say it. Others should ignore such statements, however, because they are counterfactual.

> but I don't agree that we should
> design our defaults based on the assumption that we cannot expect
> our users to make informed decisions.

And this sets you apart from people who have worked in the field for decades, and from people who have done objective studies in the field. It's fine to let the tiny fraction of users who understand what they're doing go into their .emacs file and set whatever they prefer. Asking users to make "informed decisions" in real time simply doesn't work, and this is not opinion, it is fact, and though you are going to argue until the end of time regardless of evidence, your opinion is simply wrong.

I strongly suspect, by the way, that I could easily get you to make a bad security decision in a test environment. I don't trust myself to evaluate the origin of certificates in real time -- it's just too difficult to read an X.509 cert's contents and verify everything you need to (including the hash algorithms used in the entire chain, figuring out if the CA is one I should be expecting for this particular host, etc.) That is in spite of the fact that I've been doing this professionally for a very long time. I suspect I could easily cook up certs that you wouldn't be able to figure out, and that you would make the wrong decision if prompted to look at them.

That said, I have no objections to your being able to set whatever parameters you want by editing your configs. So you see, we can both have our way. You can run Windows XP until the end of time, and you can set your default configuration for TLS interactions badly, and other people can run much more secure free operating systems and can have strong TLS defaults, and everyone can be happy.

> > The other thing is, in spite of the constant claims, running with
> > the level of security provided by Firefox or Chrome or Safari
> > isn't the least bit inconvenient, so there's no obvious reason
> > not to do at least _that_.
>
> One would think that those "constant claims" might just provide
> such a reason.

The only one making this claim is _you_. No one can provide good examples of how following the usual practice in the rest of the community would inconvenience anyone, but you keep implying this anyway. No one else is making this claim, but you are constantly and consistently implying that it is the case even though there's basically no evidence for it.

> Besides, we don't really follow what those browsers do,

But we should. It's insane not to. You keep going on and on about how somehow setting such defaults would be inconvenient, but there's not the slightest evidence that it would be, and there's excellent evidence that there's good reason to follow those practices.

Perry
--
Perry E. Metzger perry@piermont.com
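The thread contrasts "strong TLS defaults" that match browser practice with a configuration "set badly" by hand, and notes that verifying a certificate chain in real time (hash algorithms, expected CA, hostname) is beyond most users. The following is an added example, not code from the thread or from Emacs; it uses only Python's standard-library `ssl` module to put the two client configurations side by side and to audit them. The function names and the finding strings are this example's own. The point it makes concrete is that the library performs the chain, hostname and protocol-floor checks when the configuration asks for them, so no per-connection decision is left to the user.

```python
"""Two TLS client configurations side by side, plus a small audit.

Added example for the emacs-devel thread, not code from the list or
from Emacs. Only the standard-library ssl module is used.
"""
import ssl


def browser_grade_context() -> ssl.SSLContext:
    """Client context with the checks current browsers perform by default."""
    ctx = ssl.create_default_context()            # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1 outright
    ctx.check_hostname = True                     # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain must validate to a trusted CA
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The 'set your defaults badly' case: encryption without authentication.

    This is what a user ends up with after switching verification off to make
    a warning go away. Any certificate presented by the peer is accepted, so an
    active attacker on the path is not distinguished from the real server.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for settings below browser practice.

    An empty list means the context would not be flagged. The finding text is
    this example's own wording, not anything the ssl module emits.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: peer certificate chain is not required to validate")
    if not ctx.check_hostname:
        findings.append("check_hostname: certificate is not matched against the hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version: TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("browser-grade", browser_grade_context()),
                      ("weakened", weakened_context())):
        print(f"{name}: {audit_context(ctx) or ['no findings']}")
```

Running the script prints no findings for the browser-grade context and two or three for the weakened one (the protocol-floor finding depends on the interpreter version, since newer Python releases already default `minimum_version` to TLS 1.2). The audit is the kind of check a distribution or a project can run over its own defaults once, rather than asking each user to evaluate a certificate when a connection is made.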