From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: "Perry E. Metzger" Newsgroups: gmane.emacs.devel Subject: Re: A couple of questions and concerns about Emacs network security Date: Mon, 9 Jul 2018 20:02:28 -0400 Message-ID: <20180709200228.031de093@jabberwock.cb.piermont.com> References: <83o9g2uhju.fsf@gnu.org> <20180705115826.73c1d95e@jabberwock.cb.piermont.com> <83a7r4n5ht.fsf@gnu.org> <87lgaoaf2f.fsf@gmail.com> <877em7o09z.fsf@gmail.com> <87r2kcmu7q.fsf@gmail.com> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Trace: blaine.gmane.org 1531180971 2557 195.159.176.226 (10 Jul 2018 00:02:51 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Tue, 10 Jul 2018 00:02:51 +0000 (UTC) Cc: Eli Zaretskii , Paul Eggert , Lars Ingebrigtsen , rms@gnu.org, Emacs-Devel devel To: Jimmy Yuen Ho Wong Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Tue Jul 10 02:02:47 2018 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fcg7C-0000Yl-RH for ged-emacs-devel@m.gmane.org; Tue, 10 Jul 2018 02:02:46 +0200 Original-Received: from localhost ([::1]:44972 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fcg9J-0003r0-RS for ged-emacs-devel@m.gmane.org; Mon, 09 Jul 2018 20:04:57 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:36276) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fcg78-0001ta-7S for emacs-devel@gnu.org; Mon, 09 Jul 2018 20:02:43 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fcg77-000283-AU for emacs-devel@gnu.org; Mon, 09 Jul 2018 20:02:42 -0400 Original-Received: from hacklheber.piermont.com ([166.84.7.14]:51120) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fcg71-00025m-P1; Mon, 09 Jul 2018 20:02:35 -0400 Original-Received: from snark.cb.piermont.com (localhost [127.0.0.1]) by hacklheber.piermont.com (Postfix) with ESMTP id 6884E1FB; Mon, 9 Jul 2018 20:02:28 -0400 (EDT) Original-Received: from jabberwock.cb.piermont.com (jabberwock.cb.piermont.com [10.160.2.107]) by snark.cb.piermont.com (Postfix) with ESMTP id 4BD642DEF07; Mon, 9 Jul 2018 20:02:28 -0400 (EDT) In-Reply-To: X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 166.84.7.14 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:227192 Archived-At: On Mon, 9 Jul 2018 14:33:17 +0100 Jimmy Yuen Ho Wong wrote: > > I see you=CA=BCre checking for TLS < 1.1. TLS 1.1 has its fair share of > > reported issues as well, perhaps we should check for < 1.2 (or we > > could put that on 'high). > > =20 >=20 > I thought about this, but there's no standard that bans TLS 1.1, nor > TLS client implementations that disabled it by default. Besides, all > the problems TLS 1.1 has is already checked by the other checks. > This reason I'm checking for TLS 1.0 is somewhat arbitrary, as all > the problems it has is already checked by other checks too. So > maybe even checking for 1.0 is already too strict, but PCI DSS does > ban it, so... Yes, this is the correct choice. 1.1 is too widely deployed. Not allowing 1.0 is quite reasonable, and it would be _nice_ to stop 1.1, but it would be too disruptive. We should do that only after the major browsers do the same. Perry --=20 Perry E. Metzger perry@piermont.com