From: Eli Zaretskii <eliz@gnu.org>
To: Noam Postavsky <npostavs@gmail.com>
Cc: larsi@gnus.org, eggert@cs.ucla.edu, wyuenho@gmail.com,
emacs-devel@gnu.org
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 24 Jun 2018 17:23:53 +0300 [thread overview]
Message-ID: <83lgb4tg92.fsf@gnu.org> (raw)
In-Reply-To: <CAM-tV--iwqEJgQgijY4f_7uecXUGPLPPdU1-6mPh5DGAzu1Lpg@mail.gmail.com> (message from Noam Postavsky on Sat, 23 Jun 2018 18:28:15 -0400)
> From: Noam Postavsky <npostavs@gmail.com>
> Date: Sat, 23 Jun 2018 18:28:15 -0400
> Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, Paul Eggert <eggert@cs.ucla.edu>,
> Jimmy Yuen Ho Wong <wyuenho@gmail.com>, Emacs developers <emacs-devel@gnu.org>
>
> On 23 June 2018 at 02:40, Eli Zaretskii <eliz@gnu.org> wrote:
>
> >> Can we bump gnutls-min-prime-bits to 1024 on the release branch?
> >
> > No, I don't think so. Changing these settings needs a prolonged
> > testing period to uncover any subtle problems with non-conforming
> > servers that users must be able to access, and such testing is
> > unlikely to happen on emacs-26 before the next bug-fix release.
>
> I'm not sure what testing would be needed: if the connection to a
> server fails, the user sets the variable to the previous default.
If too many users will have to reset to previous defaults, then what
exactly did we accomplish, except annoying those users by having stuff
not work OOTB?
> Also, would this attack published in 2015 make a difference to the decision?
>
> https://weakdh.org/
> https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
>
> The Logjam attack allows a man-in-the-middle attacker to downgrade
> vulnerable TLS connections to 512-bit export-grade cryptography.
>
> RECOMMENDATIONS
>
> Server operators should disable DHE_EXPORT and configure DHE
> ciphersuites to use primes of 2048 bits or larger. Browsers
> and clients should raise the minimum accepted size for
> Diffie-Hellman groups to at least 1024 bits in order to avoid
> downgrade attacks when communicating with servers that still
> use smaller groups. Primes of less than 1024 bits should not
> be considered secure, even against an attacker with moderate
> resources.
Is this relevant to Emacs? Given the explanations by Lars here:
http://lists.gnu.org/archive/html/emacs-devel/2018-06/msg00736.html
having the GnuTLS related values low is by design, so that NSM (and
the users) could be in control of what is allowed, instead of silently
failing connections at a low level. Am I missing something?
next prev parent reply other threads:[~2018-06-24 14:23 UTC|newest]
Thread overview: 221+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-22 22:00 A couple of questions and concerns about Emacs network security Jimmy Yuen Ho Wong
2018-06-22 22:43 ` Paul Eggert
2018-06-22 23:21 ` Lars Ingebrigtsen
2018-06-22 23:33 ` Lars Ingebrigtsen
2018-06-23 1:35 ` Jimmy Yuen Ho Wong
2018-06-23 10:23 ` Lars Ingebrigtsen
2018-06-23 10:34 ` Lars Ingebrigtsen
2018-06-23 10:48 ` Jimmy Yuen Ho Wong
2018-06-23 11:32 ` Lars Ingebrigtsen
2018-06-23 11:55 ` Jimmy Yuen Ho Wong
2018-06-23 12:05 ` Lars Ingebrigtsen
2018-06-23 12:13 ` Eli Zaretskii
2018-06-23 12:15 ` Lars Ingebrigtsen
2018-06-23 12:26 ` Eli Zaretskii
2018-07-07 9:57 ` Eli Zaretskii
2018-07-08 14:01 ` Lars Ingebrigtsen
2018-07-08 14:53 ` Eli Zaretskii
2018-07-08 15:06 ` Lars Ingebrigtsen
2018-07-08 15:23 ` Eli Zaretskii
2018-06-23 12:45 ` Jimmy Yuen Ho Wong
2018-06-24 12:53 ` Lars Ingebrigtsen
2018-07-05 13:33 ` Perry E. Metzger
2018-07-05 13:49 ` Eli Zaretskii
2018-07-05 15:29 ` Perry E. Metzger
2018-07-05 18:55 ` Eli Zaretskii
2018-07-05 19:26 ` Paul Eggert
2018-07-05 19:35 ` Eli Zaretskii
2018-07-05 20:01 ` Eli Zaretskii
2018-07-06 17:03 ` Paul Eggert
2018-07-06 17:36 ` Eli Zaretskii
2018-07-06 18:15 ` Paul Eggert
2018-07-07 7:04 ` Eli Zaretskii
2018-07-07 10:30 ` Jimmy Yuen Ho Wong
2018-07-07 11:35 ` Eli Zaretskii
2018-07-05 20:46 ` Perry E. Metzger
2018-07-05 20:45 ` Perry E. Metzger
2018-07-06 6:29 ` Eli Zaretskii
2018-07-06 23:08 ` Richard Stallman
2018-07-07 12:18 ` Perry E. Metzger
2018-07-07 13:19 ` Eli Zaretskii
2018-07-07 13:46 ` Perry E. Metzger
2018-07-07 14:17 ` Eli Zaretskii
2018-07-07 15:25 ` Perry E. Metzger
2018-07-07 16:08 ` Eli Zaretskii
2018-07-07 23:46 ` Richard Stallman
2018-07-08 0:25 ` Perry E. Metzger
2018-07-08 2:44 ` Eli Zaretskii
2018-07-08 22:55 ` Richard Stallman
2018-07-07 14:32 ` Jimmy Yuen Ho Wong
2018-07-07 15:15 ` Perry E. Metzger
2018-07-07 15:39 ` Jimmy Yuen Ho Wong
2018-07-07 18:16 ` Paul Eggert
2018-07-07 23:03 ` Jimmy Yuen Ho Wong
2018-07-07 15:57 ` Eli Zaretskii
2018-07-07 23:45 ` Richard Stallman
2018-07-05 13:50 ` Jimmy Yuen Ho Wong
2018-07-05 15:30 ` Perry E. Metzger
2018-07-05 15:36 ` Stefan Monnier
2018-07-05 16:05 ` Perry E. Metzger
2018-07-05 22:44 ` Richard Stallman
2018-07-06 6:01 ` Eli Zaretskii
2018-06-23 0:00 ` Paul Eggert
2018-06-23 0:10 ` Stefan Monnier
2018-06-23 9:57 ` Lars Ingebrigtsen
2018-06-23 2:17 ` Noam Postavsky
2018-06-23 6:40 ` Eli Zaretskii
2018-06-23 10:21 ` Jimmy Yuen Ho Wong
2018-06-23 11:26 ` Eli Zaretskii
2018-06-23 22:28 ` Noam Postavsky
2018-06-24 14:23 ` Eli Zaretskii [this message]
2018-06-24 14:34 ` Lars Ingebrigtsen
2018-06-24 14:48 ` Noam Postavsky
2018-06-24 15:30 ` Eli Zaretskii
2018-06-24 16:57 ` Lars Ingebrigtsen
2018-06-24 17:10 ` Jimmy Yuen Ho Wong
2018-06-24 17:39 ` Lars Ingebrigtsen
2018-06-24 18:29 ` Jimmy Yuen Ho Wong
2018-06-24 18:51 ` Eli Zaretskii
2018-06-24 21:30 ` Jimmy Yuen Ho Wong
2018-06-25 1:25 ` Van L
2018-06-25 2:28 ` Jimmy Yuen Ho Wong
2018-06-25 2:38 ` Jimmy Yuen Ho Wong
2018-06-25 17:16 ` Eli Zaretskii
2018-06-25 17:25 ` Jimmy Yuen Ho Wong
2018-06-25 18:06 ` Jimmy Yuen Ho Wong
2018-06-24 20:58 ` Lars Ingebrigtsen
2018-06-24 21:07 ` Lars Ingebrigtsen
2018-06-24 22:47 ` Jimmy Yuen Ho Wong
2018-06-25 0:04 ` Lars Ingebrigtsen
2018-06-25 0:33 ` Noam Postavsky
2018-06-25 0:36 ` Lars Ingebrigtsen
2018-06-24 21:28 ` Noam Postavsky
2018-06-24 21:57 ` Lars Ingebrigtsen
2018-06-25 16:06 ` Eli Zaretskii
2018-06-25 16:29 ` Jimmy Yuen Ho Wong
2018-06-25 16:58 ` Lars Ingebrigtsen
2018-06-25 17:08 ` Jimmy Yuen Ho Wong
2018-06-25 17:18 ` Eli Zaretskii
2018-06-30 17:40 ` Jimmy Yuen Ho Wong
2018-06-30 18:04 ` Eli Zaretskii
2018-06-25 17:09 ` Eli Zaretskii
2018-06-25 17:17 ` Eli Zaretskii
2018-06-25 16:55 ` Lars Ingebrigtsen
2018-06-25 17:06 ` Eli Zaretskii
2018-06-25 17:20 ` Jimmy Yuen Ho Wong
2018-06-25 17:33 ` Lars Ingebrigtsen
2018-07-05 15:52 ` Perry E. Metzger
2018-07-05 15:58 ` Jimmy Yuen Ho Wong
2018-07-05 16:36 ` Perry E. Metzger
2018-07-05 16:51 ` Jimmy Yuen Ho Wong
2018-07-05 18:25 ` Perry E. Metzger
2018-07-05 18:32 ` Eli Zaretskii
2018-07-05 18:43 ` Noam Postavsky
2018-07-05 20:31 ` Perry E. Metzger
2018-07-08 11:43 ` Lars Ingebrigtsen
2018-07-08 14:48 ` Eli Zaretskii
2018-07-06 9:01 ` Eli Zaretskii
2018-07-05 15:33 ` Perry E. Metzger
2018-07-05 18:58 ` Eli Zaretskii
2018-07-06 8:36 ` Robert Pluim
2018-07-06 8:49 ` Eli Zaretskii
2018-07-06 9:35 ` Robert Pluim
2018-07-06 12:32 ` Eli Zaretskii
2018-07-06 12:52 ` Robert Pluim
2018-07-06 13:31 ` Eli Zaretskii
2018-07-06 9:45 ` Stephen Berman
2018-07-06 12:41 ` Eli Zaretskii
2018-07-06 13:50 ` Stephen Berman
2018-07-07 7:15 ` martin rudalics
2018-07-07 12:22 ` Stephen Berman
2018-07-07 13:22 ` Eli Zaretskii
2018-07-07 13:47 ` Stephen Berman
2018-07-08 8:11 ` martin rudalics
2018-07-05 15:10 ` Perry E. Metzger
2018-06-23 6:45 ` Eli Zaretskii
2018-06-23 10:34 ` Jimmy Yuen Ho Wong
2018-07-05 15:58 ` Perry E. Metzger
2018-07-05 19:20 ` Paul Eggert
2018-07-05 20:46 ` Perry E. Metzger
2018-07-05 22:44 ` Richard Stallman
2018-07-06 6:42 ` Jimmy Yuen Ho Wong
2018-07-06 8:16 ` Eli Zaretskii
2018-07-06 9:28 ` Robert Pluim
2018-07-06 13:18 ` Eli Zaretskii
2018-07-06 18:06 ` Jimmy Yuen Ho Wong
2018-07-06 18:48 ` Perry E. Metzger
2018-07-07 7:02 ` Eli Zaretskii
2018-07-07 9:36 ` Robert Pluim
2018-07-07 9:59 ` Jimmy Yuen Ho Wong
2018-07-07 10:01 ` Jimmy Yuen Ho Wong
2018-07-07 21:44 ` Ted Zlatanov
2018-07-07 21:59 ` Paul Eggert
2018-07-07 22:11 ` Jimmy Yuen Ho Wong
2018-07-09 23:09 ` Ted Zlatanov
2018-07-10 18:20 ` Jimmy Yuen Ho Wong
2018-07-10 18:36 ` Eli Zaretskii
2018-07-10 18:40 ` Jimmy Yuen Ho Wong
2018-07-10 18:58 ` Eli Zaretskii
2018-07-13 20:50 ` Jimmy Yuen Ho Wong
2018-07-14 6:37 ` Eli Zaretskii
2018-07-14 17:18 ` Jimmy Yuen Ho Wong
2018-07-14 18:25 ` Eli Zaretskii
2018-07-07 22:13 ` Jimmy Yuen Ho Wong
2018-07-09 13:09 ` Robert Pluim
2018-07-09 13:33 ` Jimmy Yuen Ho Wong
2018-07-09 13:43 ` Lars Ingebrigtsen
2018-07-09 13:49 ` Jimmy Yuen Ho Wong
2018-07-09 17:15 ` Eli Zaretskii
2018-07-09 17:24 ` Jimmy Yuen Ho Wong
2018-07-10 0:06 ` Perry E. Metzger
2018-07-10 0:03 ` Perry E. Metzger
2018-07-10 0:02 ` Perry E. Metzger
2018-07-06 13:03 ` Jimmy Yuen Ho Wong
2018-07-06 14:06 ` Eli Zaretskii
2018-07-06 21:24 ` Jimmy Yuen Ho Wong
2018-07-07 7:55 ` Eli Zaretskii
2018-07-08 14:06 ` Lars Ingebrigtsen
2018-07-08 14:54 ` Jimmy Yuen Ho Wong
2018-07-08 15:13 ` Lars Ingebrigtsen
2018-07-08 16:56 ` Jimmy Yuen Ho Wong
2018-07-08 17:06 ` Paul Eggert
2018-07-08 17:25 ` Jimmy Yuen Ho Wong
2018-07-08 17:53 ` Lars Ingebrigtsen
2018-07-08 18:54 ` Jimmy Yuen Ho Wong
2018-07-08 19:30 ` Lars Ingebrigtsen
2018-07-08 19:32 ` Jimmy Yuen Ho Wong
2018-07-08 22:56 ` Richard Stallman
2018-07-08 17:47 ` Lars Ingebrigtsen
2018-07-08 18:10 ` Eli Zaretskii
2018-07-08 18:12 ` Jimmy Yuen Ho Wong
2018-07-08 18:26 ` Eli Zaretskii
2018-07-08 18:39 ` Lars Ingebrigtsen
2018-07-08 18:53 ` Eli Zaretskii
2018-07-08 19:22 ` Jimmy Yuen Ho Wong
2018-07-09 16:57 ` Eli Zaretskii
2018-07-09 17:17 ` Jimmy Yuen Ho Wong
2018-07-09 17:36 ` Jimmy Yuen Ho Wong
2018-07-09 17:38 ` Jimmy Yuen Ho Wong
2018-07-09 18:04 ` Eli Zaretskii
2018-07-09 18:10 ` Jimmy Yuen Ho Wong
2018-07-09 18:33 ` Eli Zaretskii
2018-07-09 18:47 ` Jimmy Yuen Ho Wong
2018-07-10 16:10 ` Eli Zaretskii
2018-07-08 19:28 ` Lars Ingebrigtsen
2018-07-08 19:31 ` Jimmy Yuen Ho Wong
2018-07-09 17:04 ` Eli Zaretskii
2018-07-09 17:02 ` Eli Zaretskii
2018-07-09 17:09 ` Jimmy Yuen Ho Wong
2018-07-09 15:29 ` Jimmy Yuen Ho Wong
2018-07-09 16:35 ` Robert Pluim
2018-07-08 18:31 ` Jimmy Yuen Ho Wong
2018-07-08 18:42 ` Lars Ingebrigtsen
2018-07-08 19:28 ` Jimmy Yuen Ho Wong
2018-07-08 17:53 ` Eli Zaretskii
2018-07-08 19:16 ` Jimmy Yuen Ho Wong
2018-07-08 14:55 ` Eli Zaretskii
2018-07-08 14:58 ` Jimmy Yuen Ho Wong
2018-07-08 15:18 ` Eli Zaretskii
2018-07-08 15:16 ` Lars Ingebrigtsen
2018-07-06 16:53 ` Paul Eggert
2018-07-06 23:11 ` Richard Stallman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=83lgb4tg92.fsf@gnu.org \
--to=eliz@gnu.org \
--cc=eggert@cs.ucla.edu \
--cc=emacs-devel@gnu.org \
--cc=larsi@gnus.org \
--cc=npostavs@gmail.com \
--cc=wyuenho@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).