From: Eli Zaretskii <eliz@gnu.org>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: wyuenho@gmail.com, larsi@gnus.org, eggert@cs.ucla.edu,
rms@gnu.org, emacs-devel@gnu.org
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 07 Jul 2018 17:17:24 +0300
Message-ID: <83tvpbi0zv.fsf@gnu.org>
In-Reply-To: <20180707094622.6eff25bf@jabberwock.cb.piermont.com> (perry@piermont.com)

> Date: Sat, 7 Jul 2018 09:46:22 -0400
> From: "Perry E. Metzger" <perry@piermont.com>
> Cc: rms@gnu.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, larsi@gnus.org,
> wyuenho@gmail.com
>
> On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii <eliz@gnu.org> wrote:
> > > Date: Sat, 7 Jul 2018 08:18:33 -0400
> > > From: "Perry E. Metzger" <perry@piermont.com>
> > > Cc: Eli Zaretskii <eliz@gnu.org>, eggert@cs.ucla.edu,
> > > emacs-devel@gnu.org, larsi@gnus.org, wyuenho@gmail.com
> > >
> > > There is ample evidence that people in such situations rarely if
> > > ever understand what the right thing to do is.
> >
> > That doesn't necessarily mean we need to assume none of them will
> > understand that, if the considerations are explained in clear terms
> > that can be mapped to the user's environment.
>
> The difference between "none" and "under 5%" is so small as to be
> unimportant.

I don't know where you took that number. Any idea what is the
correlation between those 5% and the percentage of people who use
Emacs, btw?

> In tests, even with very careful explanations, only a
> really tiny fraction of users seem to make good decisions some of
> the time, and that's even when computer science undergraduates are the
> test subjects.

We are not talking about the same decisions in the same terms. Once
again, I suggest to re-read my comments to Jimmy's patches and the
following discussion.

> > And my personal experience definitely contradicts your "everyone"
> > claim: e.g., my home network is set up with several non-default
> > defenses, and so is my smartphone. Why should we assume a
> > significant part of Emacs users is in the "everyone" camp? They
> > did choose to use Emacs, didn't they?
>
> The difference between one person in a hundred and no one is so small
> for purposes of deciding on default behavior as to be unimportant.

I don't think your estimation of the percentage is accurate, wrt Emacs
users. They are not the typical mass user of computers.

> As for your own configuration, you're free to change the defaults any
> way you like, so why are you arguing anyway?

Because I think there are many others like me. I'm not special in any
way, neither in my Emacs usage patterns nor in how I approach
security.

> > You are entitled to your opinions
>
> These are not opinions. They're facts. They're based on decades of
> field experience and objective studies published in the academic
> literature. There is almost universal agreement among the
> studies, too -- there are no published outliers that I'm aware of.

I meant your opinions about how Emacs should design its
security-related UI and treat its users. They are definitely not
facts, because we are talking about something that doesn't yet exist,
so it couldn't be a subject of decades of studies.

> > but I don't agree that we should
> > design our defaults based on the assumption that we cannot expect
> > our users to make informed decisions.
>
> And this sets you apart from people who have worked in the field for
> decades, and from people who have done objective studies in the field.

Studies on Emacs users?

> I strongly suspect, by the way, that I could easily get you to make a
> bad security decision in a test environment. I don't trust myself to
> evaluate the origin of certificates in real time -- it's just too
> difficult to read an x.509 cert's contents and verify everything you
> need to (including the hash algorithms used in the entire chain,
> figuring out if the CA is one I should be expecting for this
> particular host, etc.) That is in spite of the fact that I've been
> doing this professionally for a very long time. I suspect I could
> easily cook up certs that you wouldn't be able to figure out, and
> that you would make the wrong decision if prompted to look at them.

You are completely missing the point. No one claimed we should expect
users to judge certificates.

> > > The other thing is, in spite of the constant claims, running with
> > > the level of security provided by Firefox or Chrome or Safari
> > > isn't the least bit inconvenient, so there's no obvious reason
> > > not to do at least _that_.
> >
> > One would think that those "constant claims" might just provide
> > such a reason.
>
> The only one making this claim is _you_.

My "claims" are facts. I see these issues every day, using mostly
Firefox and IE. I'd be surprised if I were the only one, because
there's nothing special in my setups.

> > Besides, we don't really follow what those browsers do,
>
> But we should. It's insane not to.

Please read Jimmy's comments on this, and respond to them if you want.