From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Lars Ingebrigtsen <larsi@gnus.org>
Newsgroups: gmane.emacs.devel
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 21:05:04 +0200
Message-ID: <87fue1v5lr.fsf@mouse>
References: <87o9sp7qok.fsf@gmail.com> <87zic9vk98.fsf@mouse>
	<87fue17mo5.fsf@gmail.com> <87tw2hvhob.fsf@mouse>
	<8760ex63hi.fsf@gmail.com>
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: blaine.gmane.org 1499886331 5484 195.159.176.226 (12 Jul 2017 19:05:31 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Wed, 12 Jul 2017 19:05:31 +0000 (UTC)
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Jul 12 21:05:24 2017
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by blaine.gmane.org with esmtp (Exim 4.84_2)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1dVMwn-0000k2-Ac
	for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 21:05:17 +0200
Original-Received: from localhost ([::1]:55283 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>)
	id 1dVMws-000762-SQ
	for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 15:05:22 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:57602)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <larsi@gnus.org>) id 1dVMwn-00074M-By
	for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:18 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <larsi@gnus.org>) id 1dVMwi-0003G3-DY
	for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:17 -0400
Original-Received: from hermes.netfonds.no ([80.91.224.195]:57997)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <larsi@gnus.org>) id 1dVMwi-0003BX-6l
	for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:12 -0400
Original-Received: from cm-84.209.243.26.getinternet.no ([84.209.243.26] helo=mouse)
	by hermes.netfonds.no with esmtpsa
	(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2)
	(envelope-from <larsi@gnus.org>) id 1dVMwa-0002mk-JP
	for emacs-devel@gnu.org; Wed, 12 Jul 2017 21:05:09 +0200
In-Reply-To: <8760ex63hi.fsf@gmail.com> (Robert Pluim's message of "Wed, 12
	Jul 2017 18:10:01 +0200")
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
	[fuzzy]
X-Received-From: 80.91.224.195
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-devel/>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Original-Sender: "Emacs-devel" <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Xref: news.gmane.org gmane.emacs.devel:216558
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/216558>

Robert Pluim <rpluim@gmail.com> writes:

> There is no refusal of access, just refusal of a specific protocol. If
> we implement your suggestion from below there won't even be refusal.

It is a refusal to access a resource because somebody has determined
that a specific protocol (HTTP + TLS1.0) is something that our users
shouldn't be able to use.

lists.gnu.org is, of course, just one example.

> I appreciate that's a strong opinion, but I definitely think we should
> strongly encourage people to move away from both of these protocols.

Encouragement is fine, but making our users switch to Firefox because of
this obsession with protocols isn't.

As more and more resources are being made available over encrypted
channels only, and as more and more of these (as a result of bad
maintenance and the like) get tagged as "invalid encryption", something
has to give.

It seems like the current movement is to just to start ignoring whether
protocols are outdated, use invalid certificates and the like, and just
tell the user "you tried to access this via a secure channel.  It's not,
but here's the content anyway".

I may be misremembering, but I think the new Chrome beta is going in
this direction: No explicit refusals to access anything, but just a big
red X in the menu bar saying "UNSAFE".  It is, you know, not less safe
than accessing via an unencrypted channel.

I think this is probably the way Emacs should consider moving, too, for
eww and package-list.  For other use, we may consider having the NSM
prompt the user for what to do with TLS1.0.  But probably not just yet.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no