From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Florian Weimer Newsgroups: gmane.emacs.devel Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL. Date: Thu, 23 Oct 2014 20:00:08 +0200 Message-ID: <87mw8mzmxj.fsf@mid.deneb.enyo.de> References: <20141022193441.GA11872@roeckx.be> <87zjcnj2k6.fsf@trouble.defaultvalue.org> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1414087243 5120 80.91.229.3 (23 Oct 2014 18:00:43 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Thu, 23 Oct 2014 18:00:43 +0000 (UTC) Cc: 766397@bugs.debian.org, 766397-forwarded@bugs.debian.org, kurt@roeckx.be, Rob Browning , emacs-devel@gnu.org To: rms@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Oct 23 20:00:34 2014 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1XhMgb-0003Je-3M for ged-emacs-devel@m.gmane.org; Thu, 23 Oct 2014 20:00:33 +0200 Original-Received: from localhost ([::1]:42664 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XhMga-0000gJ-Pc for ged-emacs-devel@m.gmane.org; Thu, 23 Oct 2014 14:00:32 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:46879) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XhMgS-0000fG-Hg for emacs-devel@gnu.org; Thu, 23 Oct 2014 14:00:30 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XhMgM-0004xA-Dw for emacs-devel@gnu.org; Thu, 23 Oct 2014 14:00:24 -0400 Original-Received: from albireo.enyo.de ([46.237.207.196]:34502) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XhMgF-0004tx-Rc; Thu, 23 Oct 2014 14:00:11 -0400 Original-Received: from [172.17.203.2] (helo=deneb.enyo.de) by albireo.enyo.de with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) id 1XhMgD-0004MS-5J; Thu, 23 Oct 2014 20:00:09 +0200 Original-Received: from fw by deneb.enyo.de with local (Exim 4.80) (envelope-from ) id 1XhMgC-0004MR-UH; Thu, 23 Oct 2014 20:00:08 +0200 In-Reply-To: (Richard Stallman's message of "Thu, 23 Oct 2014 12:34:38 -0400") X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x [generic] [fuzzy] X-Received-From: 46.237.207.196 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:175746 Archived-At: * Richard Stallman: > I've read that falling back to ssl3 is a real security hole, > being exploited frequently. That feature should be removed. GNUTLS automatically and securely upgrades to a TLS protocol if supported by the server. Dropping SSL 3.0 support altogether will only encourage unencrypted connections instead. Furthermore, SSL 3.0 is certainly not an ideal design, but neither is TLS 1.0. Only TLS 1.1 and later attempt to fix the padding issue, and support for those versions is still poor in servers. Fortunately, the padding issues are only exploitable under fairly narrow circumstances. Most applications (except web browsers) use SSL 3.0 in such a way that the attack described in the POODLE paper does not apply.