From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.org!.POSTED!not-for-mail
From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Fri, 6 Jul 2018 19:06:29 +0100
Message-ID:
References: <83o9g2uhju.fsf@gnu.org> <20180705115826.73c1d95e@jabberwock.cb.piermont.com> <83a7r4n5ht.fsf@gnu.org> <87lgaoaf2f.fsf@gmail.com>
In-Reply-To: <87lgaoaf2f.fsf@gmail.com>
Cc: Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms@gnu.org, "Perry E. Metzger"
To: Emacs-Devel devel
Xref: news.gmane.org gmane.emacs.devel:227019

> >> Same questions regarding a home network, separated from the outside
> >> world by a firewall.
>
> I have such a network at home. I also have family members who are not
> necessarily as aware of security issues as I am, and who also possess
> network connections that are not secured by my firewall.
>
> >> Why shouldn't Emacs cater to such use cases?
> >>
> >> On the other end, there are legitimate use cases where users might
> >> need to access sites and servers known in advance to be dangerous.
> >> Why shouldn't Emacs provide a 'paranoid' set of settings for such use
> >> cases?
>
> That I agree with, and thatʼs why I use 'paranoid', limited as it
> currently is.
>

I disagree that prompting for pretty much every TLS connection is a good idea. In security circles these days, there's such a thing known as "security fatigue". Overly troublesome security measures that don't take human psychology into account will lead to numbness. A side effect of that is users will simply start ignoring security warnings like they skip reading iTunes's EULA. This is an adverse unintended consequence that achieves the opposite of what we want to do here.

> >> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2
>
> That might be going a bit far, but I can certainly do that locally and
> see what happens.
>

As I've said, setting `gnutls-min-prime-bits` to nil simply means GnuTLS will negotiate the right number of DH bits on the user's behalf, starting from 1008 bits since 3.3.0.

>
> Documentation is good. Iʼll see if I can find some time to work on
> that.
>

Thanks for helping out :)