From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 9 Jul 2018 14:33:17 +0100
To: Emacs-Devel devel
Cc: Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms@gnu.org, "Perry E. Metzger"
References: <83o9g2uhju.fsf@gnu.org> <20180705115826.73c1d95e@jabberwock.cb.piermont.com> <83a7r4n5ht.fsf@gnu.org> <87lgaoaf2f.fsf@gmail.com> <877em7o09z.fsf@gmail.com> <87r2kcmu7q.fsf@gmail.com>
On Mon, Jul 9, 2018 at 2:09 PM Robert Pluim wrote:
>
> Jimmy Yuen Ho Wong writes:
>
> >> Is your work on a git branch somewhere?
> >
> > It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks
> >
> > Diff to master:
> > https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks
> >
> > You can just fork my fork and send over a PR.
> >
> > There's still a couple of things I need to do:
> >
> > 1. Implement `nsm-trust-local-network`
> > 2. Remove that change in src/gnutls.h not needed for bug#31946 (this
> > is from my OCSP stash still sitting on my machine)
>
> It needs either removing or making it work with earlier versions of GnuTLS:
>
> gnutls.c: In function ‘Fgnutls_peer_status’:
> gnutls.c:1353:22: error: ‘GNUTLS_CERT_MISSING_OCSP_STATUS’ undeclared (first use in this function)
>
> I have:
>
> pkg-config --modversion gnutls
> 3.4.10
>
> I think the OCSP stuff is 3.6.something.
>

Ah! Thank you! It's >= 3.5.1. I just pushed a change to fix this.

> > 3. Write some ert tests, but this should affect the doc effort
> > 4. I might throw in a few more checks to detect DHE-DSS key exchange
> > and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do
> > browsers, but I haven't been able to find much information about them
> > other than they are not used. There's a claim made that DSS key
> > exchange is just as bad as static RSA, but DHE-DSS is not the same as
> > DSS...
>
> I see youʼre checking for TLS < 1.1. TLS 1.1 has its fair share of
> reported issues as well, perhaps we should check for < 1.2 (or we
> could put that on 'high).
>

I thought about this, but there's no standard that bans TLS 1.1, nor TLS client implementations that disable it by default. Besides, all the problems TLS 1.1 has are already checked by the other checks. The reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the problems it has are already checked by other checks too. So maybe even checking for 1.0 is already too strict, but PCI DSS does ban it, so...
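As an added example, not code from Jimmy's branch or from Emacs's nsm.el: an NSM-style protocol-version check that flags TLS 1.0 at the 'medium level and TLS 1.1 at 'high, the option Robert raises above. It assumes a peer-status plist whose :protocol is a name string of the kind gnutls-peer-status returns ("TLS1.0" and so on); the function names are hypothetical and the statuses fed to it are constructed samples.

```elisp
;; Added example; hypothetical names, not Emacs's own nsm.el code.

(defun tls-version-from-protocol (protocol)
  "Return PROTOCOL's version as a float, e.g. \"TLS1.1\" -> 1.1.
SSL names map to 0.0 so they always fall below any TLS threshold;
anything else returns nil."
  (cond ((string-match "\\`TLS\\([0-9]+\\.[0-9]+\\)\\'" protocol)
         (string-to-number (match-string 1 protocol)))
        ((string-prefix-p "SSL" protocol) 0.0)
        (t nil)))

(defun nsm-example-protocol-check (host port status level)
  "Warn when STATUS's negotiated protocol is below the threshold for LEVEL.
STATUS is a plist with a :protocol string (constructed here to mirror
what `gnutls-peer-status' reports).  The threshold is TLS 1.1 at
`medium' (so TLS 1.0 is flagged) and TLS 1.2 at `high' (so TLS 1.1
is flagged too).  Returns a warning string, or nil when the
connection passes."
  (let* ((protocol (plist-get status :protocol))
         (version (and protocol (tls-version-from-protocol protocol)))
         (threshold (if (eq level 'high) 1.2 1.1)))
    (cond ((null version)
           ;; An unparsable protocol name is treated as a finding, not
           ;; silently accepted.
           (format "%s:%d uses an unrecognized protocol %S"
                   host port protocol))
          ((< version threshold)
           (format "%s:%d uses %s, which is below the %s-level minimum of TLS%.1f"
                   host port protocol level threshold))
          (t nil))))

;; Constructed sample statuses standing in for `gnutls-peer-status' output.
(nsm-example-protocol-check "example.test" 443 '(:protocol "TLS1.0") 'medium)
(nsm-example-protocol-check "example.test" 443 '(:protocol "TLS1.1") 'medium)
(nsm-example-protocol-check "example.test" 443 '(:protocol "TLS1.1") 'high)
(nsm-example-protocol-check "example.test" 443 '(:protocol "SSL3.0") 'medium)
```

Evaluating the four calls in turn yields a warning, nil, a warning, and a warning, which is the split between the two levels the thread is weighing.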