From: Jimmy Yuen Ho Wong
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sun, 8 Jul 2018 18:25:49 +0100
To: Paul Eggert
Cc: Lars Ingebrigtsen, Emacs-Devel devel
References: <83o9g2uhju.fsf@gnu.org> <20180705115826.73c1d95e@jabberwock.cb.piermont.com> <878t6lom8g.fsf@mouse.gnus.org> <87pnzxn4kw.fsf@mouse.gnus.org> <06fdac3c-a773-2c98-ade1-a1b7dd2d34ce@cs.ucla.edu>
In-Reply-To: <06fdac3c-a773-2c98-ade1-a1b7dd2d34ce@cs.ucla.edu>
Xref: news.gmane.org gmane.emacs.devel:227116

On Sun, Jul 8, 2018 at 6:06 PM Paul Eggert wrote:
>
> Jimmy Yuen Ho Wong wrote:
> > If you are thinking about renaming the "Default" tag in
> > `gnutls-min-prime-bits`'s defcustom, don't. I will start doubting
> > whether you are doing this in good faith
>
> There's no need to be using ad hominem language like that. Assume that we are
> miscommunicating, as this is the obvious and most likely explanation for the
> behavior you're observing. Indulging in attacks will make your efforts less
> likely to succeed.

I have been quite lenient to everyone, as I'm trying to figure out a lot of things myself. But sometimes, when there's clearly no good reason to do something, but someone still insists on doing it, especially when it comes to security matters, you have to resort to the last resort, which is to start doubting whether you are dealing with a friend or an adversary. I would urge a little less stubbornness in changing some of the defaults.

If I've given the impression that setting `gnutls-min-prime-bits` to 256 will make the connection use a 256-bit prime, I apologize. I don't think I have done that since the very beginning of this thread, but I haven't clarified myself enough, so here's my sincere apology. I only believe this is a UI issue, which may have some security consequences.

The last thing I would suggest to Lars is: `gnutls-verify-error` will effectively bypass NSM, so please don't pretend NSM is the be-all and end-all layer for all matters related to Emacs' network security. It's not, not until you consent to removing or changing some of the standard values of the defcustoms in the 'gnutls group, or better yet, merge NSM and GnuTLS together and rename some of the 'gnutls group's options, i.e.

    (define-obsolete-variable-alias 'gnutls-verify-error 'nsm-bypass "27.1")

Better UI/UX/DX design is almost always preferable to documentation.