unofficial mirror of emacs-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Getting SSL test A+ grade on elpa.gnu.org
@ 2020-11-25 15:11 김민우
  2020-11-25 17:04 ` Robert Pluim
  2020-11-25 17:38 ` Vasilij Schneidermann
  0 siblings, 2 replies; 7+ messages in thread
From: 김민우 @ 2020-11-25 15:11 UTC (permalink / raw)
  To: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 383 bytes --]

elpa.gnu.org is supporting insecure TLS 1.0 and TLS 1.1, and does not
support Forward Secrecy on every device, so It got a B grade on Qualys
Labs' SSL Test (
https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&s=209.51.188.89&latest).
It could have a bad effect on security and privacy for emacs users. Would
you apply only TLS 1.3 on elpa.gnu.org?

King Regards,
Minwoo Kim

[-- Attachment #2: Type: text/html, Size: 638 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 15:11 Getting SSL test A+ grade on elpa.gnu.org 김민우
@ 2020-11-25 17:04 ` Robert Pluim
  2020-11-26  6:21   ` 김민우
  2020-11-25 17:38 ` Vasilij Schneidermann
  1 sibling, 1 reply; 7+ messages in thread
From: Robert Pluim @ 2020-11-25 17:04 UTC (permalink / raw)
  To: 김민우; +Cc: emacs-devel

김민우 <kmwyard@gmail.com> writes:

> elpa.gnu.org is supporting insecure TLS 1.0 and TLS 1.1, and does not
> support Forward Secrecy on every device, so It got a B grade on Qualys
> Labs' SSL Test (
> https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&s=209.51.188.89&latest).
> It could have a bad effect on security and privacy for emacs users. Would
> you apply only TLS 1.3 on elpa.gnu.org?

*only* TLS 1.3 would be a bit harsh, I think.

Robert



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 15:11 Getting SSL test A+ grade on elpa.gnu.org 김민우
  2020-11-25 17:04 ` Robert Pluim
@ 2020-11-25 17:38 ` Vasilij Schneidermann
  2020-11-25 17:51   ` Robert Pluim
  1 sibling, 1 reply; 7+ messages in thread
From: Vasilij Schneidermann @ 2020-11-25 17:38 UTC (permalink / raw)
  To: 김민우; +Cc: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 741 bytes --]

> It could have a bad effect on security and privacy for emacs users. Would
> you apply only TLS 1.3 on elpa.gnu.org?

ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
successfully establish a connection to GNU ELPA?

Another thing to watch out for is the cipher suites. To reach a good
rating several of them need to be disabled and extensive testing is
required to ensure that we don't exclude users from fetching packages
for no apparent reason.

Something else I'm curious about, what exactly blocks us from forcing a
HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
widely used Emacs version or are there others?

Vasilij

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 17:38 ` Vasilij Schneidermann
@ 2020-11-25 17:51   ` Robert Pluim
  2020-11-25 18:10     ` Vasilij Schneidermann
  0 siblings, 1 reply; 7+ messages in thread
From: Robert Pluim @ 2020-11-25 17:51 UTC (permalink / raw)
  To: 김민우; +Cc: emacs-devel

Vasilij Schneidermann <mail@vasilij.de> writes:

>> It could have a bad effect on security and privacy for emacs users. Would
>> you apply only TLS 1.3 on elpa.gnu.org?
>
> ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
> TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
> successfully establish a connection to GNU ELPA?

Right

> Another thing to watch out for is the cipher suites. To reach a good
> rating several of them need to be disabled and extensive testing is
> required to ensure that we don't exclude users from fetching packages
> for no apparent reason.

The impression I get is that reordering the cipher suite list to put
the weak ones at the end might be enough to improve the score. That
shouldn't create any compatibility issues (and is a good idea
regardless of just 'improving our score').

> Something else I'm curious about, what exactly blocks us from forcing a
> HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
> widely used Emacs version or are there others?

Are you sure that all the versions of Emacs that connect to
elpa.gnu.org work correctly in the face of such a redirect? What about
versions that donʼt support https?

Robert



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 17:51   ` Robert Pluim
@ 2020-11-25 18:10     ` Vasilij Schneidermann
  2020-11-25 18:52       ` Stefan Monnier
  0 siblings, 1 reply; 7+ messages in thread
From: Vasilij Schneidermann @ 2020-11-25 18:10 UTC (permalink / raw)
  To: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

> Are you sure that all the versions of Emacs that connect to
> elpa.gnu.org work correctly in the face of such a redirect? What about
> versions that donʼt support https?

I chose 26.1 as possible cut-off point as it defaults to building with
gnutls. Analysis of the GNU ELPA logs should show the percentages of
each Emacs version used. Once the percentage of requests from Emacs
versions below 26.1 drops to 1% or so, measures to stop supporting them
could be considered, such as forcing HTTPS usage.

Vasilij

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 18:10     ` Vasilij Schneidermann
@ 2020-11-25 18:52       ` Stefan Monnier
  0 siblings, 0 replies; 7+ messages in thread
From: Stefan Monnier @ 2020-11-25 18:52 UTC (permalink / raw)
  To: emacs-devel

> I chose 26.1 as possible cut-off point as it defaults to building with
> gnutls. Analysis of the GNU ELPA logs should show the percentages of
> each Emacs version used. Once the percentage of requests from Emacs
> versions below 26.1 drops to 1% or so, measures to stop supporting them
> could be considered, such as forcing HTTPS usage.

Emacsen built with libgnutls should already automatically use https, so
a redirect wouldn't be useful for them, AFAICT.  IOW the redirect would
only be useful for people browsing elpa.gnu.org rather than for
connection from package.el.


        Stefan




^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Getting SSL test A+ grade on elpa.gnu.org
  2020-11-25 17:04 ` Robert Pluim
@ 2020-11-26  6:21   ` 김민우
  0 siblings, 0 replies; 7+ messages in thread
From: 김민우 @ 2020-11-26  6:21 UTC (permalink / raw)
  To: emacs-devel

[-- Attachment #1: Type: text/plain, Size: 1123 bytes --]

>
> > elpa.gnu.org is supporting insecure TLS 1.0 and TLS 1.1, and does not
> > support Forward Secrecy on every device, so It got a B grade on Qualys
> > Labs' SSL Test (
> >
> https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&s=209.51.188.89&latest
> ).
> > It could have a bad effect on security and privacy for emacs users. Would
>

> you apply only TLS 1.3 on elpa.gnu.org?
>
*only* TLS 1.3 would be a bit harsh, I think.
>
If so,  At least we should deprecate TLS 1.1 and TLS 1.0 on elpa.gnu.org

2020년 11월 26일 (목) 오전 2:04, Robert Pluim <rpluim@gmail.com>님이 작성:

> 김민우 <kmwyard@gmail.com> writes:
>
> > elpa.gnu.org is supporting insecure TLS 1.0 and TLS 1.1, and does not
> > support Forward Secrecy on every device, so It got a B grade on Qualys
> > Labs' SSL Test (
> >
> https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org&s=209.51.188.89&latest
> ).
> > It could have a bad effect on security and privacy for emacs users. Would
> > you apply only TLS 1.3 on elpa.gnu.org?
>
> *only* TLS 1.3 would be a bit harsh, I think.
>
> Robert
>

[-- Attachment #2: Type: text/html, Size: 2657 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2020-11-26  6:21 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-11-25 15:11 Getting SSL test A+ grade on elpa.gnu.org 김민우
2020-11-25 17:04 ` Robert Pluim
2020-11-26  6:21   ` 김민우
2020-11-25 17:38 ` Vasilij Schneidermann
2020-11-25 17:51   ` Robert Pluim
2020-11-25 18:10     ` Vasilij Schneidermann
2020-11-25 18:52       ` Stefan Monnier

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).