From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Network security manager
Date: Tue, 18 Nov 2014 20:45:17 +0100
References: <85a93pj1n5.fsf@stephe-leake.org> <87sihg7r73.fsf@alrua-karlstad.karlstad.toke.dk>
To: Toke Høiland-Jørgensen
Cc: Emacs development discussions
In-Reply-To: <87sihg7r73.fsf@alrua-karlstad.karlstad.toke.dk> (Toke Høiland-Jørgensen's message of "Tue, 18 Nov 2014 11:12:32 +0100")

Toke Høiland-Jørgensen writes:

> Lars Magne Ingebrigtsen writes:
>
>> But here's the feedback I need:
>
> Haven't tested the code, but feel like I can weigh in on some of this:
>
>>   if (verification & GNUTLS_CERT_INVALID)
>>     warnings = Fcons (list2 (intern (":invalid"),
>
> As far as I can tell from the GnuTLS example code, this is a flag that
> GnuTLS sets when a cert is not trusted, rather than when it's malformed
> (as I would have guessed from the name)? I.e. it doesn't ever appear on
> its own?

Ah, right, so it's a general catch-all that's set in addition to other
flags?

>>   if (verification & GNUTLS_CERT_REVOKED)
>>     warnings = Fcons (list2 (intern (":revoked"),
>
> This should probably be treated as fairly suspicious; since if the cert
> has been explicitly revoked, there's probably a reason (not sure how
> GnuTLS determines this second one; does it do OCSP revocation checks?).
> So carrying on would probably be... ill-advised. Perhaps by default fail
> this completely (rather than ask), and optionally have a variable option
> to override it?

I don't see why we shouldn't ask. The user should be able to decide
without setting variables.

>>   if (verification & GNUTLS_CERT_SIGNER_NOT_FOUND)
>>     warnings = Fcons (list2 (intern (":signer-not-found"),
>>   if (verification & GNUTLS_CERT_SIGNER_NOT_CA)
>>     warnings = Fcons (list2 (intern (":self-signed"),
>
> Not sure which of these would indicate the common self-signed case?
> Could probably be both...

Yeah, that's what I'm mainly wondering about.
>>   if (verification & GNUTLS_CERT_NOT_ACTIVATED)
>>     warnings = Fcons (list2 (intern (":not-activated"),
>
> This would probably be an issue with the clock?
>
>>   if (verification & GNUTLS_CERT_EXPIRED)
>>     warnings = Fcons (list2 (intern (":expired"),
>
> I would expect this to be mostly benign (someone forgot to replace a
> cert), but can also indicate someone stole an old cert and is using it
> to MITM...

Yup.

> However, in terms of UI we might be able to do a bit better. I'd advise
> taking a look at the Certificate Patrol Firefox extension
> (http://patrol.psyced.org/), which does some heuristics to determine if
> a changed certificate is benign or not. The main thing it does is to
> look at the expiration date of the stored certificate; if that is
> expired (or close to being), and the new certificate has the same CA as
> the old one, it pops up a notice and continues.

Interesting. It does this even if the new certificate is valid? To
mitigate against rogue CAs?

The NSM will also warn about new certificates if the user has switched
to `paranoid', but it doesn't compare old and new CAs and stuff.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
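As an added illustration (not code from Emacs's gnutls.c or nsm.el, and not from either poster), the C below sketches how the verification bits discussed in the thread could become warning keywords and a UI verdict, plus the Certificate Patrol renewal heuristic Toke describes. It assumes constructed stand-in bit values for the GnuTLS flags, treats `:invalid` as a catch-all that is only reported when no specific bit explains it, and makes the refuse-on-revoked policy and the `grace_days` window parameters rather than fixed choices.

```c
#include <string.h>
#include <time.h>
/* Constructed stand-ins for the gnutls_certificate_status_t bits named in
 * the thread; real code includes <gnutls/gnutls.h> and uses its enum. */
enum {
  CERT_INVALID          = 1 << 1,   /* catch-all, set alongside a specific bit */
  CERT_REVOKED          = 1 << 5,
  CERT_SIGNER_NOT_FOUND = 1 << 6,   /* issuer not in the trust store */
  CERT_SIGNER_NOT_CA    = 1 << 7,   /* issuer is not a CA: the self-signed case */
  CERT_NOT_ACTIVATED    = 1 << 9,   /* notBefore in the future, often clock skew */
  CERT_EXPIRED          = 1 << 10
};

enum verdict { NSM_CONTINUE, NSM_ASK, NSM_REFUSE };
/* Fill `out` with the warning keywords for `status` and return the count.
 * `:invalid` is reported only when no specific bit explains it (assumption). */
int cert_warnings(unsigned status, const char **out, int max)
{
  static const struct { unsigned bit; const char *name; } table[] = {
    { CERT_REVOKED,          ":revoked" },
    { CERT_SIGNER_NOT_FOUND, ":signer-not-found" },
    { CERT_SIGNER_NOT_CA,    ":self-signed" },
    { CERT_NOT_ACTIVATED,    ":not-activated" },
    { CERT_EXPIRED,          ":expired" },
  };
  int n = 0;
  for (size_t i = 0; i < sizeof table / sizeof table[0] && n < max; i++)
    if (status & table[i].bit)
      out[n++] = table[i].name;
  if (n == 0 && (status & CERT_INVALID) && max > 0)
    out[n++] = ":invalid";
  return n;
}

/* A revoked certificate is refused outright when `refuse_revoked` is set
 * (the stricter option from the thread); any other problem asks the user. */
enum verdict nsm_verdict(unsigned status, int refuse_revoked)
{
  if (refuse_revoked && (status & CERT_REVOKED))
    return NSM_REFUSE;
  return status ? NSM_ASK : NSM_CONTINUE;
}

/* Certificate Patrol style check for a changed certificate: a renewal is
 * routine if the stored cert has expired or expires within `grace_days`
 * and the issuer is unchanged; anything else deserves the full warning. */
int benign_rotation(time_t old_expiry, time_t now, int same_issuer, int grace_days)
{
  return same_issuer && old_expiry - now <= (time_t) grace_days * 86400;
}
```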