From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Network security manager
Date: Tue, 18 Nov 2014 00:26:17 +0100
References: <85a93pj1n5.fsf@stephe-leake.org>
To: emacs-devel@gnu.org

There's one slight privacy leak in the security manager. To keep track
of STARTTLS man-in-the-middle downgrades, nsm needs to store data on all
STARTTLS connections you've made. A wily hacker (I mean, the NSA) could
use this file to determine what servers you've been talking to.

The ~/.emacs.d/network-security.data will have things like

    (:id "sha1:ac7feb949147490ee549b5b6c3ae7edd929ea335" :fingerprint "sha1:c0:ec:2f:01:6c:ff:4a:43:c1:a7:c7:83:4b:48:0b:3a:c5:4e:90:f9")

in it, where the :id is the sha1 of "host:port", and the latter is the
fingerprint of the certificate.

The wily hacker (I mean, the NSA) wouldn't find it easy to get a list of
the servers (because they would have to check all servers/port names in
existence), but they could use it to check for specific servers.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
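
The lookup property described in the message above, as an added example that is not part of the original post or of nsm's code: an unkeyed SHA-1 of "host:port" lets anyone holding the file confirm a guessed server, while a keyed id does not. The host names, the key, and the `keyed_id` variant are constructed assumptions, not something nsm implements.

```python
import hashlib
import hmac
import re

def nsm_style_id(host, port):
    # Unkeyed id as the post describes it: "sha1:" + SHA-1 of "host:port".
    return "sha1:" + hashlib.sha1(f"{host}:{port}".encode()).hexdigest()

def keyed_id(key, host, port):
    # Hypothetical alternative, not nsm's format: HMAC under a local secret
    # that would have to be stored apart from the data file.
    mac = hmac.new(key, f"{host}:{port}".encode(), hashlib.sha256)
    return "hmac-sha256:" + mac.hexdigest()

def stored_ids(data_text):
    # Extract the :id strings from plist-style entries like the one quoted above.
    return set(re.findall(r'\(:id\s+"([^"]+)"', data_text))

def confirmable(data_text, candidates, id_fn):
    # Candidate (host, port) pairs whose computed id is present in the file.
    ids = stored_ids(data_text)
    return [(h, p) for h, p in candidates if id_fn(h, p) in ids]

def make_file(visited, id_fn):
    # Constructed file content; the fingerprint is a placeholder value.
    fp = "sha1:" + ":".join(["00"] * 20)
    return "\n".join(
        f'(:id "{id_fn(h, p)}" :fingerprint "{fp}")' for h, p in visited)

# Constructed sample data: servers "visited" and names someone wants to test.
VISITED = [("mail.example.org", 25), ("imap.example.net", 143)]
CANDIDATES = [("mail.example.org", 25), ("smtp.example.com", 587),
              ("imap.example.net", 993)]
KEY = b"constructed-local-secret"

def demo():
    plain = make_file(VISITED, nsm_style_id)
    keyed = make_file(VISITED, lambda h, p: keyed_id(KEY, h, p))
    return {
        # The file alone is enough to confirm a guessed host:port.
        "plain": confirmable(plain, CANDIDATES, nsm_style_id),
        # Same guesses against keyed ids with a wrong key: nothing matches.
        "keyed_wrong_key": confirmable(
            keyed, CANDIDATES, lambda h, p: keyed_id(b"wrong-guess", h, p)),
        # The owner, holding the key, can still look entries up.
        "keyed_with_key": confirmable(
            keyed, CANDIDATES, lambda h, p: keyed_id(KEY, h, p)),
    }

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Note that `imap.example.net:993` is not confirmed even though port 143 on the same host was visited, because the port is part of the hashed string.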