Re: User interface to bad certificate warning -- how to use?

Re: User interface to bad certificate warning -- how to use?

[Lars Magne Ingebrigtsen]

nljlistbox2@gmail.com (N. Jackson) writes:

> The warning is shown in a help window while simultaneously there is a
> prompt displayed in the minibuffer:
>
>     Continue connecting? (No, Session only, Always)
>
> Is the user intended to type in the full text of their choice or the
> first letter or what? If the first letter, must it be capitalised as
> shown?

I think the standard in Emacs is to use capitalisation to say what
characters you're supposed to hit.

> The prompt seems to disappear when _any_ key is pressed; for
> example I tried to copy the prompt to the clipboard and it disappeared
> when I started to select it -- I've no idea which of the three choices
> it decided I had entered. This seems rather surprising behaviour for the
> minibuffer.

I don't think that's what happened.  When you tried selecting the text,
you probably ended up aborting the function, just as if you'd hit `C-g'.

> After the prompt is gone, the help window remains but the buffer itself
> is gone. This seems to be rather the opposite of what would be useful.
> Wouldn't it be better if the buffer with the details about the
> problematic certificate persisted and the help window was closed?

The help window should have gone away.  Please report this as a bug with
`M-x report-emacs-bug'.

> Furthermore, the information in the help buffer is in a confusing order:
>
>     Certificate information
>     Issued by:          imap.example.com
>     Issued to:          IMAP server
>     Hostname:           imap.example.com
>     Public key:         RSA, signature: RSA-SHA1
>     Protocol:           TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
>     Security level:     Low
>     Valid:              From 2013-09-07 to 2014-09-07
>
>     The TLS connection to localhost:993 is insecure for the following
>     reasons:
>
>     certificate signer was not found (self-signed)
>     certificate host does not match hostname
>     certificate has expired
>     the certificate was signed by an unknown and therefore untrusted authority
>     certificate could not be verified
>
> Would it not be better if the statement of the problem "The TLS
> connection ... is insecure" came first, and the detailed certificate
> information came at the end.

Yeah, that might be better...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: User interface to bad certificate warning -- how to use?

[N. Jackson]

Thank you for your response Lars.

At 06:02 +0100 on Monday 2016-02-01, Lars Magne Ingebrigtsen wrote:

> nljlistbox2@gmail.com (N. Jackson) writes:
>
>> Is the user intended to type in the full text of their choice or the
>> first letter or what?
>
> I think the standard in Emacs is to use capitalisation to say what
> characters you're supposed to hit.

I should probably know that. I just don't see prompts to choose between
options very often, so I wasn't sure.

>> The prompt seems to disappear when _any_ key is pressed
>
> I don't think that's what happened.  When you tried selecting the text,
> you probably ended up aborting the function, just as if you'd hit `C-g'.

On further investigation, some invalid key presses (such as `z')
correctly result in a followup prompt, but other invalid key presses
(such as the arrow keys) result in the prompt silently disappearing.
I've opened bug#22530 for this.

I'm not sure what aborting the function would mean here. Is it the same
as responding `n' to the prompt (i.e. don't continue connecting to the
insecure server)? From the user's perspective, the command just issued
was `M-x gnus', so if it were aborted Gnus "shouldn't" start. It's a bit
fuzzy. Probably best though, if it didn't abort unless the user pressed
`C-g'.

>> After the prompt is gone, the help window remains

> The help window should have gone away.  Please report this as a bug with
> `M-x report-emacs-bug'.

This is now bug#22532.

Re: User interface to bad certificate warning -- how to use?

[Lars Magne Ingebrigtsen]

nljlistbox2@gmail.com (N. Jackson) writes:

> I'm not sure what aborting the function would mean here. Is it the same
> as responding `n' to the prompt (i.e. don't continue connecting to the
> insecure server)? From the user's perspective, the command just issued
> was `M-x gnus', so if it were aborted Gnus "shouldn't" start. It's a bit
> fuzzy. Probably best though, if it didn't abort unless the user pressed
> `C-g'.

Well...  you can abort most anything with `C-g'.  And it means "stop
whatever it is that you're doing".  It might make sense to interpret it
as "no" and carry on, but it would be rather unusual.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: User interface to bad certificate warning -- how to use?

[N. Jackson]

At 04:57 +0100 on Tuesday 2016-02-02, Lars Magne Ingebrigtsen wrote:

> nljlistbox2@gmail.com (N. Jackson) writes:
>
>> I'm not sure what aborting the function would mean here. Is it the same
>> as responding `n' to the prompt (i.e. don't continue connecting to the
>> insecure server)? From the user's perspective, the command just issued
>> was `M-x gnus', so if it were aborted Gnus "shouldn't" start. It's a bit
>> fuzzy. Probably best though, if it didn't abort unless the user pressed
>> `C-g'.
>
> Well...  you can abort most anything with `C-g'.  And it means "stop
> whatever it is that you're doing".  It might make sense to interpret it
> as "no" and carry on, but it would be rather unusual.

Just following up for completeness:

Hitting `n', hitting some invalid keys (such as cursor movement keys),
and hitting `C-g' in response to the

    Continue connecting? (No, Session only, Always) 

prompt, _all__ seem to result in the same behaviour. Gnus starts but
there is no connection made to the insecure server.

This seems to be a safe interpretation of `C-g', but its a bit
unexpected for invalid key presses.

User interface to bad certificate warning -- how to use?

[N. Jackson]

In the pre-release for Emacs 25 (25.0.90) I get a warning message when
Gnus tries to connect to my local Dovecot IMAP server. The warning
message correctly states that "The TLS connection to localhost:993 is
insecure ..." because I have a self-signed certificate (among other
problems with it).

I'm very happy that this functionality is now in Emacs.

My question is about how the user is intended to interact with this
warning, since there are several rather confusing things about it.

The warning is shown in a help window while simultaneously there is a
prompt displayed in the minibuffer:

    Continue connecting? (No, Session only, Always)

Is the user intended to type in the full text of their choice or the
first letter or what? If the first letter, must it be capitalised as
shown? The prompt seems to disappear when _any_ key is pressed; for
example I tried to copy the prompt to the clipboard and it disappeared
when I started to select it -- I've no idea which of the three choices
it decided I had entered. This seems rather surprising behaviour for the
minibuffer.

After the prompt is gone, the help window remains but the buffer itself
is gone. This seems to be rather the opposite of what would be useful.
Wouldn't it be better if the buffer with the details about the
problematic certificate persisted and the help window was closed?

Furthermore, the information in the help buffer is in a confusing order:

    Certificate information
    Issued by:          imap.example.com
    Issued to:          IMAP server
    Hostname:           imap.example.com
    Public key:         RSA, signature: RSA-SHA1
    Protocol:           TLS1.2, key: ECDHE-RSA, cipher: AES-128-GCM, mac: AEAD
    Security level:     Low
    Valid:              From 2013-09-07 to 2014-09-07


    The TLS connection to localhost:993 is insecure for the following
    reasons:

    certificate signer was not found (self-signed)
    certificate host does not match hostname
    certificate has expired
    the certificate was signed by an unknown and therefore untrusted authority
    certificate could not be verified

Would it not be better if the statement of the problem "The TLS
connection ... is insecure" came first, and the detailed certificate
information came at the end.

I'm trying to understand why the interface is the way it is, and also
how the user is expected to interact with it.