From: "Perry E. Metzger"
Newsgroups: gmane.emacs.devel
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 11:29:20 -0400
Message-ID: <20180705112920.076265d5@jabberwock.cb.piermont.com>
References: <20180705093346.071e6970@jabberwock.cb.piermont.com> <83wou9n66t.fsf@gnu.org>
In-Reply-To: <83wou9n66t.fsf@gnu.org>
To: Eli Zaretskii
Cc: larsi@gnus.org, eggert@cs.ucla.edu, wyuenho@gmail.com, rms@gnu.org, emacs-devel@gnu.org

On Thu, 05 Jul 2018 16:49:30 +0300 Eli Zaretskii wrote:
> > Date: Thu, 5 Jul 2018 09:33:46 -0400
> > From: "Perry E. Metzger"
> > Cc: Paul Eggert , Jimmy Yuen Ho Wong
> > , emacs-devel@gnu.org
> >
> > Pinning is what is done by sites like gmail to prevent third world
> > dictatorships from using stolen certificate credentials to spy on
> > their citizens. People who have been victims of this have had
> > their email read, been arrested by state security forces for
> > dissent, and have been tortured to death for lack of certificate
> > pinning working in their browsers.
> >
> > This is a matter of life and death for many people.
> >
> > > do this via ELPA, I think. Whether it's worth doing is another
> > > issue; I think the jury is still out on that one...
> >
> > Do you think it's worth keeping people from quite literally being
> > tortured to death?
> >
> > For most of the secure HTTP stuff we've been discussing, I would
> > far rather be inconvenienced here and there than know my slight
> > extra convenience was being paid for in human blood.
>
> It isn't the Emacs way to second-guess our users' needs,

Most users do not know or understand anything about setting security,
so defaults have to do the right thing.

> definitely
> not to decide for them what is and what isn't a matter of life and
> death for them.

Most users depend on software vendors to set the correct amount of
security. They have no understanding of the protocols in use, and it
is unreasonable to ask them to make such decisions by default.

I'm dead serious in saying that if you do not obey the standards for
how browsers are supposed to behave, you might quite literally kill
someone. People have died this way. Do you want me to start posting
names and incidents? If you want descriptions of dissidents having
their genitals electrocuted and being locked upright in freezing cold
rooms, I'll happily start linking to Amnesty International reports
for you.

Many countries now use the internet as an instrument of control and
oppression. We should not be making their job easier. If people want
to remove security on their own, that's their business, but providing
defaults that are not even as secure as what Chrome or Firefox does is
totally irresponsible.

> We provide options with some reasonable defaults,
> and then let users make informed decisions which defaults are not
> good enough for them.
>
> It is IMO unreasonable to make our defaults match what happens in
> dictatorships that you describe,

You do not understand the issue and are thus incompetent to make a
decision on this. Certificate pinning has nothing to do with defaults
that are set only for such countries. It is a general mechanism
deployed in any browser you can download today, and was created to
prevent people using browsers who cannot trust their network -- which
is to say, all users -- from having untrustworthy certificates
substituted in by malign actors who intend to man-in-the-middle attack
TLS connections.

Various web sites, like gmail, have deliberately requested pinning of
certs used with their sites to prevent this from happening, and it is
not our place to second-guess their security policies.

Do you really want me to describe some of the things that have happened
to people who have had their communications intercepted because
software developers were irresponsible? You can find pretty graphic
descriptions online.

> because that would unnecessarily
> inconvenience the majority of the users.

Certificate pinning is used by Chrome, Firefox, Safari and all other
browsers. Do you think they inconvenience their users? Have you ever
even gotten a single false error from this? No, you haven't. I assure
you that the people setting the standards for such things spend a lot
of time making sure that it is invisible to their users. If a site
demands pinning, you should accept that they have made this decision
for good reasons.

> Let's not follow the bad
> example of the TSA (whose rationale is, unsurprisingly, also matters
> of life and death).

Your metaphor is completely inaccurate. The TSA misses something over
95% of weapons in adversarial tests, for example. Security
professionals have set standards in bodies like the IETF for how
browsers should behave by default. If you want to allow consenting
adults to turn off such defenses, that's one thing, but the default
should be to provide security to the users.

Richard has a blurb in every one of his emails because state security
actors are of that much concern to him, and you honestly propose
ignoring the need to protect users from network based attacks?

Perry
--
Perry E. Metzger perry@piermont.com
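The mechanism the message describes, added here as an example that is neither the email author's code nor Emacs's own network security code: an HPKP-style public-key pin check run after ordinary chain validation, showing why a chain that validates to a trusted CA but carries a substituted key is still rejected. The host name, pin set and SubjectPublicKeyInfo byte strings are all constructed for the demonstration.

```python
import base64
import hashlib

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo (SPKI) of
# four keys. Real code would extract the SPKI from each certificate in the
# chain the server presented; only the hashing and comparison matter here.
SITE_SPKI = b"constructed-spki:site-current-key"
BACKUP_SPKI = b"constructed-spki:site-backup-key"
CA_SPKI = b"constructed-spki:some-trusted-ca-key"
ROGUE_SPKI = b"constructed-spki:mis-issued-key"


def spki_pin(spki_der):
    """Pin value: base64(SHA-256(SPKI)), the pin-sha256 form of RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Pin set a site publishes (or a client ships preloaded). Two pins, so the
# site can rotate to its backup key without locking its own users out.
PINS = {"mail.example.test": {spki_pin(SITE_SPKI), spki_pin(BACKUP_SPKI)}}


def chain_matches_pins(host, chain_spkis, pins=PINS):
    """Pin check run after ordinary chain validation has already passed.

    The connection is accepted only if at least one SPKI in the presented
    chain matches a pin recorded for this host. A chain that validates up to
    a trusted CA but contains none of the pinned keys is exactly the
    substituted-certificate case pinning exists to catch. Hosts with no pins
    fall back to plain chain validation.
    """
    host_pins = pins.get(host)
    if host_pins is None:
        return True
    return any(spki_pin(spki) in host_pins for spki in chain_spkis)


if __name__ == "__main__":
    host = "mail.example.test"
    # Genuine chain, chain after key rotation, and a chain built from a
    # certificate a CA wrongly issued for the site's name.
    print("genuine   ", chain_matches_pins(host, [SITE_SPKI, CA_SPKI]))
    print("rotated   ", chain_matches_pins(host, [BACKUP_SPKI, CA_SPKI]))
    print("mis-issued", chain_matches_pins(host, [ROGUE_SPKI, CA_SPKI]))
```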