From: Eli Zaretskii
Newsgroups: gmane.emacs.bugs
Subject: bug#31946: 27.0.50; The NSM should warn about more TLS problems
Date: Sun, 01 Jul 2018 18:01:27 +0300
Message-ID: <83po07knjs.fsf@gnu.org>
References: <87fu1apchn.fsf@gmail.com> <83in65r4n9.fsf@gnu.org> <87y3f1njku.fsf@gmail.com> <87tvpnojgt.fsf@gmail.com>
To: Jimmy Yuen Ho Wong
Cc: larsi@gnus.org, 31946@debbugs.gnu.org, npostavs@gmail.com
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
> From: Jimmy Yuen Ho Wong
> Date: Sat, 30 Jun 2018 18:28:41 +0100
> Cc: Noam Postavsky, Eli Zaretskii, 31946@debbugs.gnu.org
>
> Here's the patch promised.
>
> Summary of changes:
>
> * 9 new checks added, some for securing Emacs builds with older GnuTLS
>   versions, some for bringing NSM checks to 2018.
> * Individual checks are now suffixed by their cipher suite part. E.g.
>   dhe-kx for DHE key exchange, des-cipher for DES cipher, sha1-sig for
>   SHA1 signature.
> * Protocol checks now return an error message instead of querying the
>   user directly.
> * All protocol checks under the same network-security-level are
>   performed. All of the messages are then merged if any, and the user is
>   only prompted once after the protocol check for all problems found.
> * nsm-query and nsm-query-user no longer take extra args to format
>   messages. Formatted messages are now provided directly by the
>   individual checks.
> * Fix RC4 check where it was previously checking for non-existent RC4
>   cipher from GnuTLS. GnuTLS actually calls RC4 ARCFOUR.
> * Removed sha1 check as it is already covered by the intermediate SHA1
>   checks.
> * DHE check now checks for < 1024 bit prime for 'medium and usage of
>   DHE for 'high and above, in addition to prime bit length.

Just looking at this with the somewhat naïve eyes of a user who knows
very little about security features, I'm bothered that we add so many
checks to the 'medium' level, only 2 to 'high', and _none_ to
'paranoid'.  Since 'medium' is the lowest level that provides _any_
security features, does having 12 out of 14 checks in 'medium' really
make sense?  Do other browsers offer the same features on the lowest
security level?  Aren't some of the vulnerabilities less frequent
and/or less dangerous, in which case it would make sense to move them
to higher levels?  Or maybe we should introduce an intermediate level
between 'medium' and 'high', and move some of these new checks into it?

That's my main concern about this and other similar changes.

The next concern is about documentation: IMO such a massive upgrade of
security needs to document the checks, in the source if not in the
Emacs manual.  We must give our users tools to make informed decisions
regarding which security measures are good for them.  This patch comes
just with doc strings, which IMO is not enough: NEWS and the manual
should also be updated.

As for doc strings, see comments below.

>  (defvar network-security-protocol-checks
> -  '((diffie-hellman-prime-bits medium 1024)
> -    (rc4 medium)
> -    (signature-sha1 medium)
> -    (intermediate-sha1 medium)
> -    (3des high)
> +  '((rsa-kx high)
> +    (dhe-kx medium)
> +    (anon-kx medium)
> +    (export-kx medium)
> +    (cbc-cipher high)
> +    (ecdsa-cbc-cipher medium)
> +    (3des-cipher medium)
> +    (des-cipher medium)
> +    (rc4-cipher medium)
> +    (rc2-cipher medium)
> +    (null-cipher medium)
> +    (sha1-sig medium)
> +    (md5-sig medium)
>      (ssl medium))
>    "This variable specifies what TLS connection checks to perform.

Either each test should be documented right here, or the doc string of
this variable should refer the reader to the respective functions,
explaining how to deduce the function name from the test name.

> +(defun nsm-protocol-check--rsa-kx (host port status)
> +  "Check for static RSA key exchange.
> +
> +Static RSA key exchange methods do not offer perfect forward
> +secrecy.
> +
> +Reference:
> +
> +IETF TLSWG (2014). \"[TLS] Confirming Consensus on removing RSA key
> +Transport from TLS 1.3\",
> +`https://www.ietf.org/mail-archive/web/tls/current/msg11621.html'"

A reference is fine, but it alone is not enough: we cannot expect users
to read academic papers just to decide what security they need.  IMO,
we should say at least a few words about each test, enough for the user
to understand whether they need this test.  It may be enough to say
just how frequent and/or dangerous the corresponding vulnerability is;
adding the description of a vulnerability with some objective
assessment of its relevance would be a bonus.

> +Recent version of GnuTLS does not enable this key exchange by default,
> +but can be enabled if requested. This check is mainly provided to
> +secure Emacs built with older version of GnuTLS.

Please state the first version of GnuTLS that disables this by default:
what is "recent" today will become less so in a year.  I'd like us to
give a user who knows what version of GnuTLS she has installed an
effective way of deciding whether this test is needed.

> +RC4 cipher has been prohibited by RFC 7465.
> +
> +Recent version of GnuTLS does not enable this cipher by default, but
> +can be enabled if requested. This check is mainly provided to secure
> +Emacs built with older version of GnuTLS.

Likewise here (and elsewhere in the patch).

> +The first SHA1 collision was found in 2017[1], as a precaution against
> +events followed the discovery of cheap collisions in MD5, major
> +browsers[2][3][4] have sunsetted the use of SHA1 signatures in
                     ^^^^^^^^^^^^^^
> +certificates.

Please try to avoid using jargon that may be difficult for non-native
English speakers to understand.  Security issues should not be obscured
by obscure language.

Thanks again for working on this.
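Review bot: in the network-security-protocol-checks hunk, the new entry `+    (dhe-kx medium)` drops the `1024` argument that the removed `-  '((diffie-hellman-prime-bits medium 1024)` entry carried, so the minimum DHE prime size is no longer tunable from this variable even though the summary says the check still uses a 1024-bit threshold; either keep the threshold as an entry argument, e.g. `(dhe-kx medium 1024)`, or state in the docstring that it is now fixed inside the check. The docstring line `"This variable specifies what TLS connection checks to perform.` should also spell out that each entry NAME is implemented by a function named `nsm-protocol-check--NAME`, as `nsm-protocol-check--rsa-kx` is for `rsa-kx`, so a reader can find the check behind each entry.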
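Review bot: the GnuTLS sentence in the rsa-kx docstring hunk does not parse: `+Recent version of GnuTLS does not enable this key exchange by default,` / `+but can be enabled if requested.` should read "Recent versions of GnuTLS do not enable this key exchange by default, but it can be enabled if requested", and `+secure Emacs built with older version of GnuTLS.` should say "older versions"; the identical wording recurs in the RC4 docstring hunk. Replacing "Recent versions" with the first GnuTLS release that disables the feature by default would also make the sentence verifiable by the user instead of relative to the date of writing.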
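Review bot: the SHA1 docstring hunk is one run-on sentence with a missing relative pronoun: `+The first SHA1 collision was found in 2017[1], as a precaution against` / `+events followed the discovery of cheap collisions in MD5, major` / `+browsers[2][3][4] have sunsetted the use of SHA1 signatures in` should be split into two sentences, e.g. "The first SHA1 collision was found in 2017[1]. As a precaution against a repeat of what followed the discovery of cheap MD5 collisions, major browsers[2][3][4] have stopped accepting SHA1 signatures in certificates." The bracketed references [1] to [4] are cited but not shown in the hunk; they need to be listed at the end of the docstring, in the same "Reference:" layout the rsa-kx docstring uses, or the citations are dangling.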