From mboxrd@z Thu Jan 1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Florian Weimer
Newsgroups: gmane.emacs.devel
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 20:43:32 +0200
Message-ID: <8761fazkx7.fsf@mid.deneb.enyo.de>
References: <20141022193441.GA11872@roeckx.be> <87zjcnj2k6.fsf@trouble.defaultvalue.org> <87mw8mzmxj.fsf@mid.deneb.enyo.de> <20141023143702.3897e618@jabberwock.cb.piermont.com>
In-Reply-To: <20141023143702.3897e618@jabberwock.cb.piermont.com> (Perry E. Metzger's message of "Thu, 23 Oct 2014 14:37:02 -0400")
To: "Perry E. Metzger"
Cc: emacs-devel@gnu.org, rms@gnu.org, Rob Browning, kurt@roeckx.be
List-Id: "Emacs development discussions."
Xref: news.gmane.org gmane.emacs.devel:175749

* Perry E. Metzger:

> On Thu, 23 Oct 2014 20:00:08 +0200 Florian Weimer
> wrote:
>> * Richard Stallman:
>>
>> > I've read that falling back to ssl3 is a real security hole,
>> > being exploited frequently.  That feature should be removed.
>>
>> GNUTLS automatically and securely upgrades to a TLS protocol if
>> supported by the server.  Dropping SSL 3.0 support altogether will
>> only encourage unencrypted connections instead.
>
> I disagree.  It will encourage people to upgrade from a flawed
> protocol to one that works.  Many people running servers are utterly
> unaware that there's anything wrong with what they're using right now
> -- if you leave in support forever, they'll never figure it out.

Well, print a warning and sit for five seconds if you care so much
about that, but denying users access to their mail just because you
decided that SSL 3.0 is not secure enough anymore doesn't make much
sense.  Rallying against RC4 would be a better use of our time, I
suspect.
Keep in mind that TLS 1.0 basically has the same problem as SSL 3.0, and support for protocols beyond TLS 1.0 is not actually widespread. And to reiterate, if something better is available, the presence of SSL 3.0 support on both ends does no harm (only with browsers, but that's a browser bug). TLS cryptographically protects against downgrades.
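The claim above, that TLS cryptographically protects against downgrades as long as both ends negotiate honestly, and the aside that browsers were the exception, can be made concrete with a small model. The following is an added example, not code from this thread, from Gnus or from GnuTLS: it is a toy of TLS version negotiation, not a TLS implementation. Both sides pick the highest version they share, and each side MACs the handshake transcript it saw (the Finished check), so an in-transit rewrite of the offered version is detected. The model also shows the one case the thread points at: a client that retries with a lower version after a failed handshake (the browser-style fallback dance) steps outside that protection, while a client that fails closed, or one whose minimum version excludes SSL 3.0, does not. The shared key, peer names and version set are constructed for the example; in real TLS the Finished MAC is keyed from the negotiated master secret.

```python
"""Toy model of TLS version negotiation and downgrade protection (added example)."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Version = Tuple[int, int]
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAME = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}
ORDER = [SSL3, TLS10, TLS11, TLS12]
SHARED_KEY = b"constructed-master-secret"  # constructed stand-in for the real master secret


@dataclass
class Peer:
    name: str
    min_version: Version  # lowest version this peer is willing to use
    max_version: Version  # highest version it implements


def hello(version: Version) -> bytes:
    """Minimal stand-in for a ClientHello/ServerHello: just the two version bytes."""
    return bytes(version)


def finished(transcript: bytes) -> bytes:
    """Finished verify_data: a MAC over the handshake transcript as this side saw it."""
    return hmac.new(SHARED_KEY, transcript, hashlib.sha256).digest()


# A network adversary receives the ClientHello and returns it (possibly altered),
# or None to model a dropped/reset connection.
Interference = Optional[Callable[[bytes], Optional[bytes]]]


def handshake(client: Peer, offered: Version, server: Peer,
              interfere: Interference = None) -> Optional[Version]:
    """One handshake in which the client offers `offered` as its highest version.
    Returns the negotiated version, or None if the handshake fails."""
    client_hello = hello(offered)
    wire = interfere(client_hello) if interfere else client_hello
    if wire is None:                        # connection dropped
        return None
    seen = (wire[0], wire[1])               # the version the server actually saw
    if seen < server.min_version:
        return None                         # server refuses
    chosen = min(seen, server.max_version)  # highest version both sides support
    server_hello = hello(chosen)
    if chosen < client.min_version:
        return None                         # client refuses
    # Each side authenticates the transcript it observed. If the ClientHello was
    # altered in transit, the two transcripts differ and the check fails.
    server_finished = finished(wire + server_hello)
    client_expected = finished(client_hello + server_hello)
    if not hmac.compare_digest(server_finished, client_expected):
        return None                         # in-handshake downgrade detected
    return chosen


def connect(client: Peer, server: Peer, interfere: Interference = None,
            fallback: bool = False) -> Optional[Version]:
    """Strict client: one handshake, fail closed.
    Fallback client: on failure, retry offering the next lower version it accepts."""
    offered = client.max_version
    while True:
        result = handshake(client, offered, server, interfere)
        if result is not None or not fallback:
            return result
        lower = [v for v in ORDER if client.min_version <= v < offered]
        if not lower:
            return None
        offered = lower[-1]


def rewrite_to_ssl3(client_hello: bytes) -> Optional[bytes]:
    """Adversary that alters the offered version inside a single handshake."""
    return hello(SSL3) + client_hello[2:]


def drop_unless_ssl3(client_hello: bytes) -> Optional[bytes]:
    """Adversary that drops every handshake offering more than SSL 3.0."""
    return client_hello if (client_hello[0], client_hello[1]) == SSL3 else None


def scenarios():
    gnus = Peer("gnus", SSL3, TLS12)           # client still willing to speak SSL 3.0
    strict_gnus = Peer("gnus-min-tls1", TLS10, TLS12)
    old_server = Peer("imap", SSL3, TLS10)     # server that never moved past TLS 1.0
    return {
        "honest, both allow SSLv3": connect(gnus, old_server),
        "in-handshake rewrite, no fallback": connect(gnus, old_server, rewrite_to_ssl3),
        "dropped handshakes, no fallback": connect(gnus, old_server, drop_unless_ssl3),
        "dropped handshakes, fallback dance": connect(gnus, old_server, drop_unless_ssl3, True),
        "fallback dance but SSLv3 disabled": connect(strict_gnus, old_server, drop_unless_ssl3, True),
    }


if __name__ == "__main__":
    for label, version in scenarios().items():
        print(f"{label:38s} -> {NAME[version] if version else 'no connection'}")
```

The first scenario is the thread's "no harm" case: both ends list SSL 3.0 but negotiate TLS 1.0 because that is the best they share. The next two show a strict client under an active adversary ending with no connection rather than a weaker one. Only the fallback client, retrying downward on its own, lands on SSL 3.0, and raising its minimum version closes even that path.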