From: "Stephen J. Turnbull" <stephen@xemacs.org>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: rms@gnu.org, kurt@roeckx.be, emacs-devel@gnu.org,
Florian Weimer <fw@deneb.enyo.de>,
Stefan Monnier <monnier@iro.umontreal.ca>,
Rob Browning <rlb@defaultvalue.org>
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Wed, 29 Oct 2014 12:19:47 +0900 [thread overview]
Message-ID: <878ujz4l64.fsf@uwakimon.sk.tsukuba.ac.jp> (raw)
In-Reply-To: <20141028111903.199d44ab@jabberwock.cb.piermont.com>
Getting the attributions right, I wrote:
> > > I consider contributions to security technology and policy[1]
> > > defense of freedom.
And on Tue, 28 Oct 2014 09:31:58 -0400 Stefan Monnier
<monnier@iro.umontreal.ca> replied:
> > Note that in the context of "secure"boot, digital restrictions
> > management, and other tivo-ized systems, that same technology is
> > clearly being used against freedom.
They're being used against *software* freedom. Without that (or
similar) qualification, it's no longer so clear, as in many cases
other freedoms are being enabled.
Nevertheless, as Perry points out, it's reasonable to consider the
algorithms to be freedom-defending in many cases. Free software
distributions would be hard put to prosper under current conditions of
criminal behavior on the Internet without signatures, for example. I
suggest below that the problem is when these technologies are
*embedded* in a hardware product, and the user has no choice about how
they are applied by that product.
Perry E. Metzger rebuts:
> There's nothing wrong with things like secure boot systems provided
> they're fully under the control of the user.
Excuse me? Your main argument in this thread amounts to "'secure
system under the control of the user' is an oxymoron". That's not
quite true: you personally might be able to pull it off. But I know
I'm at risk, because I don't have a high degree of expertise. (I'm
willing to accept the risk because I've learned to be paranoid and
think that the chances that I'll be targeted by a social engineering
threat I don't recognize is low. But I must acknowledge that risk.)
> Yes, the same technology has multiple uses, both pro and anti
> freedom, but that's true of all sorts of things, including
> computers in general.
Which of course is the argument behind my "consideration" above.
Nevertheless, Stefan and Florian are correct about the technologies
mentioned in current practice. Furthermore, it's hard to see how it
can be otherwise, since ordinary users do not have access to the
facilities for manufacturing the systems they use, and the convenience
of using systems manufactured by others is huge even if they did.
I'm sure there are ways, but I note that later in the conversation you
acknowledge that it would take a fair amount of thought for you to
design the system itself. And then there is the politicking and
enforcement against three-letter agencies and wannabe monopolists
necessary to provide a tight legal framework to preserve the freedom
that such a technology would provide. For the foreseeable future, the
only freedom these particular *embedded* technologies are likely to
defend is that of the manufacturers and their content-marketing
clients.
I note that you and Stefan say that this is getting off-topic, and of
course in one sense you're right. However, the central tension in the
"rip out SSL3 by the roots" discussion is precisely about whether
users can be trusted not to shoot themselves in the foot enough to
justify the convenience of features that could result in blowing off
their toes. I think this discussion of freedom-enhancing vs. freedom-
detracting "security" is useful in that context.
next prev parent reply other threads:[~2014-10-29 3:19 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20141022193441.GA11872@roeckx.be>
2014-10-22 20:02 ` Bug#766395: emacs/gnus: Uses s_client to for SSL Rob Browning
2014-10-22 20:05 ` Rob Browning
2014-10-23 14:03 ` Ted Zlatanov
2014-10-23 15:57 ` Rob Browning
2014-10-24 13:39 ` Ted Zlatanov
2016-02-20 15:28 ` Kurt Roeckx
2016-02-21 2:47 ` Lars Ingebrigtsen
2017-02-22 20:38 ` Bug#766397: " Antoine Beaupre
2017-04-16 17:28 ` Rob Browning
2014-10-22 20:14 ` Stefan Monnier
2014-10-22 21:02 ` Andreas Schwab
2014-10-23 16:49 ` Andreas Schwab
2014-10-23 17:29 ` Lars Magne Ingebrigtsen
2014-10-23 20:36 ` Stefan Monnier
2014-10-24 7:01 ` Lars Magne Ingebrigtsen
2014-10-27 19:42 ` Filipp Gunbin
2014-10-23 16:34 ` Richard Stallman
2014-10-23 18:00 ` Florian Weimer
2014-10-23 18:37 ` Perry E. Metzger
2014-10-23 18:43 ` Florian Weimer
2014-10-23 18:57 ` Perry E. Metzger
2014-10-23 18:59 ` Florian Weimer
2014-10-23 19:11 ` Kurt Roeckx
2014-10-23 19:42 ` Perry E. Metzger
2014-10-23 19:50 ` Florian Weimer
2014-10-23 20:26 ` Perry E. Metzger
2014-10-23 21:05 ` Kurt Roeckx
2014-10-24 2:56 ` Perry E. Metzger
2014-10-23 21:48 ` Stephen J. Turnbull
2014-10-24 3:00 ` Perry E. Metzger
2014-10-24 20:51 ` Stephen J. Turnbull
2014-10-24 21:14 ` Perry E. Metzger
2014-10-24 21:33 ` Lars Magne Ingebrigtsen
2014-10-25 0:36 ` Perry E. Metzger
2014-10-25 15:27 ` Ted Zlatanov
2014-10-25 15:53 ` Lars Magne Ingebrigtsen
2014-10-26 8:15 ` Florian Weimer
2014-10-26 11:42 ` Lars Magne Ingebrigtsen
2014-10-26 12:45 ` Florian Weimer
2014-10-26 1:42 ` Richard Stallman
2014-10-26 7:38 ` Florian Weimer
2014-10-24 21:47 ` Stephen J. Turnbull
2014-10-25 0:42 ` Perry E. Metzger
2014-10-27 17:17 ` Stephen J. Turnbull
2014-10-27 19:39 ` Perry E. Metzger
2014-10-28 7:04 ` Stephen J. Turnbull
2014-10-28 7:45 ` Thien-Thi Nguyen
2014-10-28 8:44 ` Stephen J. Turnbull
2014-10-28 13:31 ` Stefan Monnier
2014-10-28 15:19 ` Perry E. Metzger
2014-10-28 15:33 ` Florian Weimer
2014-10-28 16:20 ` Perry E. Metzger
2014-10-28 16:52 ` Stefan Monnier
2014-10-28 17:11 ` Perry E. Metzger
2014-10-29 3:19 ` Stephen J. Turnbull [this message]
2014-10-28 15:10 ` Perry E. Metzger
2014-10-29 2:33 ` Stephen J. Turnbull
2014-10-29 3:06 ` Perry E. Metzger
2014-10-29 7:28 ` Stephen J. Turnbull
2014-10-29 11:19 ` Perry E. Metzger
2014-10-23 19:03 ` Kurt Roeckx
2014-10-24 13:35 ` Ted Zlatanov
2014-10-25 7:31 ` Richard Stallman
2014-10-25 14:33 ` Perry E. Metzger
2014-10-25 15:49 ` removing SSLv3 support by default from the Emacs GnuTLS integration (was: Bug#766395: emacs/gnus: Uses s_client to for SSL.) Ted Zlatanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878ujz4l64.fsf@uwakimon.sk.tsukuba.ac.jp \
--to=stephen@xemacs.org \
--cc=emacs-devel@gnu.org \
--cc=fw@deneb.enyo.de \
--cc=kurt@roeckx.be \
--cc=monnier@iro.umontreal.ca \
--cc=perry@piermont.com \
--cc=rlb@defaultvalue.org \
--cc=rms@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.