From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Wed, 12 Jul 2017 21:05:04 +0200
Message-ID: <87fue1v5lr.fsf@mouse>
References: <87o9sp7qok.fsf@gmail.com> <87zic9vk98.fsf@mouse> <87fue17mo5.fsf@gmail.com> <87tw2hvhob.fsf@mouse> <8760ex63hi.fsf@gmail.com>
In-Reply-To: <8760ex63hi.fsf@gmail.com> (Robert Pluim's message of "Wed, 12 Jul 2017 18:10:01 +0200")
To: emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux)
Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dVMwn-0000k2-Ac for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 21:05:17 +0200
Original-Received: from localhost ([::1]:55283 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVMws-000762-SQ for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 15:05:22 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:57602) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVMwn-00074M-By for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:18 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dVMwi-0003G3-DY for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:17 -0400
Original-Received: from hermes.netfonds.no ([80.91.224.195]:57997) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dVMwi-0003BX-6l for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:12 -0400
Original-Received: from cm-84.209.243.26.getinternet.no ([84.209.243.26] helo=mouse) by hermes.netfonds.no with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1dVMwa-0002mk-JP for emacs-devel@gnu.org; Wed, 12 Jul 2017 21:05:09 +0200
Xref: news.gmane.org gmane.emacs.devel:216558

Robert Pluim writes:

> There is no refusal of access, just refusal of a specific protocol. If
> we implement your suggestion from below there won't even be refusal.

It is a refusal to access a resource because somebody has determined that a specific protocol (HTTP + TLS1.0) is something that our users shouldn't be able to use. lists.gnu.org is, of course, just one example.

> I appreciate that's a strong opinion, but I definitely think we should
> strongly encourage people to move away from both of these protocols.

Encouragement is fine, but making our users switch to Firefox because of this obsession with protocols isn't.

As more and more resources are being made available over encrypted channels only, and as more and more of these (as a result of bad maintenance and the like) get tagged as "invalid encryption", something has to give.

It seems like the current movement is to just start ignoring whether protocols are outdated, use invalid certificates and the like, and just tell the user "you tried to access this via a secure channel. It's not, but here's the content anyway".

I may be misremembering, but I think the new Chrome beta is going in this direction: No explicit refusals to access anything, but just a big red X in the menu bar saying "UNSAFE".

It is, you know, not less safe than accessing via an unencrypted channel.

I think this is probably the way Emacs should consider moving, too, for eww and package-list. For other use, we may consider having the NSM prompt the user for what to do with TLS1.0. But probably not just yet.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
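The Received headers of this message are themselves a small illustration of the refuse-or-flag question argued above: the submission hop from the author's machine to hermes.netfonds.no negotiated TLS1.2 with an ECDHE/AES-GCM suite, eggs.gnu.org then accepted the mail from hermes.netfonds.no over TLS1.0 with a static-RSA AES-CBC suite, and the remaining network hops to lists.gnu.org and the gmane archive ran plain esmtp with no TLS at all. The following Python is an added example, not code from the thread, from Emacs or from NSM. It parses those Received lines (copied from this message's headers and embedded as sample input) and gives each hop the three-state verdict a flag-rather-than-refuse policy would need: plaintext, weak (encrypted but below the configured minimum version or with a suite lacking forward secrecy or using CBC mode), or ok, plus a "local" class for loopback and in-host handoffs. The Exim header layout `(TLSx.y:CIPHER:N)`, the GnuTLS-style suite names, the minimum-version default of TLS1.2 and the verdict ranking are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the Received chain copied from this message's own
# headers, reordered into transit order (first hop first).  Exim writes the
# negotiated TLS parameters as "(TLSx.y:CIPHER:N)" right after "with esmtps";
# a hop logged as plain "esmtp" negotiated no TLS at all.
RECEIVED_HEADERS = [
    "from cm-84.209.243.26.getinternet.no ([84.209.243.26] helo=mouse) by hermes.netfonds.no "
    "with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) "
    "id 1dVMwa-0002mk-JP for emacs-devel@gnu.org; Wed, 12 Jul 2017 21:05:09 +0200",
    "from hermes.netfonds.no ([80.91.224.195]:57997) by eggs.gnu.org with esmtps "
    "(TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dVMwi-0003BX-6l "
    "for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:12 -0400",
    "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) "
    "id 1dVMwi-0003G3-DY for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:17 -0400",
    "from eggs.gnu.org ([2001:4830:134:3::10]:57602) by lists.gnu.org with esmtp (Exim 4.71) "
    "(envelope-from ) id 1dVMwn-00074M-By for emacs-devel@gnu.org; Wed, 12 Jul 2017 15:05:18 -0400",
    "from localhost ([::1]:55283 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) "
    "(envelope-from ) id 1dVMws-000762-SQ for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 15:05:22 -0400",
    "from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) "
    "(envelope-from ) id 1dVMwn-0000k2-Ac for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 21:05:17 +0200",
]

# Assumed Exim layout: "from HOST (ADDR) by HOST with PROTO (TLSx.y:CIPHER:N) ...".
HOP_RE = re.compile(
    r"^from\s+(?P<sender>\S+)(?:\s+\((?P<addr>[^)]*)\))?"
    r"\s+by\s+(?P<receiver>\S+)\s+with\s+(?P<proto>\S+)"
    r"(?:\s+\((?P<tls>TLS\d+\.\d+):(?P<cipher>[^:)]+):(?P<size>\d+)\))?"
)

@dataclass
class Hop:
    sender: str
    address: Optional[str]      # "[ip]:port helo=..." part; None for an in-host handoff
    receiver: str
    protocol: str               # esmtp, esmtps, esmtpsa, spam-scanned, ...
    tls_version: Optional[str]  # e.g. "TLS1.0"; None when the hop was not encrypted
    cipher: Optional[str]       # GnuTLS-style suite name as Exim logs it
    key_size: Optional[int]     # trailing size field; its unit differs between Exim versions
                                # (16 for AES-128 on the 4.71 hop, 256 for AES-256 on the 4.84 hop)

def parse_received(value: str) -> Hop:
    m = HOP_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised Received header: {value[:60]!r}")
    return Hop(m["sender"], m["addr"], m["receiver"], m["proto"],
               m["tls"], m["cipher"], int(m["size"]) if m["size"] else None)

def tls_version_tuple(name: str) -> Tuple[int, int]:
    major, minor = re.fullmatch(r"TLS(\d+)\.(\d+)", name).groups()
    return int(major), int(minor)

def assess(hop: Hop, min_version: Tuple[int, int] = (1, 2)) -> Tuple[str, str]:
    """Classify one hop as 'local', 'plaintext', 'weak' or 'ok', with a reason.
    'weak' is the case the thread argues about: encrypted, but with parameters
    a policy would either refuse outright or merely flag to the user."""
    loopback = hop.address is not None and hop.address.startswith(("[::1]", "[127."))
    if hop.address is None or loopback:
        return "local", f"in-host handoff on {hop.receiver}, no network transit"
    if hop.tls_version is None:
        return "plaintext", f"{hop.protocol} without STARTTLS"
    problems = []
    if tls_version_tuple(hop.tls_version) < min_version:
        problems.append(f"{hop.tls_version} below minimum TLS{min_version[0]}.{min_version[1]}")
    if not hop.cipher.startswith(("ECDHE_", "DHE_")):
        problems.append("static key exchange, no forward secrecy")
    if "_CBC_" in hop.cipher:
        problems.append("CBC-mode cipher")
    if problems:
        return "weak", f"{hop.tls_version}:{hop.cipher}: " + "; ".join(problems)
    return "ok", f"{hop.tls_version}:{hop.cipher}"

RANK = {"plaintext": 0, "weak": 1, "ok": 2}

def audit(headers: List[str], min_version: Tuple[int, int] = (1, 2)) -> List[Tuple[str, str, str, str]]:
    """One (sender, receiver, verdict, reason) row per hop, in transit order."""
    rows = []
    for hop in map(parse_received, headers):
        verdict, reason = assess(hop, min_version)
        rows.append((hop.sender, hop.receiver, verdict, reason))
    return rows

def weakest_link(headers: List[str], min_version: Tuple[int, int] = (1, 2)) -> str:
    """The message is only as protected as its least-protected network hop."""
    verdicts = [v for _, _, v, _ in audit(headers, min_version) if v != "local"]
    return min(verdicts, key=RANK.__getitem__) if verdicts else "local"

if __name__ == "__main__":
    for sender, receiver, verdict, reason in audit(RECEIVED_HEADERS):
        print(f"{verdict:9} {sender} -> {receiver}: {reason}")
    print("weakest link:", weakest_link(RECEIVED_HEADERS))
```

Run against this message's chain the audit reports one ok hop, one weak hop (the TLS1.0 static-RSA CBC hop into eggs.gnu.org), and two plaintext hops, so the weakest link is plaintext; lowering the minimum to TLS1.0 still leaves that hop flagged weak for its key exchange and cipher mode, which is the kind of nuance a "big red X" display can carry where a flat refusal cannot.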