From: Mark H Weaver <mhw@netris.org>
To: Glenn Morris <rgm@gnu.org>
Cc: 18600@debbugs.gnu.org
Subject: bug#18600: 24.3.94; EWW fails to check https certificates
Date: Sat, 04 Oct 2014 19:24:41 -0400	[thread overview]
Message-ID: <87h9zj5sg6.fsf@yeeloong.lan> (raw)
In-Reply-To: <87tx3jiknk.fsf@lifelogs.com> (Ted Zlatanov's message of "Sat, 04 Oct 2014 17:34:39 -0400")

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Fri, 03 Oct 2014 19:01:42 -0400 Glenn Morris <rgm@gnu.org> wrote: 
>
> GM> Mark H Weaver wrote:
>>> I used EWW to visit an https website that uses a self-signed and
>>> long-expired https certificate.  It failed to notify me of any problem.
>
> GM> Setting gnutls-verify-error non-nil may help (I don't know what it does
> GM> with self-signed certificates).
>
> Emacs will reject such certificates then. I tested that as part of
> http://debbugs.gnu.org/16978 and would appreciate Mark's verification.

Yes, that works, thanks.

> After 24.4 (now 25.1) is released it will be t by default.  Mark, can we
> close this bug since http://debbugs.gnu.org/16978 already has all the info?

I almost closed the bug myself, but on second thought I think this case
of eww https warrants special consideration, independent of the more
general question of how 'open-gnutls-stream' should behave by default.

There are a few reasons for this:

1. In the case of imaps, smtps, xmpp, etc, the most common use case is
   to connect to a single server only for each of these protocols, and
   very often that's one's own server with self-signed certs.

2. In the case of https, the typical use cases are very different, as
   are the expectations.  When browsing the web, one typically talks to
   a very large number of https servers.  More often than not, these
   servers have certificates signed by a well-known CA.  (Ideally it
   should be possible to disable checking based on URL).

3. Emacs 24.4 will be the first release that includes eww, so there are
   no preexisting users of eww that would be annoyed by suddenly having
   their existing functionality stop working.

With these in mind, I have two recommendations:

* I believe that eww https should check certificates by default in 24.4,
  even though other tls connections are tolerant by default.

* At minimum, it should be possible to enable certificate checking for
  eww https connections while still allowing self-signed certificates
  for other uses of 'open-gnutls-stream' such as imaps and smtps.  This
  is a fairly common case.

IMO, anyway.  If you disagree, I'll defer to your judgment, but my
feeling is that the current behavior would not be well received.

    Thanks,
      Mark
