From: Lars Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: Deprecate TLS1.0 support in emacs
Date: Tue, 01 Aug 2017 16:53:17 +0200
Message-ID: <87pocfibky.fsf@mouse>
To: Paul Eggert
Cc: Robert Pluim, Richard Stallman, emacs-devel@gnu.org

Paul Eggert writes:

> Last year I would have agreed, but nowadays I think it'd be better to
> warn about TLS 1.0 somehow. According to
> https://www.ssllabs.com/ssl-pulse/ from July 2016 to July 2017 TLS
> v1.2 support climbed from 78.3% to 87.3%, whereas support for TLS v1.0
> dropped from 97.3% to 93.4% as the higher-end sites tighten up
> security. By the time the next version of Emacs comes out, it looks
> like a mild warning about TLS v1.0 will be appropriate.

Yes, I agree. eww, for instance, could remove the green URL when using
TLS 1.0, etc.

But the proposed NSM warning (which would make the user answer "y" to a
direct question about the TLS-ness) is too heavy, in my opinion. But
having the warning on the `high' NSM setting is fine with me, and I'll
see what I can do about removing green URLs from eww...

Other services, like SMTP/IMAP/etc will have to invent other
"lightweight" ways to tell the user that the content is on the insecure
side.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no