* The Network Security Manager is now on the trunk
From: Lars Magne Ingebrigtsen @ 2014-11-23 14:16 UTC
To: emacs-devel

`network-security-level' defaults to `low', though, so it will not
actually be used, so there should currently be no impact on anybody,
unless I made a boo-boo somewhere.

There may be building problems on non-GNU/Linux systems because of the
gnutls.c changes, but hopefully not.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: The Network Security Manager is now on the trunk
From: Romain Francoise @ 2014-11-23 15:31 UTC
To: emacs-devel

On Sun, Nov 23, 2014 at 03:16:21PM +0100, Lars Magne Ingebrigtsen wrote:
> `network-security-level' defaults to `low', though, so it will not
> actually be used, so there should currently be no impact on anybody,
> unless I made a boo-boo somewhere.

Works fine for me, thanks!

(But our TLS support will still be fatally insecure by default as long
as `gnutls-min-prime-bits' is set to something lower than 1024.)
* Re: The Network Security Manager is now on the trunk
From: Lars Magne Ingebrigtsen @ 2014-11-23 15:38 UTC
To: Romain Francoise; +Cc: emacs-devel

Romain Francoise <romain@orebokech.com> writes:

> On Sun, Nov 23, 2014 at 03:16:21PM +0100, Lars Magne Ingebrigtsen wrote:
>> `network-security-level' defaults to `low', though, so it will not
>> actually be used, so there should currently be no impact on anybody,
>> unless I made a boo-boo somewhere.
>
> Works fine for me, thanks!
>
> (But our TLS support will still be fatally insecure by default as long
> as `gnutls-min-prime-bits' is set to something lower than 1024.)

Is there an interface function to query gnutls how many prime bits were
used during connection?  If so, we could add that to the NSM, too.  (On
`high', perhaps.)

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: The Network Security Manager is now on the trunk
From: Romain Francoise @ 2014-11-23 15:50 UTC
To: Lars Magne Ingebrigtsen; +Cc: emacs-devel

On Sun, Nov 23, 2014 at 04:38:02PM +0100, Lars Magne Ingebrigtsen wrote:
> Is there an interface function to query gnutls how many prime bits were
> used during connection?  If so, we could add that to the NSM, too.  (On
> `high', perhaps.)

`gnutls_dh_get_prime_bits'
* Re: The Network Security Manager is now on the trunk
From: Lars Magne Ingebrigtsen @ 2014-11-23 16:04 UTC
To: Romain Francoise; +Cc: emacs-devel

Romain Francoise <romain@orebokech.com> writes:

> On Sun, Nov 23, 2014 at 04:38:02PM +0100, Lars Magne Ingebrigtsen wrote:
>> Is there an interface function to query gnutls how many prime bits were
>> used during connection?  If so, we could add that to the NSM, too.  (On
>> `high', perhaps.)
>
> `gnutls_dh_get_prime_bits'

Great.  I'll report that as a wishlist bug so that we don't forget to
implement it.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: The Network Security Manager is now on the trunk
From: Ted Zlatanov @ 2014-11-23 21:09 UTC
To: emacs-devel

On Sun, 23 Nov 2014 17:04:48 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

LMI> Romain Francoise <romain@orebokech.com> writes:
>> On Sun, Nov 23, 2014 at 04:38:02PM +0100, Lars Magne Ingebrigtsen wrote:
>>> Is there an interface function to query gnutls how many prime bits were
>>> used during connection?  If so, we could add that to the NSM, too.  (On
>>> `high', perhaps.)
>>
>> `gnutls_dh_get_prime_bits'

LMI> Great.  I'll report that as a wishlist bug so that we don't forget to
LMI> implement it.

Thanks!

Ted
* Re: The Network Security Manager is now on the trunk
From: Tassilo Horn @ 2014-11-23 19:30 UTC
To: emacs-devel

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> `network-security-level' defaults to `low', though, so it will not
> actually be used, so there should currently be no impact on anybody,
> unless I made a boo-boo somewhere.

I've set it to high and all my mail servers seem to be ok except for
gmane where I had to confirm my connection attempt.

BTW, the confirmation prompts could be improved a bit: I think it said
Yes, No or Always without telling me what I need to type.  Ok, ok,
guessing "a" for Always wasn't that challenging but (y)es, (n)o,
(a)lways would be even clearer.

Bye,
Tassilo
* Re: The Network Security Manager is now on the trunk
From: Lars Magne Ingebrigtsen @ 2014-11-24 16:49 UTC
To: emacs-devel

I've now added a mini-essay to the lispref manual on network security,
but perhaps this sort of thing should be in the Emacs manual instead?
If so, where in the Emacs manual should it be?

(I tried avoiding using the words "NSA" and "China".)

36.15 Network Security
======================

After establishing a network connection, the connection is then passed
on to the Network Security Manager (NSM).  The `network-security-level'
variable determines the security level.  If this is `low', no security
checks are performed.

If this variable is `medium' (which is the default), a number of checks
will be performed.  If the NSM determines that the network connection
might be unsafe, the user is made aware of this, and the NSM will ask
the user what to do about the network connection.

The user is given the choice of registering a permanent security
exception, a temporary one, or whether to refuse the connection
entirely.

Below is a list of the checks done on the `medium' level.

unable to verify a TLS certificate
     If the connection is a TLS, SSL or STARTTLS connection, the NSM
     will check whether the certificate used to establish the identity
     of the server we're connecting to can be verified.

     While an invalid certificate is often the cause for concern (there
     may be a Man-in-the-Middle hijacking your network connection and
     stealing your password), there may be valid reasons for going
     ahead with the connection anyway.  For instance, the server may be
     using a self-signed certificate, or the certificate may have
     expired.  It's up to the user to determine whether it's acceptable
     to continue the connection.

a self-signed certificate has changed
     If you've previously accepted a self-signed certificate, but it
     has now changed, that either means that the server has just
     changed the certificate, or this might mean that the network
     connection has been hijacked.

previously encrypted connection now unencrypted
     If the connection is unencrypted, but it was encrypted in previous
     sessions, this might mean that there is a proxy between you and
     the server that strips away STARTTLS announcements, leaving the
     connection unencrypted.  This is usually very suspicious.

talking to an unencrypted service when sending a password
     When connecting to an IMAP or POP3 server, these should usually be
     encrypted, because it's common to send passwords over these
     connections.  Similarly, if you're sending email via SMTP that
     requires a password, you usually want that connection to be
     encrypted.  If the connection isn't encrypted, the NSM will warn
     you.

If `network-security-level' is `high', the following checks will be
made:

a validated certificate changes the public key
     Servers change their keys occasionally, and that is normally
     nothing to be concerned about.  However, if you are worried that
     your network connections are being hijacked by agencies who have
     access to pliable Certificate Authorities that issue new
     certificates for third-party services, you may want to keep track
     of these changes.

Finally, if `network-security-level' is `paranoid', you will also be
notified the first time the NSM sees any new certificate.  This will
allow you to inspect all the certificates from all the connections that
Emacs makes.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
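The decision logic that the draft manual text describes, plus the DH prime-bits check Romain and Lars discussed earlier in the thread, as an added example. This is a Python model written for this page, not code from Emacs's nsm.el: the `Connection` and `History` records, the problem keywords and the in-memory history are all constructed here, and the `dh_prime_bits` field stands in for what `gnutls_dh_get_prime_bits` would report. The point it shows is how the checks stack by level (`low` does nothing, `medium` catches STARTTLS stripping and passwords in the clear, `high` adds key-change and weak-DH checks, `paranoid` flags every unseen certificate):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LEVELS = ("low", "medium", "high", "paranoid")   # order matters: each level includes the ones below


@dataclass
class Connection:
    """What the NSM learns about one freshly established connection (constructed model)."""
    host: str
    encrypted: bool                          # TLS, SSL or STARTTLS negotiated
    cert_verified: Optional[bool] = None     # None when the connection is not TLS
    self_signed: bool = False
    fingerprint: Optional[str] = None        # certificate fingerprint
    public_key: Optional[str] = None         # public key carried by the certificate
    sends_password: bool = False             # IMAP, POP3, or SMTP with authentication
    dh_prime_bits: Optional[int] = None      # as gnutls_dh_get_prime_bits would report (assumed field)


@dataclass
class History:
    """Per-host state remembered from earlier sessions (constructed, kept in memory)."""
    was_encrypted: Dict[str, bool] = field(default_factory=dict)
    accepted_self_signed: Dict[str, str] = field(default_factory=dict)   # host -> fingerprint
    validated_public_key: Dict[str, str] = field(default_factory=dict)   # host -> public key
    seen_fingerprints: Set[str] = field(default_factory=set)


def nsm_check(conn: Connection, history: History, level: str,
              min_prime_bits: int = 1024) -> List[str]:
    """Return the problems the NSM would raise at LEVEL; empty means proceed silently.

    A non-empty list is where the real NSM prompts the user for a permanent
    exception, a temporary one, or a refusal.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown network-security-level: {level!r}")
    rank = LEVELS.index(level)
    problems: List[str] = []
    if rank < 1:                     # `low': no checks at all
        return problems

    # `medium' checks, in the order the draft manual lists them.
    if conn.encrypted and conn.cert_verified is False:
        problems.append("unverified-certificate")
    old_fp = history.accepted_self_signed.get(conn.host)
    if conn.self_signed and old_fp is not None and old_fp != conn.fingerprint:
        problems.append("self-signed-certificate-changed")
    if not conn.encrypted and history.was_encrypted.get(conn.host):
        problems.append("previously-encrypted-now-unencrypted")   # STARTTLS-stripping pattern
    if not conn.encrypted and conn.sends_password:
        problems.append("password-over-unencrypted-connection")

    if rank >= 2:                    # `high'
        old_key = history.validated_public_key.get(conn.host)
        if conn.cert_verified and old_key is not None and old_key != conn.public_key:
            problems.append("validated-certificate-public-key-changed")
        # Proposed in the thread, not in the draft manual: flag a DH group below the floor.
        if conn.dh_prime_bits is not None and conn.dh_prime_bits < min_prime_bits:
            problems.append("dh-prime-too-small")

    if rank >= 3:                    # `paranoid'
        if conn.fingerprint is not None and conn.fingerprint not in history.seen_fingerprints:
            problems.append("new-certificate")
    return problems


def nsm_record(conn: Connection, history: History) -> None:
    """Update the remembered state once the user has accepted the connection."""
    history.was_encrypted[conn.host] = conn.encrypted
    if conn.fingerprint is not None:
        history.seen_fingerprints.add(conn.fingerprint)
        if conn.self_signed:
            history.accepted_self_signed[conn.host] = conn.fingerprint
    if conn.cert_verified and conn.public_key is not None:
        history.validated_public_key[conn.host] = conn.public_key


def demo() -> Dict[str, List[str]]:
    """Run constructed scenarios against one host; returns {scenario: problems}."""
    hist = History()
    first = Connection("imap.example.test", encrypted=True, cert_verified=True,
                       fingerprint="fp-1", public_key="key-1", sends_password=True,
                       dh_prime_bits=2048)
    results = {"first-contact-paranoid": nsm_check(first, hist, "paranoid")}
    nsm_record(first, hist)
    # A later session in which STARTTLS was stripped by an intermediary.
    stripped = Connection("imap.example.test", encrypted=False, sends_password=True)
    results["stripped-medium"] = nsm_check(stripped, hist, "medium")
    results["stripped-low"] = nsm_check(stripped, hist, "low")
    # Same host, a valid certificate for a different key, and a weak DH group.
    rekeyed = Connection("imap.example.test", encrypted=True, cert_verified=True,
                         fingerprint="fp-2", public_key="key-2", sends_password=True,
                         dh_prime_bits=768)
    results["rekeyed-medium"] = nsm_check(rekeyed, hist, "medium")
    results["rekeyed-high"] = nsm_check(rekeyed, hist, "high")
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {found or 'ok'}")
```

The `rekeyed` scenario is the one worth noting for defenders: a certificate that validates perfectly is silent at `medium`, and only `high` surfaces that the key behind it changed and that the DH group is below the 1024-bit floor Romain mentions. Whether a key change is routine rotation or something worse is exactly the judgement the manual leaves to the user.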
* Re: The Network Security Manager is now on the trunk
From: Eli Zaretskii @ 2014-11-24 17:12 UTC
To: Lars Magne Ingebrigtsen; +Cc: emacs-devel

> From: Lars Magne Ingebrigtsen <larsi@gnus.org>
> Date: Mon, 24 Nov 2014 17:49:23 +0100
>
> I've now added a mini-essay to the lispref manual on network security,
> but perhaps this sort of thing should be in the Emacs manual instead?

If it's user (as opposed to Lisp programmer) level information, it
should be in the user manual.

> If so, where in the Emacs manual should it be?

A chapter near "Sending mail", "Rmail", "Gnus", etc.

And don't forget NEWS.

Thanks.
* Re: The Network Security Manager is now on the trunk
From: Lars Magne Ingebrigtsen @ 2014-11-24 17:30 UTC
To: Eli Zaretskii; +Cc: emacs-devel

Eli Zaretskii <eliz@gnu.org> writes:

>> If so, where in the Emacs manual should it be?
>
> A chapter near "Sending mail", "Rmail", "Gnus", etc.
>
> And don't forget NEWS.

Ok; done.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: The Network Security Manager is now on the trunk
From: Stefan Monnier @ 2014-11-24 17:52 UTC
To: emacs-devel

> If this variable is `medium' (which is the default), a number of
> checks will be performed.  If the NSM determines that the network
> connection might be unsafe, the user is made aware of this, and the NSM
                      ^^^^^^

I think this is not what we really mean: the connection itself is
generally not dangerous.  Maybe "trustworthy" is closer.

        Stefan
* Re: The Network Security Manager is now on the trunk
From: Lars Magne Ingebrigtsen @ 2014-11-24 23:50 UTC
To: Stefan Monnier; +Cc: emacs-devel

Stefan Monnier <monnier@IRO.UMontreal.CA> writes:

>> If this variable is `medium' (which is the default), a number of
>> checks will be performed.  If the NSM determines that the network
>> connection might be unsafe, the user is made aware of this, and the NSM
>                       ^^^^^^
> I think this is not what we really mean: the connection itself is
> generally not dangerous.  Maybe "trustworthy" is closer.

Yes, that sounds better.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no
* Re: The Network Security Manager is now on the trunk
From: Robert Pluim @ 2014-11-24 18:19 UTC
To: emacs-devel

Lars Magne Ingebrigtsen <larsi@gnus.org> writes:

> `network-security-level' defaults to `low', though, so it will not
> actually be used, so there should currently be no impact on anybody,
> unless I made a boo-boo somewhere.

I tried to customize network-security-level, and failed.  I had to
launch gnus before I could do so.  I expected to be able to declare my
paranoia before I actually connected to anything....

Regards

Robert
* Re: The Network Security Manager is now on the trunk
From: Eli Zaretskii @ 2014-11-24 18:34 UTC
To: emacs-devel

> From: Robert Pluim <rpluim@gmail.com>
> Date: Mon, 24 Nov 2014 19:19:08 +0100
>
> Lars Magne Ingebrigtsen <larsi@gnus.org> writes:
>
> > `network-security-level' defaults to `low', though, so it will not
> > actually be used, so there should currently be no impact on anybody,
> > unless I made a boo-boo somewhere.
>
> I tried to customize network-security-level, and failed.  I had to
> launch gnus before I could do so.  I expected to be able to declare my
> paranoia before I actually connected to anything....

You need to "M-x load-library RET nsm RET", and then you can customize
it.

Lars, this variable needs to be auto-loaded, I think.

And why does the manual say the default is 'medium', but the truth is
that it's 'low'?
* Re: The Network Security Manager is now on the trunk
From: Glenn Morris @ 2014-11-24 18:55 UTC
To: Eli Zaretskii; +Cc: emacs-devel

Eli Zaretskii wrote:

>> I tried to customize network-security-level, and failed.  I had to
[...]
> You need to "M-x load-library RET nsm RET", and then you can customize
> it.
>
> Lars, this variable needs to be auto-loaded, I think.

As a general comment, auto-loading defcustoms just so people can
customize them in a vanilla Emacs is discouraged (IIRC).  (I know
nothing about this specific case.)

See eg https://lists.gnu.org/archive/html/help-gnu-emacs/2007-06/msg00360.html
* Re: The Network Security Manager is now on the trunk
From: Glenn Morris @ 2014-11-24 19:00 UTC
To: Eli Zaretskii; +Cc: emacs-devel

Glenn Morris wrote:

> https://lists.gnu.org/archive/html/help-gnu-emacs/2007-06/msg00360.html

Better reference:

http://lists.gnu.org/archive/html/emacs-devel/2010-01/msg01188.html

    Autoloading of some defcustoms should not be used just because some
    option is "important".  It should only be used when it's *necessary*
    for technical reasons.
* Re: The Network Security Manager is now on the trunk
From: Eli Zaretskii @ 2014-11-24 19:06 UTC
To: Glenn Morris; +Cc: emacs-devel

> From: Glenn Morris <rgm@gnu.org>
> Cc: emacs-devel@gnu.org
> Date: Mon, 24 Nov 2014 14:00:01 -0500
>
> Glenn Morris wrote:
>
> > https://lists.gnu.org/archive/html/help-gnu-emacs/2007-06/msg00360.html
>
> Better reference:
>
> http://lists.gnu.org/archive/html/emacs-devel/2010-01/msg01188.html
>
>     Autoloading of some defcustoms should not be used just because some
>     option is "important".  It should only be used when it's *necessary*
>     for technical reasons.

This one is.
* Re: The Network Security Manager is now on the trunk
From: Lars Magne Ingebrigtsen @ 2014-11-24 23:48 UTC
To: Eli Zaretskii; +Cc: emacs-devel

Eli Zaretskii <eliz@gnu.org> writes:

> You need to "M-x load-library RET nsm RET", and then you can customize
> it.
>
> Lars, this variable needs to be auto-loaded, I think.

Yeah...  Or I could move it to a file that's dumped with Emacs, perhaps?

> And why does the manual say the default is 'medium', but the truth is
> that it's 'low'?

It's going to default to `medium' in five days.  I wanted to get the
basic build problems addressed before switching it on.

-- 
(domestic pets only, the antidote for overdose, milk.)
bloggy blog: http://lars.ingebrigtsen.no