* A couple of questions and concerns about Emacs network security @ 2018-06-22 22:00 Jimmy Yuen Ho Wong 2018-06-22 22:43 ` Paul Eggert 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-22 22:00 UTC (permalink / raw) To: emacs-devel Hi everyone, I've been digging around Emacs' network security settings lately and I've noticed a couple of oddities. I was wondering what the reasos are and if there are any plans to improve them. For `--with-gnutls` builds using GnuTLS 3.5.18: 1. `gnutls-verify-error` is set to nil by default, so server certs aren't verified by default. 2. `gnutls-min-prime-bits` has been 256 by default since 2012, whereas a reasonable number should probably be 2048 in 2018. 3. `gnutls-algorithm-priority` is nil by default. All of this means there's zero network security OTTB for Emacs. After some experimentation, I've come up with the following settings that brings the balance of default security and compatibility to as good as I could: (setq gnutls-algorithm-priority "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:%PROFILE_MEDIUM" gnutls-min-prime-bits 2048 gnutl-verify-error t) However, this setting still fail the following tests rather alarmingly: (mapcar (lambda (host) (ignore-errors (url-retrieve-synchronously host))) '("https://revoked.badssl.com/" "https://pinning-test.badssl.com/" "https://invalid-expected-sct.badssl.com/")) ;; This should return a list of `'(nil nil nil)`, but doesn't. My questions are: 1. Can we update the default network security settings? 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't seem to be doing a very good job, can we link to something better maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS? Lastly, I notice there's this thing call `nsm.el` seemingly doing redundant checks if your TLS settings are reasonable, what's the history of it and why is it not obsolete when `tls.el` and `starttls.el` are? Thanks in advance, Jimmy Wong ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-22 22:00 A couple of questions and concerns about Emacs network security Jimmy Yuen Ho Wong @ 2018-06-22 22:43 ` Paul Eggert 2018-06-22 23:21 ` Lars Ingebrigtsen ` (2 more replies) 0 siblings, 3 replies; 221+ messages in thread From: Paul Eggert @ 2018-06-22 22:43 UTC (permalink / raw) To: Jimmy Yuen Ho Wong, emacs-devel; +Cc: Lars Magne Ingebrigtsen On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote: > 1. Can we update the default network security settings? Yes, I would think so, in the master branch. As you say, the current defaults are inappropriate for today's users. > 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't > seem to be doing a very good job, can we link to something better > maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS? I would think the answer to that could be "yes" too. Despite its name, GnuTLS is no longer GNU code, and we're under no obligation to promote it. However, this would take some work. We'd surely want the option to link to either GnuTLS or OpenSSL/etc. > there's this thing call `nsm.el` seemingly > doing redundant checks if your TLS settings are reasonable, what's the > history of it and why is it not obsolete when `tls.el` and `starttls.el` > are? Lars is the person to ask about that. I'll CC: him. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-22 22:43 ` Paul Eggert @ 2018-06-22 23:21 ` Lars Ingebrigtsen 2018-06-22 23:33 ` Lars Ingebrigtsen 2018-06-23 0:00 ` Paul Eggert 2018-06-23 2:17 ` Noam Postavsky 2018-06-23 6:45 ` Eli Zaretskii 2 siblings, 2 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-22 23:21 UTC (permalink / raw) To: Paul Eggert; +Cc: Jimmy Yuen Ho Wong, emacs-devel Paul Eggert <eggert@cs.ucla.edu> writes: > On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote: >> 1. Can we update the default network security settings? > > Yes, I would think so, in the master branch. As you say, the current > defaults are inappropriate for today's users. They are? In what way? >> there's this thing call `nsm.el` seemingly doing redundant checks if >> your TLS settings are reasonable, what's the history of it and why is >> it not obsolete when `tls.el` and `starttls.el` are? > > Lars is the person to ask about that. I'll CC: him. They are not redundant checks. Emacs lets network actions happen, and then passes the result to nsm.el, which is very similar to how all other applications do this stuff (Firefox etc). The Emacs Network Security Manager does the user interface job handling various classes of (insecure) network access classes. Are there places where it fails to do its job? You'd set `gnutls-verify-error' and friends only if you don't want to query the user for how to handle TLS-related problems, but fail immediately. But that's not a good default for an interactive application. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-22 23:21 ` Lars Ingebrigtsen @ 2018-06-22 23:33 ` Lars Ingebrigtsen 2018-06-23 1:35 ` Jimmy Yuen Ho Wong 2018-06-23 0:00 ` Paul Eggert 1 sibling, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-22 23:33 UTC (permalink / raw) To: Paul Eggert; +Cc: Jimmy Yuen Ho Wong, emacs-devel OK, I've now read the original email message, and there seems to be a fundamental misunderstanding. Network security management is done by nsm.el, not by the underlying libraries. The NSM provides, as the name implies, network security, and does stuff like certificate pinning and warns you if a STARTTLS connection has degraded to a non-TLS connection (which, of course, the gnutls.el functions can't do on its own). Perhaps the doc strings of gnutls.el should mention that the variables is provides are useful only if you don't use `open-network-stream' and call the low-level functions directly... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-22 23:33 ` Lars Ingebrigtsen @ 2018-06-23 1:35 ` Jimmy Yuen Ho Wong 2018-06-23 10:23 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-23 1:35 UTC (permalink / raw) To: Lars Ingebrigtsen, Paul Eggert; +Cc: emacs-devel On 23/06/2018 00:33, Lars Ingebrigtsen wrote: > OK, I've now read the original email message, and there seems to be a > fundamental misunderstanding. Ok I see why NSM was written now. It's basically works like browsers used to work before Snowden. However, while I think the intention was good, as there are some good checks in there, I think it still falls far short from ideal. NSM is heavily dependent on GnuTLS, and it's not particularly good at presenting NSM good peer status for NSM to do something about it. For example, leaving all `nsm` and `gnutls` settings at default, this is a list of URLs where NSM failed to ask me if I wanted to trust the cert. (mapcar (lambda (host) (ignore-errors (url-retrieve-synchronously host))) '("https://expired.badssl.com/" "https://wrong.host.badssl.com/" "https://self-signed.badssl.com/" "https://untrusted-root.badssl.com/" "https://revoked.badssl.com/" ;; fail, very concerning "https://pinning-test.badssl.com/" ;; fail, very concerning "https://sha1-intermediate.badssl.com/" ;; fail, very concerning "https://rc4-md5.badssl.com/" "https://rc4.badssl.com/" "https://3des.badssl.com/" ;; fail "https://null.badssl.com/" "https://mozilla-old.badssl.com/" ;; fail "https://dh480.badssl.com/" ;; fail "https://dh512.badssl.com/" ;; fail "https://dh-small-subgroup.badssl.com/" ;; fail "https://dh-composite.badssl.com/" ;; fail "https://invalid-expected-sct.badssl.com/" ;; fail, a bit concerning "https://subdomain.preloaded-hsts.badssl.com/" "https://superfish.badssl.com/" "https://edellroot.badssl.com/" "https://dsdtestprovider.badssl.com/" "https://preact-cli.badssl.com/" "https://webpack-dev-server.badssl.com/" "https://captive-portal.badssl.com/" "https://mitm-software.badssl.com/" "https://sha1-2017.badssl.com/")) If I set `network-security-level` to `'high`, only the dh480 and dh512 tests passed. At the very least, NSM should ask me for the 3 very concerning certs. Even if I set `gnutls-algorithm-priority` to `SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:%PROFILE_MEDIUM`, revoked and pinning are still failing. I don't see how you are going to get around that without reinventing CRL and HPKP in ELISP. > Perhaps the doc strings of gnutls.el should mention that the variables > is provides are useful only if you don't use `open-network-stream' and > call the low-level functions directly... Yes this is a very good idea. I don't think anybody on Reddit understands how to twiddle Emacs's network security knobs to make it do what it's supposed to do. Jimmy ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 1:35 ` Jimmy Yuen Ho Wong @ 2018-06-23 10:23 ` Lars Ingebrigtsen 2018-06-23 10:34 ` Lars Ingebrigtsen ` (2 more replies) 0 siblings, 3 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-23 10:23 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Paul Eggert, emacs-devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > NSM is heavily dependent on GnuTLS, and it's not particularly good at > presenting NSM good peer status for NSM to do something about it. For > example, leaving all `nsm` and `gnutls` settings at default, this is a > list of URLs where NSM failed to ask me if I wanted to trust the cert. > > "https://revoked.badssl.com/" ;; fail, very > concerning Yes, Emacs should support the Online Certificate Status Protocol; patches welcome... > "https://pinning-test.badssl.com/" ;; fail, very > concerning For those who don't know what this is: Some browsers now ship with built-in lists of certificate hashes, so if you're visiting that site and presented with a different than expected certificate, you'll know that somebody else has issued a certificate for the site, and somebody has hijacked the connection. Or, perhaps, that they just lost the private key and had to generate a new certificate and now, oops, everybody that uses the browsers with the built-in list will be unable to visit the site. If Emacs is to do the HPKP (HTTP Public Key Pinning) thing, we can't really do that in the Emacs distribution itself, since Emacs is released so seldom. It makes sense for Chrome, which has a new release every three days (it sometimes seems like), but Emacs could do this via ELPA, I think. Whether it's worth doing is another issue; I think the jury is still out on that one... HPKP is also a "trust on first use" thing, where there's a HTTP header that instructs the user agent to pin the certificate. Since the NSM already has public key pinning implemented, if we want to support this, I think it might make sense to implement this on the url.el level -- make it call out to the NSM and ask it to pin a certificate if it detects the header. > "https://sha1-intermediate.badssl.com/" ;; fail, very > concerning We discussed the sha1 authority thing last year and our conclusion was that we should move the sha1 check to `medium', and then I just forgot to do it. Sorry! I should have filed a bug report to remind myself... > "https://3des.badssl.com/" ;; fail > "https://mozilla-old.badssl.com/" ;; fail > "https://dh-small-subgroup.badssl.com/" ;; fail > "https://dh-composite.badssl.com/" ;; fail These are all types of crypto that are now considered to probably be easy to hack by state actors (and others with a beefy laptop, probably). When we discussed these previously, we wondered whether we should do more layering of how we present these issues beyond warn/don't warn. For instance, Firefox happily accepts 3des.badssl.com and gives no warning, but it's kinda weak. Should the NSM propagate this information up to the calling application and then it could do... something? For instance, eww will display "secure" content with a green title bar. Should eww remove that stamp of approval from weak sites, even if we don't warn the user about it? I think so. > "https://dh480.badssl.com/" ;; fail > "https://dh512.badssl.com/" ;; fail These ones should be warned about on the `medium' level, I think, because they're really weak. > "https://invalid-expected-sct.badssl.com/" ;; fail, a bit > concerning Oh, geez, another TLA. This one is Signed Certificate Timestamps (SCTs), and is something I didn't know existed. :-) Neither does Firefox, so I think we're on the same level here. > If I set `network-security-level` to `'high`, only the dh480 and dh512 > tests passed. Oh, there's no test for dh480 and dh512 at all? That should, indeed, be fixed. > I don't see how you are going to get around that without reinventing > CRL and HPKP in ELISP. HPKP is trivail to implement, I think? Especially in Lisp. The Certificate Revocation List and the pre-shipped HPKP thing is also easy to do; you just have to find a volunteer to update an ELPA package with the info... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 10:23 ` Lars Ingebrigtsen @ 2018-06-23 10:34 ` Lars Ingebrigtsen 2018-06-23 10:48 ` Jimmy Yuen Ho Wong 2018-07-05 13:33 ` Perry E. Metzger 2 siblings, 0 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-23 10:34 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: emacs-devel Lars Ingebrigtsen <larsi@gnus.org> writes: > We discussed the sha1 authority thing last year and our conclusion was > that we should move the sha1 check to `medium', and then I just forgot > to do it. Sorry! I should have filed a bug report to remind myself... And now I remember why I didn't: I meant to refactor the protocol checks in nsm.el so that they're more easily extensible and also allow the user more fine-grained control of what protocol issues they care about. Something like (defvar network-security-tls-problems '((low-diffie-hellman-prime-bits medium) (rc4 low) (dh-small-subgroup high))) or something, and then a separate function for each of these tests to avoid an ever-growing huge function with a `cond' in it, and also allow users to add their own tests. I'll bug report it to remind myself... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 10:23 ` Lars Ingebrigtsen 2018-06-23 10:34 ` Lars Ingebrigtsen @ 2018-06-23 10:48 ` Jimmy Yuen Ho Wong 2018-06-23 11:32 ` Lars Ingebrigtsen 2018-07-05 13:33 ` Perry E. Metzger 2 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-23 10:48 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Paul Eggert, emacs-devel [-- Attachment #1: Type: text/plain, Size: 5008 bytes --] There are more problems with NSM than just these tests. One other thing I can think of is, if I've set `gnutls-min-prime-bits` to 2048, and presented with a cert with 1536 bits, NSM does nothing for me. What I'm getting at is, it's all well and fine if you can fix these issues in LISP, but if you are going to implement a real network security layer anyway, might as well switch to an underlying library that'll do all these for you, both from a performance perspective, and the advantage of not having a emacs-speed cycle for security related issues. On Sat, Jun 23, 2018 at 11:23 AM, Lars Ingebrigtsen <larsi@gnus.org> wrote: > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > NSM is heavily dependent on GnuTLS, and it's not particularly good at > > presenting NSM good peer status for NSM to do something about it. For > > example, leaving all `nsm` and `gnutls` settings at default, this is a > > list of URLs where NSM failed to ask me if I wanted to trust the cert. > > > > "https://revoked.badssl.com/" ;; fail, very > > concerning > > Yes, Emacs should support the Online Certificate Status Protocol; > patches welcome... > > > "https://pinning-test.badssl.com/" ;; fail, very > > concerning > > For those who don't know what this is: Some browsers now ship with > built-in lists of certificate hashes, so if you're visiting that site > and presented with a different than expected certificate, you'll know > that somebody else has issued a certificate for the site, and somebody > has hijacked the connection. > > Or, perhaps, that they just lost the private key and had to generate a > new certificate and now, oops, everybody that uses the browsers with the > built-in list will be unable to visit the site. > > If Emacs is to do the HPKP (HTTP Public Key Pinning) thing, we can't > really do that in the Emacs distribution itself, since Emacs is released > so seldom. It makes sense for Chrome, which has a new release every > three days (it sometimes seems like), but Emacs could do this via ELPA, > I think. Whether it's worth doing is another issue; I think the jury is > still out on that one... > > HPKP is also a "trust on first use" thing, where there's a HTTP header > that instructs the user agent to pin the certificate. Since the NSM > already has public key pinning implemented, if we want to support this, > I think it might make sense to implement this on the url.el level -- > make it call out to the NSM and ask it to pin a certificate if it > detects the header. > > > "https://sha1-intermediate.badssl.com/" ;; fail, very > > concerning > > We discussed the sha1 authority thing last year and our conclusion was > that we should move the sha1 check to `medium', and then I just forgot > to do it. Sorry! I should have filed a bug report to remind myself... > > > "https://3des.badssl.com/" ;; fail > > "https://mozilla-old.badssl.com/" ;; fail > > "https://dh-small-subgroup.badssl.com/" ;; fail > > "https://dh-composite.badssl.com/" ;; fail > > These are all types of crypto that are now considered to probably be > easy to hack by state actors (and others with a beefy laptop, > probably). When we discussed these previously, we wondered whether we > should do more layering of how we present these issues beyond warn/don't > warn. > > For instance, Firefox happily accepts 3des.badssl.com and gives no > warning, but it's kinda weak. Should the NSM propagate this information > up to the calling application and then it could do... something? For > instance, eww will display "secure" content with a green title bar. > Should eww remove that stamp of approval from weak sites, even if we > don't warn the user about it? > > I think so. > > > "https://dh480.badssl.com/" ;; fail > > "https://dh512.badssl.com/" ;; fail > > These ones should be warned about on the `medium' level, I think, > because they're really weak. > > > "https://invalid-expected-sct.badssl.com/" ;; fail, a bit > > concerning > > Oh, geez, another TLA. This one is Signed Certificate Timestamps > (SCTs), and is something I didn't know existed. :-) Neither does > Firefox, so I think we're on the same level here. > > > If I set `network-security-level` to `'high`, only the dh480 and dh512 > > tests passed. > > Oh, there's no test for dh480 and dh512 at all? That should, indeed, be > fixed. > > > I don't see how you are going to get around that without reinventing > > CRL and HPKP in ELISP. > > HPKP is trivail to implement, I think? Especially in Lisp. > > The Certificate Revocation List and the pre-shipped HPKP thing is also > easy to do; you just have to find a volunteer to update an ELPA package > with the info... > > -- > (domestic pets only, the antidote for overdose, milk.) > bloggy blog: http://lars.ingebrigtsen.no > [-- Attachment #2: Type: text/html, Size: 7432 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 10:48 ` Jimmy Yuen Ho Wong @ 2018-06-23 11:32 ` Lars Ingebrigtsen 2018-06-23 11:55 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-23 11:32 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Paul Eggert, emacs-devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > There are more problems with NSM than just these tests. One other > thing I can think of is, if I've set `gnutls-min-prime-bits` to 2048, > and presented with a cert with 1536 bits, NSM does nothing for me. It's not supposed to -- the connection is stopped at the gnutls level. Which is why that variable defaults to 256, so that the NSM can handle the problem. > What I'm getting at is, it's all well and fine if you can fix these > issues in LISP, but if you are going to implement a real network > security layer anyway, might as well switch to an underlying library > that'll do all these for you, both from a performance perspective, and > the advantage of not having a emacs-speed cycle for security related > issues. No, these are user interface issues, and changing libraries does nothing to help with that. But instead of me re-arguing that case, you can just read https://lars.ingebrigtsen.no/2014/12/01/the-emacs-network-security-manager/ -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 11:32 ` Lars Ingebrigtsen @ 2018-06-23 11:55 ` Jimmy Yuen Ho Wong 2018-06-23 12:05 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-23 11:55 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Paul Eggert, emacs-devel [-- Attachment #1: Type: text/plain, Size: 1050 bytes --] On Sat, Jun 23, 2018 at 12:32 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote: > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > There are more problems with NSM than just these tests. One other > > thing I can think of is, if I've set `gnutls-min-prime-bits` to 2048, > > and presented with a cert with 1536 bits, NSM does nothing for me. > > It's not supposed to -- the connection is stopped at the gnutls level. > Which is why that variable defaults to 256, so that the NSM can handle > the problem. > How about moving the min-prime-bits knob over to NSM so it can warn instead of silently bypassing it by fiddling options directly related to GnuTLS? I also notice there's a `nsm-noninteractive` var, it's only used in 1 place so far. Can we defcustom it and sprinkle a check for this var strategically such that people who are using Emacs in a script can still do it without fiddling with the GnuTLS options? In fact, what if we merged all the NSM and GnuTLS options into NSM so various modules can rely on it as a central point of control? [-- Attachment #2: Type: text/html, Size: 1507 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 11:55 ` Jimmy Yuen Ho Wong @ 2018-06-23 12:05 ` Lars Ingebrigtsen 2018-06-23 12:13 ` Eli Zaretskii 2018-06-23 12:45 ` Jimmy Yuen Ho Wong 0 siblings, 2 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-23 12:05 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Paul Eggert, emacs-devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > It's not supposed to -- the connection is stopped at the gnutls level. > Which is why that variable defaults to 256, so that the NSM can handle > the problem. > > How about moving the min-prime-bits knob over to NSM so it can warn > instead of silently bypassing it by fiddling options directly related > to GnuTLS? The NSM does warn about this. Unless you've fiddled with the options, which you've chosen to do yourself. The low-level variables doc strings should mention that you're not supposed to fiddle with them unless you have very specific needs and point you to the NSM instead. > I also notice there's a `nsm-noninteractive` var, it's only used in 1 > place so far. Can we defcustom it and sprinkle a check for this var > strategically such that people who are using Emacs in a script can > still do it without fiddling with the GnuTLS options? In fact, what if > we merged all the NSM and GnuTLS options into NSM so various modules > can rely on it as a central point of control? Well... The low-level variables (which probably shouldn't be defcustoms) are useful in some scenarios. If you're writing an application that needs very specific connection parameters, you have to be able to pass them in to the library. let-binding them provides that flexibility. I don't think `nsm-noninteractive' should be a defcustom, but perhaps there should be a `quit' value to `network-security-level' that just aborts on any network strangeness without querying the user. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 12:05 ` Lars Ingebrigtsen @ 2018-06-23 12:13 ` Eli Zaretskii 2018-06-23 12:15 ` Lars Ingebrigtsen 2018-06-23 12:45 ` Jimmy Yuen Ho Wong 1 sibling, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-06-23 12:13 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: eggert, wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Date: Sat, 23 Jun 2018 14:05:29 +0200 > Cc: Paul Eggert <eggert@cs.ucla.edu>, emacs-devel@gnu.org > > The low-level variables doc strings should mention that you're not > supposed to fiddle with them unless you have very specific needs and > point you to the NSM instead. I'd like us to make that change on the emacs-26 branch ASAP. Can you point me to those variables, or tell how I decide which ones should have this note, and also suggest the wording for the reference to NSM? (Alternatively, feel free to do this yourself ;-) Thanks. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 12:13 ` Eli Zaretskii @ 2018-06-23 12:15 ` Lars Ingebrigtsen 2018-06-23 12:26 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-23 12:15 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, wyuenho, emacs-devel Eli Zaretskii <eliz@gnu.org> writes: > I'd like us to make that change on the emacs-26 branch ASAP. Can you > point me to those variables, or tell how I decide which ones should > have this note, and also suggest the wording for the reference to NSM? > (Alternatively, feel free to do this yourself ;-) I'll try to get around to doing the doc fixes on the emacs-26 branch tomorrow, which I hope is sufficiently ASAP. :-) -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 12:15 ` Lars Ingebrigtsen @ 2018-06-23 12:26 ` Eli Zaretskii 2018-07-07 9:57 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-06-23 12:26 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: eggert, wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: wyuenho@gmail.com, eggert@cs.ucla.edu, emacs-devel@gnu.org > Date: Sat, 23 Jun 2018 14:15:32 +0200 > > Eli Zaretskii <eliz@gnu.org> writes: > > > I'd like us to make that change on the emacs-26 branch ASAP. Can you > > point me to those variables, or tell how I decide which ones should > > have this note, and also suggest the wording for the reference to NSM? > > (Alternatively, feel free to do this yourself ;-) > > I'll try to get around to doing the doc fixes on the emacs-26 branch > tomorrow, which I hope is sufficiently ASAP. :-) It definitely is, TIA. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 12:26 ` Eli Zaretskii @ 2018-07-07 9:57 ` Eli Zaretskii 2018-07-08 14:01 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 9:57 UTC (permalink / raw) To: larsi; +Cc: eggert, wyuenho, emacs-devel > Date: Sat, 23 Jun 2018 15:26:56 +0300 > From: Eli Zaretskii <eliz@gnu.org> > Cc: eggert@cs.ucla.edu, wyuenho@gmail.com, emacs-devel@gnu.org > > > From: Lars Ingebrigtsen <larsi@gnus.org> > > Cc: wyuenho@gmail.com, eggert@cs.ucla.edu, emacs-devel@gnu.org > > Date: Sat, 23 Jun 2018 14:15:32 +0200 > > > > Eli Zaretskii <eliz@gnu.org> writes: > > > > > I'd like us to make that change on the emacs-26 branch ASAP. Can you > > > point me to those variables, or tell how I decide which ones should > > > have this note, and also suggest the wording for the reference to NSM? > > > (Alternatively, feel free to do this yourself ;-) > > > > I'll try to get around to doing the doc fixes on the emacs-26 branch > > tomorrow, which I hope is sufficiently ASAP. :-) > > It definitely is, TIA. Lars, looks like "tomorrow" never happened? Is there any ETA? My offer to help with this still stands, provided that you point me to the right variables. Thanks. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 9:57 ` Eli Zaretskii @ 2018-07-08 14:01 ` Lars Ingebrigtsen 2018-07-08 14:53 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 14:01 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, wyuenho, emacs-devel Eli Zaretskii <eliz@gnu.org> writes: >> > > I'd like us to make that change on the emacs-26 branch ASAP. Can you >> > > point me to those variables, or tell how I decide which ones should >> > > have this note, and also suggest the wording for the reference to NSM? >> > > (Alternatively, feel free to do this yourself ;-) >> > >> > I'll try to get around to doing the doc fixes on the emacs-26 branch >> > tomorrow, which I hope is sufficiently ASAP. :-) >> >> It definitely is, TIA. > > Lars, looks like "tomorrow" never happened? Is there any ETA? My > offer to help with this still stands, provided that you point me to > the right variables. I thought I did them? Did I forget to push them? Let's see.. Gah! I did. I've now pushed the doc fixes to the emacs-26 branch. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:01 ` Lars Ingebrigtsen @ 2018-07-08 14:53 ` Eli Zaretskii 2018-07-08 15:06 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 14:53 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: eggert, wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: eggert@cs.ucla.edu, wyuenho@gmail.com, emacs-devel@gnu.org > Date: Sun, 08 Jul 2018 16:01:57 +0200 > > > Lars, looks like "tomorrow" never happened? Is there any ETA? My > > offer to help with this still stands, provided that you point me to > > the right variables. > > I thought I did them? Did I forget to push them? Let's see.. > > Gah! I did. I've now pushed the doc fixes to the emacs-26 branch. Thanks. This bit confuses me: +This variable can be useful for modifying low-level TLS +connection parameters (for instance if you need to connect to a +host that only accepts a specific algorithm), but general Emacs +network security is handled by the Network Security Manager. The "but" part confuses me: did you mean "however", perhaps? That is, did you mean to say that the default is nil so that the NSM could do its job under user control? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:53 ` Eli Zaretskii @ 2018-07-08 15:06 ` Lars Ingebrigtsen 2018-07-08 15:23 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 15:06 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, wyuenho, emacs-devel Eli Zaretskii <eliz@gnu.org> writes: > This bit confuses me: > > +This variable can be useful for modifying low-level TLS > +connection parameters (for instance if you need to connect to a > +host that only accepts a specific algorithm), but general Emacs > +network security is handled by the Network Security Manager. > > The "but" part confuses me: did you mean "however", perhaps? That is, > did you mean to say that the default is nil so that the NSM could do > its job under user control? Yup. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 15:06 ` Lars Ingebrigtsen @ 2018-07-08 15:23 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 15:23 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: eggert, wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: eggert@cs.ucla.edu, wyuenho@gmail.com, emacs-devel@gnu.org > Date: Sun, 08 Jul 2018 17:06:29 +0200 > > > +This variable can be useful for modifying low-level TLS > > +connection parameters (for instance if you need to connect to a > > +host that only accepts a specific algorithm), but general Emacs > > +network security is handled by the Network Security Manager. > > > > The "but" part confuses me: did you mean "however", perhaps? That is, > > did you mean to say that the default is nil so that the NSM could do > > its job under user control? > > Yup. OK, I clarified that. Thanks. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 12:05 ` Lars Ingebrigtsen 2018-06-23 12:13 ` Eli Zaretskii @ 2018-06-23 12:45 ` Jimmy Yuen Ho Wong 2018-06-24 12:53 ` Lars Ingebrigtsen 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-23 12:45 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Paul Eggert, emacs-devel [-- Attachment #1: Type: text/plain, Size: 2658 bytes --] On Sat, Jun 23, 2018 at 1:05 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote: > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > It's not supposed to -- the connection is stopped at the gnutls level. > > Which is why that variable defaults to 256, so that the NSM can handle > > the problem. > > > > How about moving the min-prime-bits knob over to NSM so it can warn > > instead of silently bypassing it by fiddling options directly related > > to GnuTLS? > > The NSM does warn about this. Unless you've fiddled with the options, > which you've chosen to do yourself. > > The low-level variables doc strings should mention that you're not > supposed to fiddle with them unless you have very specific needs and > point you to the NSM instead. > Let me spell this out clearer: Currently `network-security-level` 'high and above *only* checks for the case with prime bits < 1024. I can't fine tune the specific checks (very much necessary given Emacs' release cycle) in `network-security-level` to something like: (setq gnutls-algorithm-priority "SECURE192:+SECURE128:-VERS-AL L:+VERS-TLS1.2:%PROFILE_MEDIUM" gnutls-min-prime-bits 2048) **AND** have NSM warn me if I'm presented a 3DES cert or a cert with a DH prime between 1024 and 2048. What I'm proposing is, very similar to what you think should happen, but even straighter, and unified in terms of the UX - Emacs should talk to GnuTLS the C lib using as low a setting as reasonable, so you can do the checks in NSM, checks such as does the cypher or MAC in this cert satisfy the GnuTLS priority string? Did DH exchange use a lower than specified prime bits? > I don't think `nsm-noninteractive' should be a defcustom, but perhaps > there should be a `quit' value to `network-security-level' that just > aborts on any network strangeness without querying the user. > > -- > (domestic pets only, the antidote for overdose, milk.) > bloggy blog: http://lars.ingebrigtsen.no > We can keep the current behavior of silencing NSM by `(setq gnutls-verify-error t)`, but rename it to `nsm-noninteractive` or something like that. By unifying NSM and GnuTLS knobs, in interactive sessions, we can still ask the user whether he should trust the cert if it violates the user's preference, because as you say, "only the user can really say whether visiting a web site that has a problematic certificate is justified or not.". In non-interactive sessions, whatever `gnutls-verify-error` becomes controls it all. I'm probably bikeshedding here a bit, but I think having better named variables and intuitive OTTB behavior is vastly better than documentation. I hope you don't mind. [-- Attachment #2: Type: text/html, Size: 4194 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 12:45 ` Jimmy Yuen Ho Wong @ 2018-06-24 12:53 ` Lars Ingebrigtsen 0 siblings, 0 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-24 12:53 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Paul Eggert, emacs-devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > Currently `network-security-level` 'high and above *only* checks for the case > with prime bits < 1024. I can't fine tune the specific checks (very much > necessary given Emacs' release cycle) in `network-security-level` to > something like: > > (setq gnutls-algorithm-priority > "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:%PROFILE_MEDIUM" > gnutls-min-prime-bits 2048) > > **AND** have NSM warn me if I'm presented a 3DES cert or a cert with a DH > prime between 1024 and 2048. Like I said in a different email, I'll be rewriting the checks to allow the user to add as fine-grained checks they want to the NSM via something like: (defvar network-security-tls-problems '((low-diffie-hellman-prime-bits medium) (rc4 low) (dh-small-subgroup high))) But you'd leave the gnutls variables alone. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 10:23 ` Lars Ingebrigtsen 2018-06-23 10:34 ` Lars Ingebrigtsen 2018-06-23 10:48 ` Jimmy Yuen Ho Wong @ 2018-07-05 13:33 ` Perry E. Metzger 2018-07-05 13:49 ` Eli Zaretskii ` (2 more replies) 2 siblings, 3 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 13:33 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Paul Eggert, Jimmy Yuen Ho Wong, emacs-devel Old thread, but I thought I'd reply on it. On Sat, 23 Jun 2018 12:23:31 +0200 Lars Ingebrigtsen <larsi@gnus.org> wrote: > For those who don't know what this is: Some browsers now ship with > built-in lists of certificate hashes, so if you're visiting that > site and presented with a different than expected certificate, > you'll know that somebody else has issued a certificate for the > site, and somebody has hijacked the connection. > > Or, perhaps, that they just lost the private key and had to > generate a new certificate and now, oops, everybody that uses the > browsers with the built-in list will be unable to visit the site. What you depict there never happens. People don't lose keys in such circumstances. Pinning is what is done by sites like gmail to prevent third world dictatorships from using stolen certificate credentials to spy on their citizens. People who have been victims of this have had their email read, been arrested by state security forces for dissent, and have been tortured to death for lack of certificate pinning working in their browsers. This is a matter of life and death for many people. > do this via ELPA, I think. Whether it's worth doing is another > issue; I think the jury is still out on that one... Do you think it's worth keeping people from quite literally being tortured to death? For most of the secure HTTP stuff we've been discussing, I would far rather be inconvenienced here and there than know my slight extra convenience was being paid for in human blood. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 13:33 ` Perry E. Metzger @ 2018-07-05 13:49 ` Eli Zaretskii 2018-07-05 15:29 ` Perry E. Metzger 2018-07-05 13:50 ` Jimmy Yuen Ho Wong 2018-07-05 22:44 ` Richard Stallman 2 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-05 13:49 UTC (permalink / raw) To: Perry E. Metzger; +Cc: larsi, eggert, wyuenho, emacs-devel > Date: Thu, 5 Jul 2018 09:33:46 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: Paul Eggert <eggert@cs.ucla.edu>, Jimmy Yuen Ho Wong <wyuenho@gmail.com>, > emacs-devel@gnu.org > > Pinning is what is done by sites like gmail to prevent third world > dictatorships from using stolen certificate credentials to spy on > their citizens. People who have been victims of this have had their > email read, been arrested by state security forces for dissent, and > have been tortured to death for lack of certificate pinning working > in their browsers. > > This is a matter of life and death for many people. > > > do this via ELPA, I think. Whether it's worth doing is another > > issue; I think the jury is still out on that one... > > Do you think it's worth keeping people from quite literally being > tortured to death? > > For most of the secure HTTP stuff we've been discussing, I would far > rather be inconvenienced here and there than know my slight extra > convenience was being paid for in human blood. It isn't the Emacs way to second-guess our users' needs, definitely not to decide for them what is and what isn't a matter of life and death for them. We provide options with some reasonable defaults, and then let users make informed decisions which defaults are not good enough for them. It is IMO unreasonable to make our defaults match what happens in dictatorships that you describe, because that would unnecessarily inconvenience the majority of the users. Let's not follow the bad example of the TSA (whose rationale is, unsurprisingly, also matters of life and death). ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 13:49 ` Eli Zaretskii @ 2018-07-05 15:29 ` Perry E. Metzger 2018-07-05 18:55 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 15:29 UTC (permalink / raw) To: Eli Zaretskii; +Cc: larsi, eggert, wyuenho, rms, emacs-devel On Thu, 05 Jul 2018 16:49:30 +0300 Eli Zaretskii <eliz@gnu.org> wrote: > > Date: Thu, 5 Jul 2018 09:33:46 -0400 > > From: "Perry E. Metzger" <perry@piermont.com> > > Cc: Paul Eggert <eggert@cs.ucla.edu>, Jimmy Yuen Ho Wong > > <wyuenho@gmail.com>, emacs-devel@gnu.org > > > > Pinning is what is done by sites like gmail to prevent third world > > dictatorships from using stolen certificate credentials to spy on > > their citizens. People who have been victims of this have had > > their email read, been arrested by state security forces for > > dissent, and have been tortured to death for lack of certificate > > pinning working in their browsers. > > > > This is a matter of life and death for many people. > > > > > do this via ELPA, I think. Whether it's worth doing is another > > > issue; I think the jury is still out on that one... > > > > Do you think it's worth keeping people from quite literally being > > tortured to death? > > > > For most of the secure HTTP stuff we've been discussing, I would > > far rather be inconvenienced here and there than know my slight > > extra convenience was being paid for in human blood. > > It isn't the Emacs way to second-guess our users' needs, Most users do not know or understand anything about setting security, so defaults have to do the right thing. > definitely > not to decide for them what is and what isn't a matter of life and > death for them. Most users depend on software vendors to set the correct amount of security. They have no understanding of the protocols in use and it is unreasonable to ask them to make such decisions by default. I'm dead serious in saying if you do not obey the standards for how browsers are supposed to behave, you might quite literally kill someone. People have died this way. Do you want me to start posting names and incidents? You want descriptions of dissidents having their genitals electrocuted and being locked upright in freezing cold rooms, I'll happily start linking to Amnesty International reports for you. Many countries now use the internet as an instrument of control and oppression. We should not be making their job easier. If people want to remove security on their own, that's their business, but providing defaults that are not even as secure as what Chrome or Firefox does is totally irresponsible. > We provide options with some reasonable defaults, > and then let users make informed decisions which defaults are not > good enough for them. > > It is IMO unreasonable to make our defaults match what happens in > dictatorships that you describe, You do not understand the issue and are thus incompetent to make a decision on this. Certificate pinning has nothing to do with defaults that are set only for such countries. It is a general mechanism deployed in any browser you can download today, and was created to prevent people using browsers who cannot trust their network -- which is to say, all users -- from having untrustworthy certificates substituted in by malign actors who intend to man-in-the-middle attack TLS connections. Various web sites, like gmail, have deliberately requested pinning of certs used with their sites to prevent this from happening, and it is not our place to second-guess their security policies. Do you really want me to describe some of the things that have happened to people who have had their communications intercepted because software developers were irresponsible? You can find pretty graphic descriptions online. > because that would unnecessarily > inconvenience the majority of the users. Certificate pinning is used by Chrome, Firefox, Safari and all other browsers. Do you think they inconvenience their users? Have you ever even gotten a single false error from this? No you haven't. I assure you that the people setting the standards for such things spend a lot of time making sure that it is invisible to their users. If a site demands pinning, you should accept that they have made this decision for good reasons. > Let's not follow the bad > example of the TSA (whose rationale is, unsurprisingly, also matters > of life and death). Your metaphor is completely inaccurate. The TSA misses something over 95% of weapons in adversarial tests for example. Security professionals have set standards in bodies like the IETF for how browsers should behave by default. If you want to allow consenting adults to turn off such defenses that's one thing, but the default should be to provide security to the users. Richard has a blurb in every one of his emails because state security actors are of that much concern to him, and you honestly propose ignoring the need to protect users from network based attacks? Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:29 ` Perry E. Metzger @ 2018-07-05 18:55 ` Eli Zaretskii 2018-07-05 19:26 ` Paul Eggert 2018-07-05 20:45 ` Perry E. Metzger 0 siblings, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-05 18:55 UTC (permalink / raw) To: Perry E. Metzger; +Cc: larsi, eggert, wyuenho, rms, emacs-devel > Date: Thu, 5 Jul 2018 11:29:20 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: larsi@gnus.org, eggert@cs.ucla.edu, wyuenho@gmail.com, > emacs-devel@gnu.org, rms@gnu.org > > > It isn't the Emacs way to second-guess our users' needs, > > Most users do not know or understand anything about setting > security, so defaults have to do the right thing. > [...] > > definitely > > not to decide for them what is and what isn't a matter of life and > > death for them. > > Most users depend on software vendors to set the correct amount of > security. > [...] > They have no understanding of the protocols in use and it > is unreasonable to ask them to make such decisions by default. Emacs always gives users who do understand the freedom to make their choices. Paternalism is not our way. Where something needs to be explained, we document it in a way that gives the users enough information to make up their minds. We don't decide for them, because such decisions will never be good enough. > I'm dead serious in saying if you do not obey the standards for how > browsers are supposed to behave, you might quite literally kill > someone. People have died this way. Do you want me to start posting > names and incidents? You want descriptions of dissidents having their > genitals electrocuted and being locked upright in freezing cold > rooms, I'll happily start linking to Amnesty International reports > for you. > > Many countries now use the internet as an instrument of control and > oppression. We should not be making their job easier. People die on the roads every day, but restricting free movement due to that somehow doesn't sound right to me. > If people want to remove security on their own, that's their business, > but providing defaults that are not even as secure as what Chrome or > Firefox does is totally irresponsible. Emacs is not a Web browser, we have different priorities. So the solutions need not be the same. Blindly copying from browsers is not a good way of dealing with these issues. We need to carefully analyze the potential risks and the preventive measures, and decide what makes sense as the defaults. (And Firefox's defaults are sometimes quite annoying, I turn some of them off for that very reason.) > > It is IMO unreasonable to make our defaults match what happens in > > dictatorships that you describe, > > You do not understand the issue and are thus incompetent to make a > decision on this. Please drop the attitude if you want me to take you seriously. You don't know the first thing about me to talk like this. If anything, my familiarity with real dictatorships is much closer and firsthand than from reading Amnesty International reports. If you want to convince, explain, do not try to scare and suppress. > Do you really want me to describe some of the things that have > happened to people who have had their communications intercepted > because software developers were irresponsible? You can find pretty > graphic descriptions online. Yes, and 9/11 was also pretty scary and detrimental to health. But TSA is not the solution, even if it were more effective than it is. > you honestly propose ignoring the need to protect users from network > based attacks? I said nothing of the kind. I said that we need to have "the right amount" of security, that's all. Dumping all the possible protection methods on users without careful analysis of what is more and less important is a bad starting point. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 18:55 ` Eli Zaretskii @ 2018-07-05 19:26 ` Paul Eggert 2018-07-05 19:35 ` Eli Zaretskii 2018-07-05 20:46 ` Perry E. Metzger 2018-07-05 20:45 ` Perry E. Metzger 1 sibling, 2 replies; 221+ messages in thread From: Paul Eggert @ 2018-07-05 19:26 UTC (permalink / raw) To: Eli Zaretskii, Perry E. Metzger; +Cc: larsi, wyuenho, rms, emacs-devel Eli Zaretskii wrote: > Emacs is not a Web browser, we have different priorities. So the > solutions need not be the same. Quite true. However, when Emacs is used to browse the web there's a powerful argument to model its security practices on those of other web browsers. A lot of practical experience has gone into the Firefox and Chrome security models, and it would be much, much more efficient for us Emacs developers to reuse those wheels instead of reinventing them. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 19:26 ` Paul Eggert @ 2018-07-05 19:35 ` Eli Zaretskii 2018-07-05 20:01 ` Eli Zaretskii 2018-07-06 17:03 ` Paul Eggert 2018-07-05 20:46 ` Perry E. Metzger 1 sibling, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-05 19:35 UTC (permalink / raw) To: Paul Eggert; +Cc: larsi, emacs-devel, wyuenho, rms, perry > From: Paul Eggert <eggert@cs.ucla.edu> > Date: Thu, 5 Jul 2018 12:26:47 -0700 > Cc: larsi@gnus.org, wyuenho@gmail.com, rms@gnu.org, emacs-devel@gnu.org > > Eli Zaretskii wrote: > > Emacs is not a Web browser, we have different priorities. So the > > solutions need not be the same. > > Quite true. However, when Emacs is used to browse the web there's a powerful > argument to model its security practices on those of other web browsers. I agree, but even there we should not blindly copy every technique the browsers use. More importantly, Web browsing is a niche application in Emacs, while NSM is about all kinds of network connections, not just those created on behalf of EWW. > A lot of practical experience has gone into the Firefox and Chrome > security models, and it would be much, much more efficient for us > Emacs developers to reuse those wheels instead of reinventing them. We reuse most of them anyway, because we use the same security-related libraries. And finally, I think the suggestions were use what then browsers do and then add to that what they don't do. This means we don't follow the browsers, but instead make our own decisions what should and shouldn't be done, so in that case what Firefox etc. do is less important. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 19:35 ` Eli Zaretskii @ 2018-07-05 20:01 ` Eli Zaretskii 2018-07-06 17:03 ` Paul Eggert 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-05 20:01 UTC (permalink / raw) To: eggert; +Cc: larsi, perry, wyuenho, rms, emacs-devel > Date: Thu, 05 Jul 2018 22:35:24 +0300 > From: Eli Zaretskii <eliz@gnu.org> > Cc: larsi@gnus.org, emacs-devel@gnu.org, wyuenho@gmail.com, rms@gnu.org, > perry@piermont.com > > And finally, I think the suggestions were use what then browsers do > and then add to that what they don't do. Sorry, that went out in a confusing way. What I meant to say is this: I think the suggestions were to use what the browsers do and then add to that what they don't do. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 19:35 ` Eli Zaretskii 2018-07-05 20:01 ` Eli Zaretskii @ 2018-07-06 17:03 ` Paul Eggert 2018-07-06 17:36 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Paul Eggert @ 2018-07-06 17:03 UTC (permalink / raw) To: Eli Zaretskii; +Cc: larsi, emacs-devel, wyuenho, rms, perry Eli Zaretskii wrote: >> From: Paul Eggert <eggert@cs.ucla.edu> > Web browsing is a niche application in Emacs, while > NSM is about all kinds of network connections, not just those created > on behalf of EWW. Absolutely. Emacs has a more-general security problem than Firefox does. However, when Emacs is used to browse the web, Firefox is a good model for what Emacs's default security should be. We should not waste our time (and our users' security and/or time) reinventing that wheel, nor should we be excessively cautious about improving Emacs's default web-browsing security to be something more like Firefox circa 2018 instead of like Netscape Navigator circa 1998 (I exaggerate for the purposes of conversation :-). ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 17:03 ` Paul Eggert @ 2018-07-06 17:36 ` Eli Zaretskii 2018-07-06 18:15 ` Paul Eggert 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 17:36 UTC (permalink / raw) To: Paul Eggert; +Cc: larsi, emacs-devel, wyuenho, rms, perry > Cc: perry@piermont.com, larsi@gnus.org, wyuenho@gmail.com, rms@gnu.org, > emacs-devel@gnu.org > From: Paul Eggert <eggert@cs.ucla.edu> > Date: Fri, 6 Jul 2018 10:03:27 -0700 > > Eli Zaretskii wrote: > >> From: Paul Eggert <eggert@cs.ucla.edu> > > > Web browsing is a niche application in Emacs, while > > NSM is about all kinds of network connections, not just those created > > on behalf of EWW. > > Absolutely. Emacs has a more-general security problem than Firefox does. > > However, when Emacs is used to browse the web, Firefox is a good model for what > Emacs's default security should be. Once again, this discussion is about the NSM, not about EWW. NSM is used for every net connection, not just those on behalf of EWW. If you are arguing that NSM should apply different settings to EWW connections and to the other kind, then this is a separate issue. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 17:36 ` Eli Zaretskii @ 2018-07-06 18:15 ` Paul Eggert 2018-07-07 7:04 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Paul Eggert @ 2018-07-06 18:15 UTC (permalink / raw) To: Eli Zaretskii; +Cc: larsi, emacs-devel, wyuenho, rms, perry Eli Zaretskii wrote: > this discussion is about the NSM, not about EWW. NSM is > used for every net connection, not just those on behalf of EWW. If > you are arguing that NSM should apply different settings to EWW > connections and to the other kind, then this is a separate issue. I'm not arguing that, no. All I'm saying is that the EWW defaults should be similar to what Firefox and the other browsers use; that's just common sense. If there are good reasons for the NSM to use different default settings for non-EWW connections, then of course the NSM should do that. Inertia is not a good reason here, though, as attacks are now more sophisticated and settings defaults that were OK years ago are not OK now. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 18:15 ` Paul Eggert @ 2018-07-07 7:04 ` Eli Zaretskii 2018-07-07 10:30 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 7:04 UTC (permalink / raw) To: Paul Eggert; +Cc: larsi, emacs-devel, wyuenho, rms, perry > Cc: perry@piermont.com, larsi@gnus.org, wyuenho@gmail.com, rms@gnu.org, > emacs-devel@gnu.org > From: Paul Eggert <eggert@cs.ucla.edu> > Date: Fri, 6 Jul 2018 11:15:13 -0700 > > All I'm saying is that the EWW defaults should be > similar to what Firefox and the other browsers use; that's just common sense. We agree on that (provided that those browsers don't do something that is known to be silly). > If there are good reasons for the NSM to use different default > settings for non-EWW connections, then of course the NSM should do > that. That's exactly the essence of the discussion. In any case, the current baseline seems to be that we do quite a lot more than the browsers, AFAIU. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 7:04 ` Eli Zaretskii @ 2018-07-07 10:30 ` Jimmy Yuen Ho Wong 2018-07-07 11:35 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 10:30 UTC (permalink / raw) To: Eli Zaretskii Cc: Lars Ingebrigtsen, Paul Eggert, Emacs-Devel devel, rms, Perry E. Metzger On Sat, Jul 7, 2018 at 8:04 AM, Eli Zaretskii <eliz@gnu.org> wrote: >> Cc: perry@piermont.com, larsi@gnus.org, wyuenho@gmail.com, rms@gnu.org, >> emacs-devel@gnu.org >> From: Paul Eggert <eggert@cs.ucla.edu> >> Date: Fri, 6 Jul 2018 11:15:13 -0700 >> >> All I'm saying is that the EWW defaults should be >> similar to what Firefox and the other browsers use; that's just common sense. > > We agree on that (provided that those browsers don't do something that > is known to be silly). > >> If there are good reasons for the NSM to use different default >> settings for non-EWW connections, then of course the NSM should do >> that. > > That's exactly the essence of the discussion. In any case, the > current baseline seems to be that we do quite a lot more than the > browsers, AFAIU. I keep hearing we are doing more than the browsers, but that's not straightly comparible. For the 10 low checks for example, I check for TLS 1.0 in the protocol version check, browsers haven't disabled them but Mozilla's Telemetry shows that at least on Firefox, TLS 1.0 only count of 0.02% of all successful TLS handshakes. I've included it only because PCI DSS has deprecate it back in 2016, and the deadline for that has just passed on June 30th, 2018. Not that we care about PCI compliance, but might as well since TLS 1.0 has effectively been neutered by the other checks. For the rest of the low level checks other than the cert checks, browsers have removed all the features or implemented the RFCs to mitigate the issues, but we still support older version of GnuTLS, checks for things like RC4 and TLS compression are necessary. (Speaking of which, I've put in the GnuTLS version numbers in the docstrings where these checks are applicable to). Similarly, so are the checks for medium and 3 out of 4 of the high level checks. There's an extra CBC check on the high level that's not dealt with by browsers because of compatibility concerns. I throw it in because CBC mode ciphers are known to be problematic due to padding oracles. This hole has been plugged by the encrypt-then-MAC TLS extension (RFC 7366), so the 2 CBC checks are only done when encrypt-then-MAC is not enabled after the handshake. Basically, all of the checks are tailors to Emacs' multiple network security levels and GnuTLS version changes. They take inspirations from browsers but they are not a direct copy. We don't ever restrict what the users do, if they want to enable RC4, they can still do it by adjusting `gnutls-algorithm-priority`, we just warn them when that happens. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 10:30 ` Jimmy Yuen Ho Wong @ 2018-07-07 11:35 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 11:35 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, emacs-devel, rms, perry > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sat, 7 Jul 2018 11:30:54 +0100 > Cc: Paul Eggert <eggert@cs.ucla.edu>, "Perry E. Metzger" <perry@piermont.com>, > Lars Ingebrigtsen <larsi@gnus.org>, rms@gnu.org, Emacs-Devel devel <emacs-devel@gnu.org> > > I keep hearing we are doing more than the browsers, but that's not > straightly comparible. > [...] > Basically, all of the checks are tailors to Emacs' multiple network > security levels and GnuTLS version changes. They take inspirations > from browsers but they are not a direct copy. That's what I meant, thanks for expressing that more accurately, and sorry for any potential confusion I could cause with my inaccurate wording. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 19:26 ` Paul Eggert 2018-07-05 19:35 ` Eli Zaretskii @ 2018-07-05 20:46 ` Perry E. Metzger 1 sibling, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 20:46 UTC (permalink / raw) To: Paul Eggert; +Cc: Eli Zaretskii, emacs-devel, larsi, rms, wyuenho On Thu, 5 Jul 2018 12:26:47 -0700 Paul Eggert <eggert@cs.ucla.edu> wrote: > Eli Zaretskii wrote: > > Emacs is not a Web browser, we have different priorities. So the > > solutions need not be the same. > > Quite true. However, when Emacs is used to browse the web there's a > powerful argument to model its security practices on those of other > web browsers. A lot of practical experience has gone into the > Firefox and Chrome security models, and it would be much, much more > efficient for us Emacs developers to reuse those wheels instead of > reinventing them. Exactly. -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 18:55 ` Eli Zaretskii 2018-07-05 19:26 ` Paul Eggert @ 2018-07-05 20:45 ` Perry E. Metzger 2018-07-06 6:29 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 20:45 UTC (permalink / raw) To: Eli Zaretskii; +Cc: larsi, eggert, wyuenho, rms, emacs-devel On Thu, 05 Jul 2018 21:55:04 +0300 Eli Zaretskii <eliz@gnu.org> wrote: > > I'm dead serious in saying if you do not obey the standards for > > how browsers are supposed to behave, you might quite literally > > kill someone. People have died this way. Do you want me to start > > posting names and incidents? You want descriptions of dissidents > > having their genitals electrocuted and being locked upright in > > freezing cold rooms, I'll happily start linking to Amnesty > > International reports for you. > > > > Many countries now use the internet as an instrument of control > > and oppression. We should not be making their job easier. > > People die on the roads every day, but restricting free movement due > to that somehow doesn't sound right to me. No one's freedom is restricted by providing sane default security in anything that can be used as a browser. You're not removing the ability of users to reconfigure things any way they want. They can turn off the security any time they want. However, by setting sane defaults, you're making things work reasonably so that, for example, thugs cannot intercept their email. (Emacs is, after all, a mail reader for many of us, and we would prefer that random sets of thugs with torture chambers _not_ be able to intercept our IMAP connections by default by forging certificates.) This is no more a "restriction" than configuring a vacuum cleaner so that, by default, it does not electrocute its users who are just trying to clean their floors, or, by default, not putting poison into food. People are still free to add poison to their own food or to modify their vacuums to electrocute them if they're complete morons. Emacs even makes it easy to customize things. We're just giving people reasonable defaults. As I noted, RMS cares about this stuff enough that the front of every single email he sends talks about state sponsored espionage on citizens. Why would we not implement simple, sane things like setting reasonable minimum keylengths for Diffie-Hellman to prevent known downgrade attacks? > > If people want to remove security on their own, that's their > > business, but providing defaults that are not even as secure as > > what Chrome or Firefox does is totally irresponsible. > > Emacs is not a Web browser, It is if you use it to browse the web. TLS is also used for a variety of other things -- email, file transfer, etc. -- that Emacs does pretty regularly for people. > > you honestly propose ignoring the need to protect users from > > network based attacks? > > I said nothing of the kind. I said that we need to have "the right > amount" of security, that's all. Dumping all the possible > protection methods on users without careful analysis of what is > more and less important is a bad starting point. How the heck does obeying a site's explicit request for pinning or CT "dump all the possible protection methods on users without careful analysis"? If the site owners want to specify a particular key be used, why is it up to us to not allow that? How does requiring a minimum of 1024 bit keys, which is already way too low, "dump all the possible protection methods on users without careful analysis"? What careful analysis do you need to know that 256 bit DH keys can be cracked even by amateurs? How does not allowing the use of compromised cryptographic algorithms that are no longer accepted for use by any browser or command line tool "dump all the possible protection methods on users without careful analysis"? Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 20:45 ` Perry E. Metzger @ 2018-07-06 6:29 ` Eli Zaretskii 2018-07-06 23:08 ` Richard Stallman 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 6:29 UTC (permalink / raw) To: Perry E. Metzger; +Cc: larsi, eggert, wyuenho, rms, emacs-devel > Date: Thu, 5 Jul 2018 16:45:00 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: larsi@gnus.org, eggert@cs.ucla.edu, wyuenho@gmail.com, > emacs-devel@gnu.org, rms@gnu.org > > > People die on the roads every day, but restricting free movement due > > to that somehow doesn't sound right to me. > > No one's freedom is restricted by providing sane default security in > anything that can be used as a browser. Restricting free movement on roads doesn't necessarily restrict the freedom, it usually is a rather large annoyance. Likewise excess security: you get annoying prompts, popups and tooltips all over the place. I'm saying that the annoyance should be proportionate to the dangers, and that we should find the fine balance where they are proportionate. > You're not removing the ability of users to reconfigure things any > way they want. They can turn off the security any time they > want. However, by setting sane defaults, you're making things work > reasonably so that, for example, thugs cannot intercept their > email. (Emacs is, after all, a mail reader for many of us, and we > would prefer that random sets of thugs with torture chambers _not_ > be able to intercept our IMAP connections by default by forging > certificates.) I think we should assume people generally know whether thugs with torture chambers might be after them. I see no reason to assume each and every Emacs user is in this situation, and I see no reason to annoy each and every Emacs user with alerts and prompts based on that assumption. As for "they can turn off" part: since the additions are almost all of them proposed for the 'medium' level of security, the only way of "turning off" is to go to 'low', which in Emacs means no security at all, and that makes even less sense to me. Which brings me to the main comment on everything that you wrote against my opinions: please read my comments and questions in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31946#89. Because that's the only/main thing that bothers me in the patches discussed in this and other related threads, and without reading that, your comments will generally miss the point. > Emacs even makes it easy to customize things. We're just giving > people reasonable defaults. We should do that, yes. I'm questioning whether the proposed defaults are "reasonable", that's all. > As I noted, RMS cares about this stuff enough that the front of every > single email he sends talks about state sponsored espionage on > citizens. Why would we not implement simple, sane things like setting > reasonable minimum keylengths for Diffie-Hellman to prevent known > downgrade attacks? See above: you are missing my point, because you haven't read my comments to the patches. > > > If people want to remove security on their own, that's their > > > business, but providing defaults that are not even as secure as > > > what Chrome or Firefox does is totally irresponsible. > > > > Emacs is not a Web browser, > > It is if you use it to browse the web. TLS is also used for a variety > of other things -- email, file transfer, etc. -- that Emacs does > pretty regularly for people. I'm saying that the defaults used by browsers are not necessarily correct for non-browser applications, including email and file transfer. Some of them might be appropriate, some might be less so. In any case, please note that the current proposals don't copy what the browsers do, they add a lot of tests the browsers don't (yet) do, at least not by default. So arguments about what the browsers do are already not very convincing, as we explicitly consider to deviate from what they do (and rightfully so). > > I said nothing of the kind. I said that we need to have "the right > > amount" of security, that's all. Dumping all the possible > > protection methods on users without careful analysis of what is > > more and less important is a bad starting point. > > How the heck does obeying a site's explicit request for pinning or CT > "dump all the possible protection methods on users without careful > analysis"? If the site owners want to specify a particular key be > used, why is it up to us to not allow that? How does > requiring a minimum of 1024 bit keys, which is already way too low, > "dump all the possible protection methods on users without careful > analysis"? What careful analysis do you need to know that 256 bit DH > keys can be cracked even by amateurs? How does not allowing the use > of compromised cryptographic algorithms that are no longer accepted > for use by any browser or command line tool "dump all the possible > protection methods on users without careful analysis"? You are again missing the main point of my concerns. Please read the comments for the patches submitted in bug#31946. In a nutshell, I of course have nothing against each one of these measures, it's their sum total that is being put into the 'medium' level that bothers me. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 6:29 ` Eli Zaretskii @ 2018-07-06 23:08 ` Richard Stallman 2018-07-07 12:18 ` Perry E. Metzger 0 siblings, 1 reply; 221+ messages in thread From: Richard Stallman @ 2018-07-06 23:08 UTC (permalink / raw) To: Eli Zaretskii; +Cc: larsi, eggert, emacs-devel, wyuenho, perry [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > I think we should assume people generally know whether thugs with > torture chambers might be after them. I agree, provided we encourage them to ask themselves the question. Until a dictatorship gets totally and openly vicious, people have a tendency to think things like, "They couldn't possibly consider me important enough to do that to me." So it would be good to ask a question that would lead people to think about this, dismissing that tendency. I see no reason to assume each > and every Emacs user is in this situation, and I see no reason to > annoy each and every Emacs user with alerts and prompts based on that > assumption. I agree. But we should ask each Emacs user to think about whether perse needs this level of security. We should not turn it off by default. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 23:08 ` Richard Stallman @ 2018-07-07 12:18 ` Perry E. Metzger 2018-07-07 13:19 ` Eli Zaretskii 2018-07-07 23:45 ` Richard Stallman 0 siblings, 2 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-07 12:18 UTC (permalink / raw) To: Richard Stallman; +Cc: Eli Zaretskii, eggert, emacs-devel, larsi, wyuenho On Fri, 06 Jul 2018 19:08:58 -0400 Richard Stallman <rms@gnu.org> wrote: > [[[ To any NSA and FBI agents reading my email: please > consider ]]] [[[ whether defending the US Constitution against > all enemies, ]]] [[[ foreign or domestic, requires you to > follow Snowden's example. ]]] > > > I think we should assume people generally know whether thugs > > with torture chambers might be after them. > > I agree, provided we encourage them to ask themselves the question. There is ample evidence that people in such situations rarely if ever understand what the right thing to do is. There's also another issue we've discovered: at one time, people believed having software provide "levels" of security made sense,but we now understand based on bitter experience that everyone, whether their greatest threat is unimportant or whether their greatest threat is a nation state, uses the same software and same default settings 99% of the time, so software needs to be built with the needs of people under threat in mind. And let me repeat, there's excellent field evidence that people under threat generally have no technical expertise to make serious security decisions, and that includes people with programming backgrounds. The other thing is, in spite of the constant claims, running with the level of security provided by Firefox or Chrome or Safari isn't the least bit inconvenient, so there's no obvious reason not to do at least _that_. It's not like there's any actual tradeoff involved. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 12:18 ` Perry E. Metzger @ 2018-07-07 13:19 ` Eli Zaretskii 2018-07-07 13:46 ` Perry E. Metzger 2018-07-07 23:45 ` Richard Stallman 1 sibling, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 13:19 UTC (permalink / raw) To: Perry E. Metzger; +Cc: wyuenho, larsi, eggert, rms, emacs-devel > Date: Sat, 7 Jul 2018 08:18:33 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: Eli Zaretskii <eliz@gnu.org>, eggert@cs.ucla.edu, emacs-devel@gnu.org, > larsi@gnus.org, wyuenho@gmail.com > > There is ample evidence that people in such situations rarely if ever > understand what the right thing to do is. That doesn't necessarily mean we need to assume none of them will understand that, if the considerations are explained in clear terms that can be mapped to the user's environment. > There's also another issue we've discovered: at one time, people > believed having software provide "levels" of security made sense,but > we now understand based on bitter experience that everyone, whether > their greatest threat is unimportant or whether their greatest threat > is a nation state, uses the same software and same default settings > 99% of the time, so software needs to be built with the needs of > people under threat in mind. I don't see how this is relevant, since we are talking about just one piece of software: Emacs. For the purposes of this discussion, whether they use the same browsers or different ones, because we are not discussing those browsers. And my personal experience definitely contradicts your "everyone" claim: e.g., my home network is set up with several non-default defenses, and so is my smartphone. Why should we assume a significant part of Emacs users is in the "everyone" camp? They did choose to use Emacs, didn't they? > And let me repeat, there's excellent field evidence that > people under threat generally have no technical expertise to make > serious security decisions, and that includes people with programming > backgrounds. You are entitled to your opinions, but I don't agree that we should design our defaults based on the assumption that we cannot expect our users to make informed decisions. I expect that much from Emacs developers, and I'm certainly not going to behave differently when such decisions depend on me. > The other thing is, in spite of the constant claims, running with the > level of security provided by Firefox or Chrome or Safari isn't the > least bit inconvenient, so there's no obvious reason not to do at > least _that_. One would think that those "constant claims" might just provide such a reason. Besides, we don't really follow what those browsers do, so it's a moot point to argue anyway. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 13:19 ` Eli Zaretskii @ 2018-07-07 13:46 ` Perry E. Metzger 2018-07-07 14:17 ` Eli Zaretskii 2018-07-07 14:32 ` Jimmy Yuen Ho Wong 0 siblings, 2 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-07 13:46 UTC (permalink / raw) To: Eli Zaretskii; +Cc: wyuenho, larsi, eggert, rms, emacs-devel On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii <eliz@gnu.org> wrote: > > Date: Sat, 7 Jul 2018 08:18:33 -0400 > > From: "Perry E. Metzger" <perry@piermont.com> > > Cc: Eli Zaretskii <eliz@gnu.org>, eggert@cs.ucla.edu, > > emacs-devel@gnu.org, larsi@gnus.org, wyuenho@gmail.com > > > > There is ample evidence that people in such situations rarely if > > ever understand what the right thing to do is. > > That doesn't necessarily mean we need to assume none of them will > understand that, if the considerations are explained in clear terms > that can be mapped to the user's environment. The difference between "none" and "under 5%" is so small as to be unimportant. In tests, even with very careful explanations, only a really tiny fraction of users seem to make good decisions some of the time, and that's even when computer science undergraduates are the test subjects. Go and check the literature on this if you don't believe me. Once the decisions are complicated, like figuring out whether to trust a certificate or not, the ability to make correct choices, even among security professionals, drops to the noise floor. > > There's also another issue we've discovered: at one time, people > > believed having software provide "levels" of security made > > sense,but we now understand based on bitter experience that > > everyone, whether their greatest threat is unimportant or whether > > their greatest threat is a nation state, uses the same software > > and same default settings 99% of the time, so software needs to > > be built with the needs of people under threat in mind. > > I don't see how this is relevant, since we are talking about just > one piece of software: Emacs. For the purposes of this discussion, > whether they use the same browsers or different ones, because we are > not discussing those browsers. You may not see the relevance, but others do. > And my personal experience definitely contradicts your "everyone" > claim: e.g., my home network is set up with several non-default > defenses, and so is my smartphone. Why should we assume a > significant part of Emacs users is in the "everyone" camp? They > did choose to use Emacs, didn't they? The difference between one person in a hundred and no one is so small for purposes of deciding on default behavior as to be unimportant. As for your own configuration, you're free to change the defaults any way you like, so why are you arguing anyway? No one will stop you from selecting 256 bit D-H keys or turning off encryption entirely or turning off CT if that's what you really insist on. > > And let me repeat, there's excellent field evidence that > > people under threat generally have no technical expertise to make > > serious security decisions, and that includes people with > > programming backgrounds. > > You are entitled to your opinions These are not opinions. They're facts. They're based on decades of field experience and objective studies published in the academic literature. There is almost universal agreement among the studies, too -- there are no published outliers that I'm aware of. So, my statements are not matters of opinion any more than the claim that most people get hungry if they don't eat for long enough is a matter of opinion. You are, of course, entitled to claim the moon is made of green cheese or that most users can make informed security decisions for themselves about things like key length or certificate origins. These claims are both wrong, and no one should pay attention to such claims, but one is entitled to say it. Others should ignore such statements, however, because they are counterfactual. > but I don't agree that we should > design our defaults based on the assumption that we cannot expect > our users to make informed decisions. And this sets you apart from people who have worked in the field for decades, and from people who have done objective studies in the field. It's fine to let the tiny fraction of users who understand what they're doing to go into their .emacs file and set whatever they prefer. Asking users to make "informed decisions" in real time simply doesn't work, and this is not opinion, it is fact, and though you are going to argue until the end of time regardless of evidence, your opinion is simply wrong. I strongly suspect, by the way, that I could easily get you to make a bad security decision in a test environment. I don't trust myself to evaluate the origin of certificates in real time -- it's just too difficult to read an x.509 cert's contents and verify everything you need to (including the hash algorithms used in the entire chain, figuring out if the CA is one I should be expecting for this particular host, etc.) That is in spite of the fact that I've been doing this professionally for a very long time. I suspect I could easily cook up certs that you wouldn't be able to figure out, and that you would make the wrong decision if prompted to look at them. That said, I have no objections to your being able to set whatever parameters you want by editing your configs. So you see, we can both have our way. You can run Windows XP until the end of time, and you can set your default configuration for TLS interactions badly, and other people can run much more secure free operating systems and can have strong TLS defaults, and everyone can be happy. > > The other thing is, in spite of the constant claims, running with > > the level of security provided by Firefox or Chrome or Safari > > isn't the least bit inconvenient, so there's no obvious reason > > not to do at least _that_. > > One would think that those "constant claims" might just provide > such a reason. The only one making this claim is _you_. No one can provide good examples of how following the usual practice in the rest of the community would inconvenience anyone, but you keep implying this anyway. No one else is making this claim, but you are constantly and consistently implying that it is the case even though there's basically no evidence for it. > Besides, we don't really follow what those browsers do, But we should. It's insane not to. You keep going on and on about how somehow setting such defaults would be inconvenient, but there's not the slightest evidence that it would be, and there's excellent evidence that there's good reason to follow those practices. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 13:46 ` Perry E. Metzger @ 2018-07-07 14:17 ` Eli Zaretskii 2018-07-07 15:25 ` Perry E. Metzger 2018-07-07 14:32 ` Jimmy Yuen Ho Wong 1 sibling, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 14:17 UTC (permalink / raw) To: Perry E. Metzger; +Cc: wyuenho, larsi, eggert, rms, emacs-devel > Date: Sat, 7 Jul 2018 09:46:22 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: rms@gnu.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, larsi@gnus.org, > wyuenho@gmail.com > > On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii <eliz@gnu.org> wrote: > > > Date: Sat, 7 Jul 2018 08:18:33 -0400 > > > From: "Perry E. Metzger" <perry@piermont.com> > > > Cc: Eli Zaretskii <eliz@gnu.org>, eggert@cs.ucla.edu, > > > emacs-devel@gnu.org, larsi@gnus.org, wyuenho@gmail.com > > > > > > There is ample evidence that people in such situations rarely if > > > ever understand what the right thing to do is. > > > > That doesn't necessarily mean we need to assume none of them will > > understand that, if the considerations are explained in clear terms > > that can be mapped to the user's environment. > > The difference between "none" and "under 5%" is so small as to be > unimportant. I don't know where you took that number. Any idea what is the correlation between those 5% and the percentage of people who use Emacs, btw? > In tests, even with very careful explanations, only a > really tiny fraction of users seem to make good decisions some of > the time, and that's even when computer science undergraduates are the > test subjects. We are not talking about the same decisions in the same terms. Once again, I suggest to re-read my comments to Jimmy's patches and the following discussion. > > And my personal experience definitely contradicts your "everyone" > > claim: e.g., my home network is set up with several non-default > > defenses, and so is my smartphone. Why should we assume a > > significant part of Emacs users is in the "everyone" camp? They > > did choose to use Emacs, didn't they? > > The difference between one person in a hundred and no one is so small > for purposes of deciding on default behavior as to be unimportant. I don't think your estimation of the percentage is accurate, wrt Emacs users. They are not the typical mass user of computers. > As for your own configuration, you're free to change the defaults any > way you like, so why are you arguing anyway? Because I think there are many others like me. I'm not special in any way, neither in my Emacs usage patterns nor in how I approach security. > > You are entitled to your opinions > > These are not opinions. They're facts. They're based on decades of > field experience and objective studies published in the academic > literature. There is almost universal agreement among the > studies, too -- there are no published outliers that I'm aware of. I meant your opinions about how Emacs should design its security-related UI and treat its users. They are definitely not facts, because we are talking about something that doesn't yet exist, so it couldn't be a subject of decades of studies. > > but I don't agree that we should > > design our defaults based on the assumption that we cannot expect > > our users to make informed decisions. > > And this sets you apart from people who have worked in the field for > decades, and from people who have done objective studies in the field. Studies on Emacs users? > I strongly suspect, by the way, that I could easily get you to make a > bad security decision in a test environment. I don't trust myself to > evaluate the origin of certificates in real time -- it's just too > difficult to read an x.509 cert's contents and verify everything you > need to (including the hash algorithms used in the entire chain, > figuring out if the CA is one I should be expecting for this > particular host, etc.) That is in spite of the fact that I've been > doing this professionally for a very long time. I suspect I could > easily cook up certs that you wouldn't be able to figure out, and > that you would make the wrong decision if prompted to look at them. You are completely missing the point. No one claimed we should expect users to judge certificates. > > > The other thing is, in spite of the constant claims, running with > > > the level of security provided by Firefox or Chrome or Safari > > > isn't the least bit inconvenient, so there's no obvious reason > > > not to do at least _that_. > > > > One would think that those "constant claims" might just provide > > such a reason. > > The only one making this claim is _you_. My "claims" are facts. I see these issues every day, using mostly Firefox and IE. I'd be surprised if I were the only one, because there's nothing special in my setups. > > Besides, we don't really follow what those browsers do, > > But we should. It's insane not to. Please read Jimmy's comments on this, and respond to them if you want. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 14:17 ` Eli Zaretskii @ 2018-07-07 15:25 ` Perry E. Metzger 2018-07-07 16:08 ` Eli Zaretskii 2018-07-07 23:46 ` Richard Stallman 0 siblings, 2 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-07 15:25 UTC (permalink / raw) To: Eli Zaretskii; +Cc: wyuenho, larsi, eggert, rms, emacs-devel On Sat, 07 Jul 2018 17:17:24 +0300 Eli Zaretskii <eliz@gnu.org> wrote: > > Date: Sat, 7 Jul 2018 09:46:22 -0400 > > From: "Perry E. Metzger" <perry@piermont.com> > > Cc: rms@gnu.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, > > larsi@gnus.org, wyuenho@gmail.com > > > > On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii <eliz@gnu.org> > > wrote: > > > > Date: Sat, 7 Jul 2018 08:18:33 -0400 > > > > From: "Perry E. Metzger" <perry@piermont.com> > > > > Cc: Eli Zaretskii <eliz@gnu.org>, eggert@cs.ucla.edu, > > > > emacs-devel@gnu.org, larsi@gnus.org, wyuenho@gmail.com > > > > > > > > There is ample evidence that people in such situations rarely > > > > if ever understand what the right thing to do is. > > > > > > That doesn't necessarily mean we need to assume none of them > > > will understand that, if the considerations are explained in > > > clear terms that can be mapped to the user's environment. > > > > The difference between "none" and "under 5%" is so small as to be > > unimportant. > > I don't know where you took that number. Maybe you should learn about the topics you have such strong opinions on before expressing the strong opinions. If you were actually in the field or even reading the literature, you wouldn't need to ask such things. > > > And my personal experience definitely contradicts your > > > "everyone" claim: e.g., my home network is set up with several > > > non-default defenses, and so is my smartphone. Why should we > > > assume a significant part of Emacs users is in the "everyone" > > > camp? They did choose to use Emacs, didn't they? > > > > The difference between one person in a hundred and no one is so > > small for purposes of deciding on default behavior as to be > > unimportant. > > I don't think your estimation of the percentage is accurate, wrt > Emacs users. They are not the typical mass user of computers. *I* cannot make such decisions safely, and *I* am one of the people who created the protocols in question. I'm certain I can construct certs that will fool *you*. There's no point in pretending sufficiently educated humans can make such decisions when the decisions are too complicated and must be made correctly _every single time_ or you're done for. Humans cannot reliably make complicated decisions with perfect safety thousands of times in a row. > > As for your own configuration, you're free to change the defaults > > any way you like, so why are you arguing anyway? > > Because I think there are many others like me. So the others like you can change the defaults any way you like. WHAT IS THE PROBLEM. > > > You are entitled to your opinions > > > > These are not opinions. They're facts. They're based on decades of > > field experience and objective studies published in the academic > > literature. There is almost universal agreement among the > > studies, too -- there are no published outliers that I'm aware > > of. > > I meant your opinions about how Emacs should design its > security-related UI and treat its users. They are definitely not > facts, So far, I hear a number of people saying "the reasonable thing is to use the same default behavior that pretty much everything else uses", and I hear Eli saying "no, no, I want to make things more complicated because I claim that somehow there will be great inconvenience if the software rejects obviously forged certificates or obviously insecure cipher suites by default". What exactly is the inconvenience you anticipate if an Emacs IMAP user connecting to google rejects a certificate that isn't vouched for by the CT mechanism? Can you explain _precisely_ why you insist that it is necessary to have different defaults than everyone else uses? > > > but I don't agree that we should > > > design our defaults based on the assumption that we cannot > > > expect our users to make informed decisions. > > > > And this sets you apart from people who have worked in the field > > for decades, and from people who have done objective studies in > > the field. > > Studies on Emacs users? Emacs users are for the most part human beings, yes. They browse the web and read email using the same sorts of brains that evolution gave everyone else. > > I strongly suspect, by the way, that I could easily get you to > > make a bad security decision in a test environment. I don't trust > > myself to evaluate the origin of certificates in real time -- > > it's just too difficult to read an x.509 cert's contents and > > verify everything you need to (including the hash algorithms used > > in the entire chain, figuring out if the CA is one I should be > > expecting for this particular host, etc.) That is in spite of the > > fact that I've been doing this professionally for a very long > > time. I suspect I could easily cook up certs that you wouldn't be > > able to figure out, and that you would make the wrong decision if > > prompted to look at them. > > You are completely missing the point. No one claimed we should > expect users to judge certificates. Then what the hell are you arguing for? What exactly is it about the defaults that Firefox, Chrome, Safari, Edge and the rest use that you don't like? If your answer is "I don't know, I haven't looked at them", shouldn't you be just a trace ashamed of yourself for having a strong opinion in the absence of any examination? > > > > The other thing is, in spite of the constant claims, running > > > > with the level of security provided by Firefox or Chrome or > > > > Safari isn't the least bit inconvenient, so there's no > > > > obvious reason not to do at least _that_. > > > > > > One would think that those "constant claims" might just provide > > > such a reason. > > > > The only one making this claim is _you_. > > My "claims" are facts. Your claim is not a fact. > I see these issues every day, using mostly > Firefox and IE. Why are you using IE? And what exactly is failing for you? I haven't hit a single problem connecting to anything which wasn't a legitimate failure (that is, the browser actually protecting me when it should) in many months, possibly longer. There are careful studies the browser vendors make of such things, and failures are currently pretty damn rare. And yes, that's a fact. > Please read Jimmy's comments on this, and respond to them if you > want. Jimmy is entirely reasonable here. I'm not arguing with him because he's not saying anything terribly wrong. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 15:25 ` Perry E. Metzger @ 2018-07-07 16:08 ` Eli Zaretskii 2018-07-07 23:46 ` Richard Stallman 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 16:08 UTC (permalink / raw) To: Perry E. Metzger; +Cc: wyuenho, larsi, eggert, rms, emacs-devel > Date: Sat, 7 Jul 2018 11:25:44 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: rms@gnu.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, larsi@gnus.org, > wyuenho@gmail.com > > > I don't know where you took that number. > > Maybe you should learn about the topics you have such strong opinions > on before expressing the strong opinions. If you were actually in the > field or even reading the literature, you wouldn't need to ask such > things. Maybe you should learn to talk with people who are not specialists, and maybe you should learn to recognize "strong opinions" when you see one. > > > As for your own configuration, you're free to change the defaults > > > any way you like, so why are you arguing anyway? > > > > Because I think there are many others like me. > > So the others like you can change the defaults any way you like. WHAT > IS THE PROBLEM. Irrelevant. We are talking about the defaults. > > I meant your opinions about how Emacs should design its > > security-related UI and treat its users. They are definitely not > > facts, > > So far, I hear a number of people saying "the reasonable thing is to > use the same default behavior that pretty much everything else uses", > and I hear Eli saying "no, no, I want to make things more complicated > because I claim that somehow there will be great inconvenience if > the software rejects obviously forged certificates or obviously > insecure cipher suites by default". So maybe you should learn to listen more carefully. And read, for that matter. > What exactly is the inconvenience you anticipate if an Emacs IMAP > user connecting to google rejects a certificate that isn't vouched > for by the CT mechanism? Can you explain _precisely_ why you insist > that it is necessary to have different defaults than everyone else > uses? I already did. PLEASE RE-READ WHAT I WROTE, and not necessarily to in response to your posts. > > > And this sets you apart from people who have worked in the field > > > for decades, and from people who have done objective studies in > > > the field. > > > > Studies on Emacs users? > > Emacs users are for the most part human beings, yes. They are not a representative sample of computer users, however. So what by and large is correct for the bulk of the users is not necessarily correct for Emacs users. > > You are completely missing the point. No one claimed we should > > expect users to judge certificates. > > Then what the hell are you arguing for? READ MY MESSAGES!! > > I see these issues every day, using mostly > > Firefox and IE. > > Why are you using IE? Because I sometimes have to. And there's nothing special about it, it actually sometimes works better than Firefox. > > Please read Jimmy's comments on this, and respond to them if you > > want. > > Jimmy is entirely reasonable here. I'm not arguing with him because > he's not saying anything terribly wrong. Then you don't have any argument with me, either, because I don't have any argument with Jimmy. (And please leave out ad-hominem, your unconcealed disdain makes this a very unpleasant discussion.) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 15:25 ` Perry E. Metzger 2018-07-07 16:08 ` Eli Zaretskii @ 2018-07-07 23:46 ` Richard Stallman 2018-07-08 0:25 ` Perry E. Metzger 2018-07-08 2:44 ` Eli Zaretskii 1 sibling, 2 replies; 221+ messages in thread From: Richard Stallman @ 2018-07-07 23:46 UTC (permalink / raw) To: Perry E. Metzger; +Cc: wyuenho, eliz, eggert, larsi, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > What exactly is the inconvenience you anticipate if an Emacs IMAP > user connecting to google rejects a certificate that isn't vouched > for by the CT mechanism? Can you explain _precisely_ why you insist > that it is necessary to have different defaults than everyone else > uses? Here is an idea. Let's implement the browser-like security in master as an option disabled by default. Then Eli and others can try it out for a few weeks and report each inconvenience. Then we will see how much, or how little, inconvenience results from this mode of operation. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 23:46 ` Richard Stallman @ 2018-07-08 0:25 ` Perry E. Metzger 2018-07-08 2:44 ` Eli Zaretskii 1 sibling, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-08 0:25 UTC (permalink / raw) To: Richard Stallman; +Cc: wyuenho, eliz, eggert, larsi, emacs-devel On Sat, 07 Jul 2018 19:46:49 -0400 Richard Stallman <rms@gnu.org> wrote: > > What exactly is the inconvenience you anticipate if an Emacs > > IMAP user connecting to google rejects a certificate that isn't > > vouched for by the CT mechanism? Can you explain _precisely_ > > why you insist that it is necessary to have different defaults > > than everyone else uses? > > Here is an idea. Let's implement the browser-like security in > master as an option disabled by default. Then Eli and others can > try it out for a few weeks and report each inconvenience. > > Then we will see how much, or how little, inconvenience results from > this mode of operation. This is an excellent suggestion. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 23:46 ` Richard Stallman 2018-07-08 0:25 ` Perry E. Metzger @ 2018-07-08 2:44 ` Eli Zaretskii 2018-07-08 22:55 ` Richard Stallman 1 sibling, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 2:44 UTC (permalink / raw) To: rms; +Cc: larsi, eggert, emacs-devel, wyuenho, perry > From: Richard Stallman <rms@gnu.org> > Date: Sat, 07 Jul 2018 19:46:49 -0400 > Cc: wyuenho@gmail.com, eliz@gnu.org, eggert@cs.ucla.edu, larsi@gnus.org, > emacs-devel@gnu.org > > Here is an idea. Let's implement the browser-like security in master > as an option disabled by default. Then Eli and others can try it out > for a few weeks and report each inconvenience. > > Then we will see how much, or how little, inconvenience results from > this mode of operation. I think the plan is to enable that by default on master, which I think is even better, since more people will be able to test it. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 2:44 ` Eli Zaretskii @ 2018-07-08 22:55 ` Richard Stallman 0 siblings, 0 replies; 221+ messages in thread From: Richard Stallman @ 2018-07-08 22:55 UTC (permalink / raw) To: Eli Zaretskii; +Cc: perry, larsi, eggert, wyuenho, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > I think the plan is to enable that by default on master, which I think > is even better, since more people will be able to test it. Ok by me. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 13:46 ` Perry E. Metzger 2018-07-07 14:17 ` Eli Zaretskii @ 2018-07-07 14:32 ` Jimmy Yuen Ho Wong 2018-07-07 15:15 ` Perry E. Metzger 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 14:32 UTC (permalink / raw) To: Perry E. Metzger Cc: Lars Ingebrigtsen, Eli Zaretskii, Paul Eggert, rms, Emacs-Devel devel >> >> I don't see how this is relevant, since we are talking about just >> one piece of software: Emacs. For the purposes of this discussion, >> whether they use the same browsers or different ones, because we are >> not discussing those browsers. > > You may not see the relevance, but others do. > The relevance is what browsers do is a very good heuristics for someone like me who wants a starting point to find out what problems to look out for. Another piece of information these browsers give me is being able to predict the future. These browsers hold enormous power in shaping the internet. Just Google deprecating SHA1 certs alone is enough to make them drop to exactly 0 within a month[1]. I don't see any other relevance beyond these two. I know Perry you probably want to copy what browsers do - basically removing unsafe ciphers and only offer one security levels, and perhaps drop support for GnuTLS version other than the most recent stable version. I can tell you now that in practical terms, they make very little difference. For Gmail, 85% outbound and 91% inbound emails are secured with TLS[2]. For HTTP, most of the checks I've implemented is already supported by a vast majority of servers out there, and given that the time people spend on the web vs the websites' Alexa rankings follows the Pareto distribution, most of the time you won't even get a warning. No warning, no decision to make. For the 20% of time you are not spending on Alexa top 20k, we can infer from SSLLabs' SSLPulse data to get a sense of how dangerous they are. SSLPulse tracks the Alexa top 150K websites, with the exception of protocol downgrade defense, no other problems that I check for exceed 5% on this list of servers. 5% of 20% is 1%. If you only consider cipher suites independently, given that browsers have removed a shit ton of unsafe cipher suites already, the chance of getting an unsafe cipher suite from a handshake is very very very small. The whole reason I'm working on fixing Emacs' network security is I believe Emacs' esoteric user base is probably extreme outliers, and Emacs' TLS defence is next to useless. I'm not working on this for normal people here. [1]: "Certificate Signature Algorithms" Jan 2017 - Feb 2017. https://www.ssllabs.com/ssl-pulse/ [2]: https://transparencyreport.google.com/safer-email/overview ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 14:32 ` Jimmy Yuen Ho Wong @ 2018-07-07 15:15 ` Perry E. Metzger 2018-07-07 15:39 ` Jimmy Yuen Ho Wong 2018-07-07 15:57 ` Eli Zaretskii 0 siblings, 2 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-07 15:15 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Lars Ingebrigtsen, Eli Zaretskii, Paul Eggert, rms, Emacs-Devel devel On Sat, 7 Jul 2018 15:32:19 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > I know Perry you probably want to copy what browsers do - basically > removing unsafe ciphers and only offer one security levels, and > perhaps drop support for GnuTLS version other than the most recent > stable version. I can tell you now that in practical terms, they > make very little difference. For Gmail, 85% outbound and 91% > inbound emails are secured with TLS[2]. My main concern in the case of users reading their mail with Emacs is certificate forgery, and not the use of TLS itself. (The stats you are quoting are regardless for the use of TLS with SMTP, not with IMAP which is the relevant issue, and they don't tell us anything about the interception of mail by man-in-the-middle attacks against IMAP TLS connections.) Pinning (or later CT) is needed to prevent malefactors, including, lets be blunt, several major states, from using the equipment they've bought from Bluecoat and other vendors to intercept the TLS connections by using forged certificates. It's not a theoretical concern, the equipment to do this is deployed, and only CT and the rest will help. Downgrade attacks are also a concern of course. > For HTTP, most of the > checks I've implemented is already supported by a vast majority of > servers out there, and given that the time people spend on the web > vs the websites' Alexa rankings follows the Pareto distribution, > most of the time you won't even get a warning. No warning, no > decision to make. I'm also concerned about pinning or CT for things like mail.google.com and the like when they're accessed over HTTPS. > For the 20% of time you are not spending on Alexa top 20k, we can > infer from SSLLabs' SSLPulse data to get a sense of how dangerous > they are. SSLPulse tracks the Alexa top 150K websites, with the > exception of protocol downgrade defense, no other problems that I > check for exceed 5% on this list of servers. 5% of 20% is 1%. If > you only consider cipher suites independently, given that browsers > have removed a shit ton of unsafe cipher suites already, the chance > of getting an unsafe cipher suite from a handshake is very very > very small. The chance of getting an unsafe cipher suite in legitimate use is essentially zero. The chance of getting a downgrade attack is very very high because there are companies that sell hardware specifically to perform such attacks, and there's homemade equipment in deployed use by a number of state actors that have larger budgets and more custom interests. > The whole reason I'm working on fixing Emacs' network security is I > believe Emacs' esoteric user base is probably extreme outliers, and > Emacs' TLS defence is next to useless. I'm not working on this for > normal people here. So, I'm a security professional, partially responsible for the creation of some of the protocols in question, I use Emacs for purposes like reading email and the like, and I'm concerned that I want my security to be good and that the current mechanisms don't really give me what I need. And no, I don't want to be asked when I'm presented with a cert that Google specifically said isn't valid, I want it to be rejected so I won't accidentally say yes at 3am when I'm exhausted and not paying attention. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 15:15 ` Perry E. Metzger @ 2018-07-07 15:39 ` Jimmy Yuen Ho Wong 2018-07-07 18:16 ` Paul Eggert 2018-07-07 15:57 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 15:39 UTC (permalink / raw) To: Perry E. Metzger Cc: Lars Ingebrigtsen, Eli Zaretskii, Paul Eggert, rms, Emacs-Devel devel Can you preempt me with an OCSP patch, or better yet, a CT patch already... C hurts my head and I spend more time answering emails than writing code this week... Stop... both of you.... P.S. If it makes you feel any better, GnuTLS does checks OCSP stapling automatically already, and I've already submitted a patch to do CRL, not that IGTF's CRL is particularly good... On Sat, Jul 7, 2018 at 4:15 PM, Perry E. Metzger <perry@piermont.com> wrote: > On Sat, 7 Jul 2018 15:32:19 +0100 Jimmy Yuen Ho Wong > <wyuenho@gmail.com> wrote: >> I know Perry you probably want to copy what browsers do - basically >> removing unsafe ciphers and only offer one security levels, and >> perhaps drop support for GnuTLS version other than the most recent >> stable version. I can tell you now that in practical terms, they >> make very little difference. For Gmail, 85% outbound and 91% >> inbound emails are secured with TLS[2]. > > My main concern in the case of users reading their mail with Emacs is > certificate forgery, and not the use of TLS itself. (The stats you > are quoting are regardless for the use of TLS with SMTP, not with > IMAP which is the relevant issue, and they don't tell us anything > about the interception of mail by man-in-the-middle attacks against > IMAP TLS connections.) Pinning (or later CT) is needed to prevent > malefactors, including, lets be blunt, several major states, from > using the equipment they've bought from Bluecoat and other vendors to > intercept the TLS connections by using forged certificates. It's not a > theoretical concern, the equipment to do this is deployed, and only > CT and the rest will help. > > Downgrade attacks are also a concern of course. > >> For HTTP, most of the >> checks I've implemented is already supported by a vast majority of >> servers out there, and given that the time people spend on the web >> vs the websites' Alexa rankings follows the Pareto distribution, >> most of the time you won't even get a warning. No warning, no >> decision to make. > > I'm also concerned about pinning or CT for things like > mail.google.com and the like when they're accessed over HTTPS. > >> For the 20% of time you are not spending on Alexa top 20k, we can >> infer from SSLLabs' SSLPulse data to get a sense of how dangerous >> they are. SSLPulse tracks the Alexa top 150K websites, with the >> exception of protocol downgrade defense, no other problems that I >> check for exceed 5% on this list of servers. 5% of 20% is 1%. If >> you only consider cipher suites independently, given that browsers >> have removed a shit ton of unsafe cipher suites already, the chance >> of getting an unsafe cipher suite from a handshake is very very >> very small. > > The chance of getting an unsafe cipher suite in legitimate use is > essentially zero. The chance of getting a downgrade attack is very > very high because there are companies that sell hardware specifically > to perform such attacks, and there's homemade equipment in deployed > use by a number of state actors that have larger budgets and more > custom interests. > >> The whole reason I'm working on fixing Emacs' network security is I >> believe Emacs' esoteric user base is probably extreme outliers, and >> Emacs' TLS defence is next to useless. I'm not working on this for >> normal people here. > > So, I'm a security professional, partially responsible for the > creation of some of the protocols in question, I use Emacs for > purposes like reading email and the like, and I'm concerned that I > want my security to be good and that the current mechanisms don't > really give me what I need. And no, I don't want to be asked when I'm > presented with a cert that Google specifically said isn't valid, I > want it to be rejected so I won't accidentally say yes at 3am when > I'm exhausted and not paying attention. > > Perry > -- > Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 15:39 ` Jimmy Yuen Ho Wong @ 2018-07-07 18:16 ` Paul Eggert 2018-07-07 23:03 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Paul Eggert @ 2018-07-07 18:16 UTC (permalink / raw) To: Jimmy Yuen Ho Wong, Perry E. Metzger Cc: Lars Ingebrigtsen, Eli Zaretskii, rms, Emacs-Devel devel Jimmy Yuen Ho Wong wrote: > Can you preempt me with an OCSP patch, or better yet, a CT patch > already... C hurts my head and I spend more time answering emails than > writing code this week... What C code do you need? You mentioned something earlier, but I didn't understand the use case. I can easily write and debug C code, if that would help. > Stop... both of you.... My sentiments too. C'mon, we have active volunteers who are real experts in this area. It'd be silly to let this opportunity pass. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 18:16 ` Paul Eggert @ 2018-07-07 23:03 ` Jimmy Yuen Ho Wong 0 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 23:03 UTC (permalink / raw) To: Paul Eggert Cc: Lars Ingebrigtsen, Eli Zaretskii, Emacs-Devel devel, rms, Perry E. Metzger > > What C code do you need? You mentioned something earlier, but I didn't > understand the use case. I can easily write and debug C code, if that would help. > Whooo thanks for lending a hand. ATM, in order to implement `nsm-trust-local-network` properly for IPv6, I need some code to resolve a hostname to an IP address, preferrably in Emacs' internal format as documented in make-network-process. There's an ancient function called dnsResolve that delegates to url-gateway-nslookup-host. It shells out to the system's nslookup for an IPv4 address now, but I need to something that'll give me back an IPv6. I could modify url-gateway-nslookup-host, but the nastiest thing is translating a short-form IPv6 address into a vector of numbers. I don't really care if it's C code for this one. The one thing that I need help the most is implementing the client-side of RFC 6962. https://tools.ietf.org/html/rfc6962 . The general idea is you need to implement an X.509 certificate extension and a TLS extension called Signed Certificate Timestamp using GnuTLS's API. Once you can extract that from a handshake, just put the SCT data into the list returned by gnutls_certificate_details (I have renamed it to emacs_gnutls_certificate_details, but you might want to change it back). Once you have the SCT on the LISP side, you can write a check for `nsm-tls-checks` that opens up another connection to the auditor to validate the SCT. In addition, you may have to modify how GnutTLS deals with OCSP stapling as well because that's the third way SCT can be delivered. You can take your time on this one if you decide to help out, I understand this is a rather large project on its own. Thanks! ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 15:15 ` Perry E. Metzger 2018-07-07 15:39 ` Jimmy Yuen Ho Wong @ 2018-07-07 15:57 ` Eli Zaretskii 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 15:57 UTC (permalink / raw) To: Perry E. Metzger; +Cc: larsi, eggert, emacs-devel, wyuenho, rms > Date: Sat, 7 Jul 2018 11:15:17 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: Eli Zaretskii <eliz@gnu.org>, rms@gnu.org, Paul Eggert > <eggert@cs.ucla.edu>, Emacs-Devel devel <emacs-devel@gnu.org>, Lars > Ingebrigtsen <larsi@gnus.org> > > So, I'm a security professional, partially responsible for the > creation of some of the protocols in question, I use Emacs for > purposes like reading email and the like, and I'm concerned that I > want my security to be good and that the current mechanisms don't > really give me what I need. And no, I don't want to be asked when I'm > presented with a cert that Google specifically said isn't valid, I > want it to be rejected so I won't accidentally say yes at 3am when > I'm exhausted and not paying attention. There's nothing to prevent you from customizing your Emacs to do precisely what you want. Being a security professional, you are probably qualified to do that better than moist of us. My concern is mainly about the rest of us. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 12:18 ` Perry E. Metzger 2018-07-07 13:19 ` Eli Zaretskii @ 2018-07-07 23:45 ` Richard Stallman 1 sibling, 0 replies; 221+ messages in thread From: Richard Stallman @ 2018-07-07 23:45 UTC (permalink / raw) To: Perry E. Metzger; +Cc: wyuenho, eliz, eggert, larsi, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > I think we should assume people generally know whether thugs > > > with torture chambers might be after them. > > > > I agree, provided we encourage them to ask themselves the question. > There is ample evidence that people in such situations rarely if ever > understand what the right thing to do is. That seems to be a subtle change of topic. If we urge users to ask themselves, "Might thugs with torture chambers be spying on me," that question is not technical at all. "What is the right thing to do about it" is a different question, a technical question. I said we should encourage users to pose the first question to themselves. I think we all agree that Emacs should DTRT for users who conclude the answer might be yes. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 13:33 ` Perry E. Metzger 2018-07-05 13:49 ` Eli Zaretskii @ 2018-07-05 13:50 ` Jimmy Yuen Ho Wong 2018-07-05 15:30 ` Perry E. Metzger 2018-07-05 22:44 ` Richard Stallman 2 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-05 13:50 UTC (permalink / raw) To: Perry E. Metzger, Lars Ingebrigtsen; +Cc: Paul Eggert, emacs-devel I'm currently doing a second pass for my patch for bug#31946. I also have a preliminary OCSP patch. Emacs network security is going to be a lot better soon, I promise. Meanwhile, GnuTLS doesn't seem to have support Certificate Transparency (gnutls#232), but you could export the extension as DER bytes, so feel free to figure out how to deal with that in elisp. On 05/07/2018 14:33, Perry E. Metzger wrote: > Old thread, but I thought I'd reply on it. > > On Sat, 23 Jun 2018 12:23:31 +0200 Lars Ingebrigtsen <larsi@gnus.org> > wrote: >> For those who don't know what this is: Some browsers now ship with >> built-in lists of certificate hashes, so if you're visiting that >> site and presented with a different than expected certificate, >> you'll know that somebody else has issued a certificate for the >> site, and somebody has hijacked the connection. >> >> Or, perhaps, that they just lost the private key and had to >> generate a new certificate and now, oops, everybody that uses the >> browsers with the built-in list will be unable to visit the site. > What you depict there never happens. People don't lose keys in such > circumstances. > > Pinning is what is done by sites like gmail to prevent third world > dictatorships from using stolen certificate credentials to spy on > their citizens. People who have been victims of this have had their > email read, been arrested by state security forces for dissent, and > have been tortured to death for lack of certificate pinning working > in their browsers. > > This is a matter of life and death for many people. > >> do this via ELPA, I think. Whether it's worth doing is another >> issue; I think the jury is still out on that one... > Do you think it's worth keeping people from quite literally being > tortured to death? > > For most of the secure HTTP stuff we've been discussing, I would far > rather be inconvenienced here and there than know my slight extra > convenience was being paid for in human blood. > > Perry ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 13:50 ` Jimmy Yuen Ho Wong @ 2018-07-05 15:30 ` Perry E. Metzger 2018-07-05 15:36 ` Stefan Monnier 0 siblings, 1 reply; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 15:30 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Lars Ingebrigtsen, Paul Eggert, emacs-devel On Thu, 5 Jul 2018 14:50:10 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > I'm currently doing a second pass for my patch for bug#31946. I also > have a preliminary OCSP patch. Emacs network security is going to > be a lot better soon, I promise. Meanwhile, GnuTLS doesn't seem to > have support Certificate Transparency (gnutls#232), but you could > export the extension as DER bytes, so feel free to figure out how > to deal with that in elisp. In spite of the name "gnu" in "gnutls", gnutls is not FSF or Gnu software. I think Emacs should be using OpenSSL, as it is a much better maintained library. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:30 ` Perry E. Metzger @ 2018-07-05 15:36 ` Stefan Monnier 2018-07-05 16:05 ` Perry E. Metzger 0 siblings, 1 reply; 221+ messages in thread From: Stefan Monnier @ 2018-07-05 15:36 UTC (permalink / raw) To: emacs-devel > In spite of the name "gnu" in "gnutls", gnutls is not FSF or Gnu > software. I think Emacs should be using OpenSSL, as it is a much > better maintained library. I don't have a strong preference either way, but I've heard the above argument combined with arguments of security, but AFAIK gnutls is still maintained and its security track record is no worse than that of OpenSSL. IOW someone really concerned about security would likely choose something else than OpenSSL or gnutls. E.g. something not written in a language that makes it hard to write safe code, for instance. Stefan ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:36 ` Stefan Monnier @ 2018-07-05 16:05 ` Perry E. Metzger 0 siblings, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 16:05 UTC (permalink / raw) To: Stefan Monnier; +Cc: emacs-devel On Thu, 05 Jul 2018 11:36:55 -0400 Stefan Monnier <monnier@iro.umontreal.ca> wrote: > > In spite of the name "gnu" in "gnutls", gnutls is not FSF or Gnu > > software. I think Emacs should be using OpenSSL, as it is a much > > better maintained library. > > I don't have a strong preference either way, but I've heard the > above argument combined with arguments of security, but AFAIK > gnutls is still maintained and its security track record is no > worse than that of OpenSSL. It's had CVEs that OpenSSL hasn't, and admittedly vice versa. > IOW someone really concerned about security would likely choose > something else than OpenSSL or gnutls. E.g. something not written > in a language that makes it hard to write safe code, for instance. So if one wants to go down that path, Firefox now uses components of the cryptographic libraries from Project Everest, in which the code is almost (but not yet) fully formally verified: https://project-everest.github.io/ (So far they're just using the HACL* component.) This goes the whole thing one better. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 13:33 ` Perry E. Metzger 2018-07-05 13:49 ` Eli Zaretskii 2018-07-05 13:50 ` Jimmy Yuen Ho Wong @ 2018-07-05 22:44 ` Richard Stallman 2018-07-06 6:01 ` Eli Zaretskii 2 siblings, 1 reply; 221+ messages in thread From: Richard Stallman @ 2018-07-05 22:44 UTC (permalink / raw) To: Perry E. Metzger; +Cc: larsi, eggert, wyuenho, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] I don't know what this issue concretely involves, so I don't have an opinion about what concretely we should do. But I'd like to suggest a possible avenue for choosing a good response. The idea is that we make sure users see a chance to choose between the alternatives (convenience and safety) early enough that they won't be unsafe. The choice should come with an explanation of each option, first stating what situations it is recommended for, then what it does. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 22:44 ` Richard Stallman @ 2018-07-06 6:01 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 6:01 UTC (permalink / raw) To: rms; +Cc: larsi, eggert, emacs-devel, wyuenho, perry > From: Richard Stallman <rms@gnu.org> > Date: Thu, 05 Jul 2018 18:44:14 -0400 > Cc: larsi@gnus.org, eggert@cs.ucla.edu, wyuenho@gmail.com, emacs-devel@gnu.org > > The idea is that we make sure users see a chance to choose between the > alternatives (convenience and safety) early enough that they won't be > unsafe. The choice should come with an explanation of each option, > first stating what situations it is recommended for, then what it does. The early enough part is already in place, I think: the NSM pops up the first time some security related issue is discovered, and asks the user to decide what to do about that. The user then is given the option of making the decision permanent or only for this particular connection. The other part of your proposal is exactly what I think we should do, and that was the motive behind all my comments to the recent related bug reports and contributions: we should have the issues and their remedies explained and documented, so that users could make informed decisions when those matter. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-22 23:21 ` Lars Ingebrigtsen 2018-06-22 23:33 ` Lars Ingebrigtsen @ 2018-06-23 0:00 ` Paul Eggert 2018-06-23 0:10 ` Stefan Monnier 1 sibling, 1 reply; 221+ messages in thread From: Paul Eggert @ 2018-06-23 0:00 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Jimmy Yuen Ho Wong, emacs-devel On 06/22/2018 04:21 PM, Lars Ingebrigtsen wrote: > Paul Eggert <eggert@cs.ucla.edu> writes: > >> On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote: >>> 1. Can we update the default network security settings? >> Yes, I would think so, in the master branch. As you say, the current >> defaults are inappropriate for today's users. > They are? In what way? I was concerned about Emacs Lisp code that calls the gnutls API directly. However, you wrote in a later message that Emacs Lisp code desiring network security should use open-network-stream and use NSM, so perhaps very little (if any) Emacs code is like what I was worried about. If so, the defaults shouldn't matter too much. I like your suggestion of changing the doc strings of gnutls.el to make it less likely to get future bug reports about this (a la bug#17660 etc.). I'm not expert enough in GnuTLS to know what should go into those doc strings, though. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 0:00 ` Paul Eggert @ 2018-06-23 0:10 ` Stefan Monnier 2018-06-23 9:57 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Stefan Monnier @ 2018-06-23 0:10 UTC (permalink / raw) To: emacs-devel > I like your suggestion of changing the doc strings of gnutls.el to make it > less likely to get future bug reports about this (a la bug#17660 etc.). I'm > not expert enough in GnuTLS to know what should go into those doc > strings, though. Maybe an alternative is to change those default settings to be extremely strict, and loosen them as needed/appropriate when we go through the NSM. Stefan ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 0:10 ` Stefan Monnier @ 2018-06-23 9:57 ` Lars Ingebrigtsen 0 siblings, 0 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-23 9:57 UTC (permalink / raw) To: Stefan Monnier; +Cc: emacs-devel Stefan Monnier <monnier@iro.umontreal.ca> writes: >> I like your suggestion of changing the doc strings of gnutls.el to make it >> less likely to get future bug reports about this (a la bug#17660 etc.). I'm >> not expert enough in GnuTLS to know what should go into those doc >> strings, though. > > Maybe an alternative is to change those default settings to be extremely > strict, and loosen them as needed/appropriate when we go through the NSM. Hm... I may be misunderstanding what you mean here, but do you mean doing things like set `gnutls-min-prime-bits' to, say, 4096 (extremely strict :-)), and then have the NSM `medium' `network-security-level' change the setting back to 256 and reconnect? If so, that would to me seem to achieve little in practice and just make all (TLS) network connections slower... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-22 22:43 ` Paul Eggert 2018-06-22 23:21 ` Lars Ingebrigtsen @ 2018-06-23 2:17 ` Noam Postavsky 2018-06-23 6:40 ` Eli Zaretskii 2018-07-05 15:10 ` Perry E. Metzger 2018-06-23 6:45 ` Eli Zaretskii 2 siblings, 2 replies; 221+ messages in thread From: Noam Postavsky @ 2018-06-23 2:17 UTC (permalink / raw) To: Paul Eggert; +Cc: Lars Magne Ingebrigtsen, Jimmy Yuen Ho Wong, Emacs developers On 22 June 2018 at 18:43, Paul Eggert <eggert@cs.ucla.edu> wrote: > On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote: >> >> 1. Can we update the default network security settings? > > > Yes, I would think so, in the master branch. As you say, the current > defaults are inappropriate for today's users. Can we bump gnutls-min-prime-bits to 1024 on the release branch? I know it has a reference to Bug#11267 which describes some mail server that works only with 256 bits primes, but surely people using such software can set the option themselves. I mean, a 256 bit DH prime is just a toy example, not real crypto. It's inappropriate for yesterday's users. Even 1024 is probably a bit low, but at least it's something. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 2:17 ` Noam Postavsky @ 2018-06-23 6:40 ` Eli Zaretskii 2018-06-23 10:21 ` Jimmy Yuen Ho Wong ` (2 more replies) 2018-07-05 15:10 ` Perry E. Metzger 1 sibling, 3 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-23 6:40 UTC (permalink / raw) To: Noam Postavsky; +Cc: larsi, eggert, wyuenho, emacs-devel > From: Noam Postavsky <npostavs@gmail.com> > Date: Fri, 22 Jun 2018 22:17:56 -0400 > Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, > Jimmy Yuen Ho Wong <wyuenho@gmail.com>, > Emacs developers <emacs-devel@gnu.org> > > On 22 June 2018 at 18:43, Paul Eggert <eggert@cs.ucla.edu> wrote: > > On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote: > >> > >> 1. Can we update the default network security settings? > > > > > > Yes, I would think so, in the master branch. As you say, the current > > defaults are inappropriate for today's users. > > Can we bump gnutls-min-prime-bits to 1024 on the release branch? No, I don't think so. Changing these settings needs a prolonged testing period to uncover any subtle problems with non-conforming servers that users must be able to access, and such testing is unlikely to happen on emacs-26 before the next bug-fix release. If we change this now on emacs-26, we should probably not release Emacs 26.2 before a year goes by. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 6:40 ` Eli Zaretskii @ 2018-06-23 10:21 ` Jimmy Yuen Ho Wong 2018-06-23 11:26 ` Eli Zaretskii 2018-06-23 22:28 ` Noam Postavsky 2018-07-05 15:33 ` Perry E. Metzger 2 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-23 10:21 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Paul Eggert, Noam Postavsky, emacs-devel [-- Attachment #1: Type: text/plain, Size: 1340 bytes --] On Sat, Jun 23, 2018 at 7:40 AM, Eli Zaretskii <eliz@gnu.org> wrote: > > From: Noam Postavsky <npostavs@gmail.com> > > Date: Fri, 22 Jun 2018 22:17:56 -0400 > > Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, > > Jimmy Yuen Ho Wong <wyuenho@gmail.com>, > > Emacs developers <emacs-devel@gnu.org> > > > > On 22 June 2018 at 18:43, Paul Eggert <eggert@cs.ucla.edu> wrote: > > > On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote: > > >> > > >> 1. Can we update the default network security settings? > > > > > > > > > Yes, I would think so, in the master branch. As you say, the current > > > defaults are inappropriate for today's users. > > > > Can we bump gnutls-min-prime-bits to 1024 on the release branch? > > No, I don't think so. Changing these settings needs a prolonged > testing period to uncover any subtle problems with non-conforming > servers that users must be able to access, and such testing is > unlikely to happen on emacs-26 before the next bug-fix release. > > If we change this now on emacs-26, we should probably not release > Emacs 26.2 before a year goes by. > I don't understand this. Just because a small amount of people need 256 bit default to connect to some non-conforming servers, you think the trade-off should be to use a default that put the vast majority of Emacs users at risk out of the box? [-- Attachment #2: Type: text/html, Size: 2080 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 10:21 ` Jimmy Yuen Ho Wong @ 2018-06-23 11:26 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-23 11:26 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, npostavs, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sat, 23 Jun 2018 11:21:49 +0100 > Cc: Noam Postavsky <npostavs@gmail.com>, Paul Eggert <eggert@cs.ucla.edu>, > Lars Ingebrigtsen <larsi@gnus.org>, emacs-devel@gnu.org > > > Can we bump gnutls-min-prime-bits to 1024 on the release branch? > > No, I don't think so. Changing these settings needs a prolonged > testing period to uncover any subtle problems with non-conforming > servers that users must be able to access, and such testing is > unlikely to happen on emacs-26 before the next bug-fix release. > > If we change this now on emacs-26, we should probably not release > Emacs 26.2 before a year goes by. > > I don't understand this. Just because a small amount of people need 256 bit default to connect to some > non-conforming servers, you think the trade-off should be to use a default that put the vast majority of Emacs > users at risk out of the box? No, you are missing my point, I think. I'm saying that changes in these areas tend to cause unintended breakage, and it takes time to uncover those and fix them. We cannot risk such breakage on the release branch without delaying the next bug-fix release too much. IOW, this is about the relative importance of other bugs we fixed since 26.1 and need to be released soon, and this particular issue, which isn't new. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 6:40 ` Eli Zaretskii 2018-06-23 10:21 ` Jimmy Yuen Ho Wong @ 2018-06-23 22:28 ` Noam Postavsky 2018-06-24 14:23 ` Eli Zaretskii 2018-07-05 15:33 ` Perry E. Metzger 2 siblings, 1 reply; 221+ messages in thread From: Noam Postavsky @ 2018-06-23 22:28 UTC (permalink / raw) To: Eli Zaretskii Cc: Lars Magne Ingebrigtsen, Paul Eggert, Jimmy Yuen Ho Wong, Emacs developers On 23 June 2018 at 02:40, Eli Zaretskii <eliz@gnu.org> wrote: >> Can we bump gnutls-min-prime-bits to 1024 on the release branch? > > No, I don't think so. Changing these settings needs a prolonged > testing period to uncover any subtle problems with non-conforming > servers that users must be able to access, and such testing is > unlikely to happen on emacs-26 before the next bug-fix release. I'm not sure what testing would be needed: if the connection to a server fails, the user sets the variable to the previous default. Also, would this attack published in 2015 make a difference to the decision? https://weakdh.org/ https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. RECOMMENDATIONS Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use primes of 2048 bits or larger. Browsers and clients should raise the minimum accepted size for Diffie-Hellman groups to at least 1024 bits in order to avoid downgrade attacks when communicating with servers that still use smaller groups. Primes of less than 1024 bits should not be considered secure, even against an attacker with moderate resources. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 22:28 ` Noam Postavsky @ 2018-06-24 14:23 ` Eli Zaretskii 2018-06-24 14:34 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-06-24 14:23 UTC (permalink / raw) To: Noam Postavsky; +Cc: larsi, eggert, wyuenho, emacs-devel > From: Noam Postavsky <npostavs@gmail.com> > Date: Sat, 23 Jun 2018 18:28:15 -0400 > Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, Paul Eggert <eggert@cs.ucla.edu>, > Jimmy Yuen Ho Wong <wyuenho@gmail.com>, Emacs developers <emacs-devel@gnu.org> > > On 23 June 2018 at 02:40, Eli Zaretskii <eliz@gnu.org> wrote: > > >> Can we bump gnutls-min-prime-bits to 1024 on the release branch? > > > > No, I don't think so. Changing these settings needs a prolonged > > testing period to uncover any subtle problems with non-conforming > > servers that users must be able to access, and such testing is > > unlikely to happen on emacs-26 before the next bug-fix release. > > I'm not sure what testing would be needed: if the connection to a > server fails, the user sets the variable to the previous default. If too many users will have to reset to previous defaults, then what exactly did we accomplish, except annoying those users by having stuff not work OOTB? > Also, would this attack published in 2015 make a difference to the decision? > > https://weakdh.org/ > https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf > > The Logjam attack allows a man-in-the-middle attacker to downgrade > vulnerable TLS connections to 512-bit export-grade cryptography. > > RECOMMENDATIONS > > Server operators should disable DHE_EXPORT and configure DHE > ciphersuites to use primes of 2048 bits or larger. Browsers > and clients should raise the minimum accepted size for > Diffie-Hellman groups to at least 1024 bits in order to avoid > downgrade attacks when communicating with servers that still > use smaller groups. Primes of less than 1024 bits should not > be considered secure, even against an attacker with moderate > resources. Is this relevant to Emacs? Given the explanations by Lars here: http://lists.gnu.org/archive/html/emacs-devel/2018-06/msg00736.html having the GnuTLS related values low is by design, so that NSM (and the users) could be in control of what is allowed, instead of silently failing connections at a low level. Am I missing something? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 14:23 ` Eli Zaretskii @ 2018-06-24 14:34 ` Lars Ingebrigtsen 2018-06-24 14:48 ` Noam Postavsky 2018-06-24 20:58 ` Lars Ingebrigtsen 0 siblings, 2 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-24 14:34 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, emacs-devel, Noam Postavsky, wyuenho Eli Zaretskii <eliz@gnu.org> writes: > Is this relevant to Emacs? Given the explanations by Lars here: > > http://lists.gnu.org/archive/html/emacs-devel/2018-06/msg00736.html > > having the GnuTLS related values low is by design, so that NSM (and > the users) could be in control of what is allowed, instead of silently > failing connections at a low level. Am I missing something? I don't think so, but I partially dropped the ball on this one, for which I apologise. I had meant to implement warnings for this stuff on the default `medium' level instead of letting it remain on the `high' level, but I simply forgot. I'll be changing that on master hopefully sometime next week. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 14:34 ` Lars Ingebrigtsen @ 2018-06-24 14:48 ` Noam Postavsky 2018-06-24 15:30 ` Eli Zaretskii 2018-06-24 20:58 ` Lars Ingebrigtsen 1 sibling, 1 reply; 221+ messages in thread From: Noam Postavsky @ 2018-06-24 14:48 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Eli Zaretskii, Paul Eggert, Jimmy Yuen Ho Wong, Emacs developers On 24 June 2018 at 10:34, Lars Ingebrigtsen <larsi@gnus.org> wrote: > I had meant to implement warnings for this stuff on the default `medium' > level instead of letting it remain on the `high' level, but I simply > forgot. I'll be changing that on master hopefully sometime next week. Yeah, I think that's a good way to block this vulnerability. Though it's unfortunate that we're still going to release a 26.2 which silently accepts primes smaller than 1024 bits by default. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 14:48 ` Noam Postavsky @ 2018-06-24 15:30 ` Eli Zaretskii 2018-06-24 16:57 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-06-24 15:30 UTC (permalink / raw) To: Noam Postavsky; +Cc: larsi, eggert, wyuenho, emacs-devel > From: Noam Postavsky <npostavs@gmail.com> > Date: Sun, 24 Jun 2018 10:48:10 -0400 > Cc: Eli Zaretskii <eliz@gnu.org>, Paul Eggert <eggert@cs.ucla.edu>, > Jimmy Yuen Ho Wong <wyuenho@gmail.com>, > Emacs developers <emacs-devel@gnu.org> > > On 24 June 2018 at 10:34, Lars Ingebrigtsen <larsi@gnus.org> wrote: > > > I had meant to implement warnings for this stuff on the default `medium' > > level instead of letting it remain on the `high' level, but I simply > > forgot. I'll be changing that on master hopefully sometime next week. > > Yeah, I think that's a good way to block this vulnerability. Though > it's unfortunate that we're still going to release a 26.2 which > silently accepts primes smaller than 1024 bits by default. When the changes are pushed to master, we could look at them and consider whether they (or some of their parts) are safe enough for emacs-26. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 15:30 ` Eli Zaretskii @ 2018-06-24 16:57 ` Lars Ingebrigtsen 2018-06-24 17:10 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-24 16:57 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, emacs-devel, Noam Postavsky, wyuenho Eli Zaretskii <eliz@gnu.org> writes: > When the changes are pushed to master, we could look at them and > consider whether they (or some of their parts) are safe enough for > emacs-26. Yup. I'm going through the current recommendations for TLS security, and most of them are straightforward and require just some added NSM checks. However, the check for intermediary sha1 certificates checks requires a C-level change: gnutls.c doesn't expose to Lisp the certificate chain, so I'll have to add that, too. It's not a complicated addition, but it's C level, so you'll have to decide whether something that has the potential for crashing Emacs is worth the risk for Emacs 26.2. But I guess we'll see once I've implemented this (hopefully next week). -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 16:57 ` Lars Ingebrigtsen @ 2018-06-24 17:10 ` Jimmy Yuen Ho Wong 2018-06-24 17:39 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-24 17:10 UTC (permalink / raw) To: Lars Ingebrigtsen, Eli Zaretskii; +Cc: eggert, Noam Postavsky, emacs-devel I have just been looking at how to add OCSP as well, I noticed `gnutls-boot` already accepts `:crlfiles`, I have a `gnutls.el` patch that'll supply it to `gnutls-boot-parameters`. I'm testing it now, but I'm haven't a bit of trouble generating a CRL in PEM. Anyway, do you think it's worth it as a quick win to include in either master to 26.2 if it works? On 24/06/2018 17:57, Lars Ingebrigtsen wrote: > Eli Zaretskii <eliz@gnu.org> writes: > >> When the changes are pushed to master, we could look at them and >> consider whether they (or some of their parts) are safe enough for >> emacs-26. > Yup. > > I'm going through the current recommendations for TLS security, and most > of them are straightforward and require just some added NSM checks. > However, the check for intermediary sha1 certificates checks requires a > C-level change: gnutls.c doesn't expose to Lisp the certificate chain, > so I'll have to add that, too. > > It's not a complicated addition, but it's C level, so you'll have to > decide whether something that has the potential for crashing Emacs is > worth the risk for Emacs 26.2. But I guess we'll see once I've > implemented this (hopefully next week). > ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 17:10 ` Jimmy Yuen Ho Wong @ 2018-06-24 17:39 ` Lars Ingebrigtsen 2018-06-24 18:29 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-24 17:39 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Eli Zaretskii, eggert, Noam Postavsky, emacs-devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > I have just been looking at how to add OCSP as well, I noticed > `gnutls-boot` already accepts `:crlfiles`, I have a `gnutls.el` patch > that'll supply it to `gnutls-boot-parameters`. I'm not quite sure I follow you here. OCSP is the online query stuff, and is something that gnutls doesn't do, I think, and which is probably not something we want to do either. (Chrome doesn't, for instance.) But a certificate revocation list is something we could consider distributing via ELPA, but that's a bigger project... Or do you mean OCSP stapling? There's so much going on in this area (because it's a clusterfuck to begin with) that it can be challenging keeping track. :-) > I'm testing it now, but I'm haven't a bit of trouble generating a CRL > in PEM. Anyway, do you think it's worth it as a quick win to include > in either master to 26.2 if it works? If you're talking about distributing a certificate revocation list with Emacs, I don't think that would be all that useful. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 17:39 ` Lars Ingebrigtsen @ 2018-06-24 18:29 ` Jimmy Yuen Ho Wong 2018-06-24 18:51 ` Eli Zaretskii 2018-06-24 21:30 ` Jimmy Yuen Ho Wong 0 siblings, 2 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-24 18:29 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, emacs-devel [-- Attachment #1: Type: text/plain, Size: 1651 bytes --] > > > I'm not quite sure I follow you here. OCSP is the online query stuff, > and is something that gnutls doesn't do, I think, and which is probably > not something we want to do either. (Chrome doesn't, for instance.) > > GnuTLS has had the ability to do OCSP since 3.1.3 released back in 2012. This is how you do it <https://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html#OCSP-certificate-status-checking> according to the manual. Chrome's primary check OOTB is its own curated CRLSet, but it does use OCSP for some EV certs, and relies on the underlying library to do OCSP <https://dev.chromium.org/Home/chromium-security/crlsets>. You can also enable it in Chrome if you want. > But a certificate revocation list is something we could consider > distributing via ELPA, but that's a bigger project... > > No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`) it looks for now, the same can be done for CRL files. Users can periodically update their CA bundle and CRL bundle. The CA bundle on *nix is typically Mozilla's, which is covered by the default list in `gnutls-trustfiles`. A complete list of CRL in PEM format typically don't exists on most systems, but can be generated with `igtf-ca-bundle` + `fetch-crl`. I just generated them on macOS via MacPorts, Linux should also be a matter of installing a few packages and running `fetch-crl`. > Or do you mean OCSP stapling? There's so much going on in this area > (because it's a clusterfuck to begin with) that it can be challenging > keeping track. :-) > > Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP above. [-- Attachment #2: Type: text/html, Size: 2531 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 18:29 ` Jimmy Yuen Ho Wong @ 2018-06-24 18:51 ` Eli Zaretskii 2018-06-24 21:30 ` Jimmy Yuen Ho Wong 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-24 18:51 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, npostavs, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sun, 24 Jun 2018 19:29:24 +0100 > Cc: Eli Zaretskii <eliz@gnu.org>, Noam Postavsky <npostavs@gmail.com>, Paul Eggert <eggert@cs.ucla.edu>, > emacs-devel@gnu.org > > Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`) it looks for now, the same can be > done for CRL files. Users can periodically update their CA bundle and CRL bundle. On my system, GnuTLS uses HAVE_GNUTLS_X509_SYSTEM_TRUST, and gnutls-trustfiles is not used. The "system trust" is updated whenever the system is updated. I think this is a better arrangement than asking users to maintain their bundles. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 18:29 ` Jimmy Yuen Ho Wong 2018-06-24 18:51 ` Eli Zaretskii @ 2018-06-24 21:30 ` Jimmy Yuen Ho Wong 2018-06-25 1:25 ` Van L 2018-06-25 17:16 ` Eli Zaretskii 1 sibling, 2 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-24 21:30 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, emacs-devel [-- Attachment #1.1: Type: text/plain, Size: 2476 bytes --] Here's the patch to get GnuTLS to do CRL checking. On Debian, you can get a bunch of CRL PEM files by the following: $ sudo apt-get install igtf-policy-bundle $ sudo apt-get install fetch-crl $ sudo fetch-crl -p 8 --format pem On macOS with MacPorts: $ sudo port install igtf-ca-bundle $ sudo fetch-crl -p 8 --format pem Now if you do M-: (url-retrieve-synchronously "https://revoked.grc.com/") RET You should see a prompt from NSM. Possible improvement: Checking static CRL is still spotty. "https://revoked.badssl.com" still fails to trigger a prompt from NSM. For that we'll definitely need OCSP and some of the newer Certificate Transparency tricks. On Sun, Jun 24, 2018 at 7:29 PM, Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > >> I'm not quite sure I follow you here. OCSP is the online query stuff, >> and is something that gnutls doesn't do, I think, and which is probably >> not something we want to do either. (Chrome doesn't, for instance.) >> >> > GnuTLS has had the ability to do OCSP since 3.1.3 released back in 2012. This > is how you do it > <https://www.gnutls.org/manual/html_node/OCSP-certificate-status-checking.html#OCSP-certificate-status-checking> > according to the manual. > > Chrome's primary check OOTB is its own curated CRLSet, but it does use > OCSP for some EV certs, and relies on the underlying library to do OCSP > <https://dev.chromium.org/Home/chromium-security/crlsets>. You can also > enable it in Chrome if you want. > > > >> But a certificate revocation list is something we could consider >> distributing via ELPA, but that's a bigger project... >> >> > No. Emacs has a defined list of CA bundle PEM files (`gnutls-trustfiles`) > it looks for now, the same can be done for CRL files. Users can > periodically update their CA bundle and CRL bundle. The CA bundle on *nix > is typically Mozilla's, which is covered by the default list in > `gnutls-trustfiles`. A complete list of CRL in PEM format typically don't > exists on most systems, but can be generated with `igtf-ca-bundle` + > `fetch-crl`. I just generated them on macOS via MacPorts, Linux should also > be a matter of installing a few packages and running `fetch-crl`. > > >> Or do you mean OCSP stapling? There's so much going on in this area >> (because it's a clusterfuck to begin with) that it can be challenging >> keeping track. :-) >> >> > Nah, it's just a couple more lines of C code. See GnuTLS's manual on OCSP > above. > > [-- Attachment #1.2: Type: text/html, Size: 4032 bytes --] [-- Attachment #2: 0001-Check-TLS-certs-against-CRL.patch --] [-- Type: application/octet-stream, Size: 3140 bytes --] From 9938360f7388ffe92a6979a409d684bbb2c5d867 Mon Sep 17 00:00:00 2001 From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> Date: Sun, 24 Jun 2018 22:08:28 +0100 Subject: [PATCH] Check TLS certs against CRL * lisp/net/gnutls.el (gnutls-boot-parameters): Return `gnutls-crlfiles' in `:crlfiles'. (gnutls-crlfiles): New defcustom. (gnutls--get-files): New defun. (gnutls-trustfiles, gnutls-crlfiles): Delegate to `gnutls--get-files' to return a list of filenames, accepts glob pattern. --- lisp/net/gnutls.el | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 09df019e2e..dff3ce2ec6 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -96,12 +96,25 @@ gnutls-trustfiles "/etc/ssl/cert.pem" ; macOS ) "List of CA bundle location filenames or a function returning said list. +If a file path contains a glob pattern, it will be expanded. The files may be in PEM or DER format, as per the GnuTLS documentation. The files may not exist, in which case they will be ignored." :group 'gnutls :type '(choice (function :tag "Function to produce list of bundle filenames") (repeat (file :tag "Bundle filename")))) +(defcustom gnutls-crlfiles + '( + "/etc/grid-security/certificates/*.crl.pem" + ) + "List of CRL file paths or a function returning said list. +If a file path contains a glob pattern, it will be expanded. +The files may be in PEM or DER format, as per the GnuTLS documentation. +The files may not exist, in which case they will be ignored." + :group 'gnutls + :type '(choice (function :tag "Function to produce list of CRL filenames") + (repeat (file :tag "CRL filename")))) + ;;;###autoload (defcustom gnutls-min-prime-bits 256 ;; Several mail servers send fewer bits than the GnuTLS default. @@ -263,6 +276,7 @@ gnutls-log-level It must be omitted, a number, or nil; if omitted or nil it defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." (let* ((trustfiles (or trustfiles (gnutls-trustfiles))) + (crlfiles (or crlfiles (gnutls-crlfiles))) (maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p)) ":%DUMBFW" "")) @@ -304,13 +318,18 @@ gnutls-log-level :verify-error ,verify-error :callbacks nil))) +(defun gnutls--get-files (files) + (cl-loop for f in files + if f do (setq f (if (functionp f) (funcall f) f)) + append (cl-delete-if-not #'file-exists-p (file-expand-wildcards f t)))) + (defun gnutls-trustfiles () "Return a list of usable trustfiles." - (delq nil - (mapcar (lambda (f) (and f (file-exists-p f) f)) - (if (functionp gnutls-trustfiles) - (funcall gnutls-trustfiles) - gnutls-trustfiles)))) + (gnutls--get-files gnutls-trustfiles)) + +(defun gnutls-crlfiles () + "Return a list of usable CRL files." + (gnutls--get-files gnutls-crlfiles)) (declare-function gnutls-error-string "gnutls.c" (error)) -- 2.18.0 ^ permalink raw reply related [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 21:30 ` Jimmy Yuen Ho Wong @ 2018-06-25 1:25 ` Van L 2018-06-25 2:28 ` Jimmy Yuen Ho Wong 2018-06-25 17:16 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Van L @ 2018-06-25 1:25 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Emacs-Devel devel > Jimmy Yuen Ho Wong wrote: > > On Debian, you can get a bunch of CRL PEM files by the following: > > $ sudo apt-get install igtf-policy-bundle > $ sudo apt-get install fetch-crl > $ sudo fetch-crl -p 8 --format pem On Debian (stretch), do you change sources.list? All packages are up to date. /etc/apt # apt install igtf-policy-bundle Reading package lists... Done Building dependency tree Reading state information... Done E: Unable to locate package igtf-policy-bundle There are `igtf-policy-` things but not `bundle`: https://packages.debian.org/stretch/igtf-policy-iota ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 1:25 ` Van L @ 2018-06-25 2:28 ` Jimmy Yuen Ho Wong 2018-06-25 2:38 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-25 2:28 UTC (permalink / raw) To: Van L; +Cc: Emacs-Devel devel [-- Attachment #1: Type: text/plain, Size: 829 bytes --] It's in misc, so yes, you have to edit sources.list. https://packages.debian.org/source/stretch/igtf-policy-bundle On Mon, Jun 25, 2018 at 2:25 AM, Van L <van@scratch.space> wrote: > > > Jimmy Yuen Ho Wong wrote: > > > > On Debian, you can get a bunch of CRL PEM files by the following: > > > > $ sudo apt-get install igtf-policy-bundle > > $ sudo apt-get install fetch-crl > > $ sudo fetch-crl -p 8 --format pem > > On Debian (stretch), do you change sources.list? > > All packages are up to date. > /etc/apt # apt install igtf-policy-bundle > Reading package lists... Done > Building dependency tree > Reading state information... Done > E: Unable to locate package igtf-policy-bundle > > There are `igtf-policy-` things but not `bundle`: > > https://packages.debian.org/stretch/igtf-policy-iota > [-- Attachment #2: Type: text/html, Size: 1484 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 2:28 ` Jimmy Yuen Ho Wong @ 2018-06-25 2:38 ` Jimmy Yuen Ho Wong 0 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-25 2:38 UTC (permalink / raw) To: Van L; +Cc: Emacs-Devel devel [-- Attachment #1: Type: text/plain, Size: 1037 bytes --] Actually sorry, that's the source package. You should probably install igtf-policy-classic. On Mon, Jun 25, 2018 at 3:28 AM, Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > It's in misc, so yes, you have to edit sources.list. > > https://packages.debian.org/source/stretch/igtf-policy-bundle > > On Mon, Jun 25, 2018 at 2:25 AM, Van L <van@scratch.space> wrote: > >> >> > Jimmy Yuen Ho Wong wrote: >> > >> > On Debian, you can get a bunch of CRL PEM files by the following: >> > >> > $ sudo apt-get install igtf-policy-bundle >> > $ sudo apt-get install fetch-crl >> > $ sudo fetch-crl -p 8 --format pem >> >> On Debian (stretch), do you change sources.list? >> >> All packages are up to date. >> /etc/apt # apt install igtf-policy-bundle >> Reading package lists... Done >> Building dependency tree >> Reading state information... Done >> E: Unable to locate package igtf-policy-bundle >> >> There are `igtf-policy-` things but not `bundle`: >> >> https://packages.debian.org/stretch/igtf-policy-iota >> > > [-- Attachment #2: Type: text/html, Size: 2009 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 21:30 ` Jimmy Yuen Ho Wong 2018-06-25 1:25 ` Van L @ 2018-06-25 17:16 ` Eli Zaretskii 2018-06-25 17:25 ` Jimmy Yuen Ho Wong 2018-06-25 18:06 ` Jimmy Yuen Ho Wong 1 sibling, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-25 17:16 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, npostavs, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sun, 24 Jun 2018 22:30:50 +0100 > Cc: Eli Zaretskii <eliz@gnu.org>, Paul Eggert <eggert@cs.ucla.edu>, > Noam Postavsky <npostavs@gmail.com>, emacs-devel@gnu.org > > Here's the patch to get GnuTLS to do CRL checking. Thanks, a few minor comments: > +(defcustom gnutls-crlfiles > + '( > + "/etc/grid-security/certificates/*.crl.pem" > + ) > + "List of CRL file paths or a function returning said list. > +If a file path contains a glob pattern, it will be expanded. > +The files may be in PEM or DER format, as per the GnuTLS documentation. > +The files may not exist, in which case they will be ignored." > + :group 'gnutls > + :type '(choice (function :tag "Function to produce list of CRL filenames") > + (repeat (file :tag "CRL filename")))) This should have a :version tag. Do we really want/need to allow a function here? Isn't a list of files enough? A function is more dangerous than a string, especially in a security-sensitive place. Finally, I think this defcustom needs to be called out in NEWS. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 17:16 ` Eli Zaretskii @ 2018-06-25 17:25 ` Jimmy Yuen Ho Wong 2018-06-25 18:06 ` Jimmy Yuen Ho Wong 1 sibling, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-25 17:25 UTC (permalink / raw) To: Eli Zaretskii Cc: Lars Ingebrigtsen, Paul Eggert, Noam Postavsky, Emacs-Devel devel [-- Attachment #1: Type: text/plain, Size: 385 bytes --] > > This should have a :version tag. > I'll update the patch. > > Do we really want/need to allow a function here? Isn't a list of > files enough? A function is more dangerous than a string, especially > in a security-sensitive place. > It's just convenient. fetch-crl will generate close to 100+ CRL PEM files, so it's a bit impractical to enter by hand. Thanks for reviewing! [-- Attachment #2: Type: text/html, Size: 878 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 17:16 ` Eli Zaretskii 2018-06-25 17:25 ` Jimmy Yuen Ho Wong @ 2018-06-25 18:06 ` Jimmy Yuen Ho Wong 1 sibling, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-25 18:06 UTC (permalink / raw) To: Eli Zaretskii Cc: Lars Ingebrigtsen, Paul Eggert, Noam Postavsky, Emacs-Devel devel [-- Attachment #1.1: Type: text/plain, Size: 1715 bytes --] Here's the updated patch. Suggested material to include in the manual or NEWS: Emacs now has preliminary checks for revoked TLS certificates. To utililize this feature, users are advised to install the IGTF trust anchor distribution and FetchCRL packages for their system, and update their .crl.pem files periodically in order to get the most updated Certificate Revocation Lists. Refer to the docstring of `gnutls-crlfiles' for details on how to supply their file locations to Emacs. On Mon, Jun 25, 2018 at 6:16 PM, Eli Zaretskii <eliz@gnu.org> wrote: > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Sun, 24 Jun 2018 22:30:50 +0100 > > Cc: Eli Zaretskii <eliz@gnu.org>, Paul Eggert <eggert@cs.ucla.edu>, > > Noam Postavsky <npostavs@gmail.com>, emacs-devel@gnu.org > > > > Here's the patch to get GnuTLS to do CRL checking. > > Thanks, a few minor comments: > > > +(defcustom gnutls-crlfiles > > + '( > > + "/etc/grid-security/certificates/*.crl.pem" > > + ) > > + "List of CRL file paths or a function returning said list. > > +If a file path contains a glob pattern, it will be expanded. > > +The files may be in PEM or DER format, as per the GnuTLS documentation. > > +The files may not exist, in which case they will be ignored." > > + :group 'gnutls > > + :type '(choice (function :tag "Function to produce list of CRL > filenames") > > + (repeat (file :tag "CRL filename")))) > > This should have a :version tag. > > Do we really want/need to allow a function here? Isn't a list of > files enough? A function is more dangerous than a string, especially > in a security-sensitive place. > > Finally, I think this defcustom needs to be called out in NEWS. > [-- Attachment #1.2: Type: text/html, Size: 2577 bytes --] [-- Attachment #2: 0001-Check-TLS-certs-against-CRL.patch --] [-- Type: application/octet-stream, Size: 3164 bytes --] From 9a9b4232a28fc8a20d0d217e90541f5c7e27c7dd Mon Sep 17 00:00:00 2001 From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> Date: Mon, 25 Jun 2018 18:46:57 +0100 Subject: [PATCH] Check TLS certs against CRL * lisp/net/gnutls.el (gnutls-boot-parameters): Return `gnutls-crlfiles' in `:crlfiles'. (gnutls-crlfiles): New defcustom. (gnutls--get-files): New defun. (gnutls-trustfiles, gnutls-crlfiles): Delegate to `gnutls--get-files' to return a list of filenames, accepts glob pattern. --- lisp/net/gnutls.el | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/lisp/net/gnutls.el b/lisp/net/gnutls.el index 09df019e2e..650dbf8943 100644 --- a/lisp/net/gnutls.el +++ b/lisp/net/gnutls.el @@ -96,12 +96,26 @@ gnutls-trustfiles "/etc/ssl/cert.pem" ; macOS ) "List of CA bundle location filenames or a function returning said list. +If a file path contains glob wildcards, they will be expanded. The files may be in PEM or DER format, as per the GnuTLS documentation. The files may not exist, in which case they will be ignored." :group 'gnutls :type '(choice (function :tag "Function to produce list of bundle filenames") (repeat (file :tag "Bundle filename")))) +(defcustom gnutls-crlfiles + '( + "/etc/grid-security/certificates/*.crl.pem" + ) + "List of CRL file paths or a function returning said list. +If a file path contains glob wildcards, they will be expanded. +The files may be in PEM or DER format, as per the GnuTLS documentation. +The files may not exist, in which case they will be ignored." + :group 'gnutls + :type '(choice (function :tag "Function to produce list of CRL filenames") + (repeat (file :tag "CRL filename"))) + :version "27.1") + ;;;###autoload (defcustom gnutls-min-prime-bits 256 ;; Several mail servers send fewer bits than the GnuTLS default. @@ -263,6 +277,7 @@ gnutls-log-level It must be omitted, a number, or nil; if omitted or nil it defaults to GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT." (let* ((trustfiles (or trustfiles (gnutls-trustfiles))) + (crlfiles (or crlfiles (gnutls-crlfiles))) (maybe-dumbfw (if (memq 'ClientHello\ Padding (gnutls-available-p)) ":%DUMBFW" "")) @@ -304,13 +319,18 @@ gnutls-log-level :verify-error ,verify-error :callbacks nil))) +(defun gnutls--get-files (files) + (cl-loop for f in files + if f do (setq f (if (functionp f) (funcall f) f)) + append (cl-delete-if-not #'file-exists-p (file-expand-wildcards f t)))) + (defun gnutls-trustfiles () "Return a list of usable trustfiles." - (delq nil - (mapcar (lambda (f) (and f (file-exists-p f) f)) - (if (functionp gnutls-trustfiles) - (funcall gnutls-trustfiles) - gnutls-trustfiles)))) + (gnutls--get-files gnutls-trustfiles)) + +(defun gnutls-crlfiles () + "Return a list of usable CRL files." + (gnutls--get-files gnutls-crlfiles)) (declare-function gnutls-error-string "gnutls.c" (error)) -- 2.18.0 ^ permalink raw reply related [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 14:34 ` Lars Ingebrigtsen 2018-06-24 14:48 ` Noam Postavsky @ 2018-06-24 20:58 ` Lars Ingebrigtsen 2018-06-24 21:07 ` Lars Ingebrigtsen ` (2 more replies) 1 sibling, 3 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-24 20:58 UTC (permalink / raw) To: Eli Zaretskii; +Cc: wyuenho, eggert, Noam Postavsky, emacs-devel Lars Ingebrigtsen <larsi@gnus.org> writes: > I had meant to implement warnings for this stuff on the default `medium' > level instead of letting it remain on the `high' level, but I simply > forgot. I'll be changing that on master hopefully sometime next week. Or today! I've now pushed the changes to master, so let me know if I accidentally broke all Emacs network traffic. It seems to be working OK for me, though... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 20:58 ` Lars Ingebrigtsen @ 2018-06-24 21:07 ` Lars Ingebrigtsen 2018-06-24 22:47 ` Jimmy Yuen Ho Wong 2018-06-24 21:28 ` Noam Postavsky 2018-06-25 16:06 ` Eli Zaretskii 2 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-24 21:07 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, emacs-devel, wyuenho, Noam Postavsky Lars Ingebrigtsen <larsi@gnus.org> writes: > I've now pushed the changes to master, so let me know if I accidentally > broke all Emacs network traffic. It seems to be working OK for me, > though... (And we may want to tweak what tests are on the `medium' level. Let me know whether the tests trigger a lot in an annoying way.) -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 21:07 ` Lars Ingebrigtsen @ 2018-06-24 22:47 ` Jimmy Yuen Ho Wong 2018-06-25 0:04 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-24 22:47 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, emacs-devel [-- Attachment #1: Type: text/plain, Size: 760 bytes --] The sha1-intermediate test still fails on 'medium. Also, shouldn't `network-security-protocol-checks' be a defcustom? Lastly, are the dh-small-subgroup and dh-composite tests possible to check in LISP? Thanks for your work! On Sun, Jun 24, 2018 at 10:07 PM, Lars Ingebrigtsen <larsi@gnus.org> wrote: > Lars Ingebrigtsen <larsi@gnus.org> writes: > > > I've now pushed the changes to master, so let me know if I accidentally > > broke all Emacs network traffic. It seems to be working OK for me, > > though... > > (And we may want to tweak what tests are on the `medium' level. Let me > know whether the tests trigger a lot in an annoying way.) > > -- > (domestic pets only, the antidote for overdose, milk.) > bloggy blog: http://lars.ingebrigtsen.no > [-- Attachment #2: Type: text/html, Size: 1331 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 22:47 ` Jimmy Yuen Ho Wong @ 2018-06-25 0:04 ` Lars Ingebrigtsen 2018-06-25 0:33 ` Noam Postavsky 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-25 0:04 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, emacs-devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > The sha1-intermediate test still fails on 'medium. Hm! I thought the problem was with SHA1 for intermediate certificates, not root certificates? But this is the certificate chain from https://sha1-intermediate.badssl.com/ ((:version 3 :serial-number "00:be:00:42:69:d7:58:79:57:10:3c:04:e7:aa:4e:d8:b2" :issuer "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA" :valid-from "2017-04-13" :valid-to "2020-05-30" :subject "OU=Domain Control Validated,OU=COMODO SSL Wildcard,CN=*.badssl.com" :public-key-algorithm "RSA" :certificate-security-level "Medium" :signature-algorithm "RSA-SHA256") (:version 3 :serial-number "6e:ba:f0:8f:79:83:fa:9d:e1:b2:6f:96:fc:6e:98:bf" :issuer "C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root" :valid-from "2011-08-23" :valid-to "2020-05-30" :subject "C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO SSL CA" :public-key-algorithm "RSA" :certificate-security-level "Medium" :signature-algorithm "RSA-SHA1")) So the SHA1 is in the last certificate there, but it's the intermediary... Here's the one from eternal-september: ((:version 3 :serial-number "03:6f:ea:f0:ef:6e:57:9c:11:94:8c:1d:0e:9e:5a:a5:a7:8d" :issuer "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3" :valid-from "2018-05-07" :valid-to "2018-08-05" :subject "CN=news.eternal-september.org" :public-key-algorithm "RSA" :certificate-security-level "Medium" :signature-algorithm "RSA-SHA256") (:version 3 :serial-number "0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08" :issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3" :valid-from "2016-03-17" :valid-to "2021-03-17" :subject "C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3" :public-key-algorithm "RSA" :certificate-security-level "Medium" :signature-algorithm "RSA-SHA256") (:version 3 :serial-number "44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b" :issuer "O=Digital Signature Trust Co.,CN=DST Root CA X3" :valid-from "2000-09-30" :valid-to "2021-09-30" :subject "O=Digital Signature Trust Co.,CN=DST Root CA X3" :public-key-algorithm "RSA" :certificate-security-level "Medium" :signature-algorithm "RSA-SHA1")) The third certificate here also has SHA1... but that's the root certificate? *google* Oh, I see. Some servers include the root certificate (redundantly), and some don't. How do I determine whether a certificate is a root certificate, then? There must be a way... I tried googling but didn't immediately find anything. > Also, shouldn't `network-security-protocol-checks' be a defcustom? Possibly, but editing alists in customize isn't very pleasant. > Lastly, are the dh-small-subgroup and dh-composite tests possible to > check in LISP? I wondered about that, too. I couldn't find anything in the gnutls API, but it's pretty big and I could well have missed something. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 0:04 ` Lars Ingebrigtsen @ 2018-06-25 0:33 ` Noam Postavsky 2018-06-25 0:36 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Noam Postavsky @ 2018-06-25 0:33 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Eli Zaretskii, Paul Eggert, Jimmy Yuen Ho Wong, Emacs developers On 24 June 2018 at 20:04, Lars Ingebrigtsen <larsi@gnus.org> wrote: > *google* Oh, I see. Some servers include the root certificate > (redundantly), and some don't. How do I determine whether a certificate > is a root certificate, then? There must be a way... I tried googling > but didn't immediately find anything. Check if :issuer equals :subject? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 0:33 ` Noam Postavsky @ 2018-06-25 0:36 ` Lars Ingebrigtsen 0 siblings, 0 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-25 0:36 UTC (permalink / raw) To: Noam Postavsky Cc: Eli Zaretskii, Paul Eggert, Jimmy Yuen Ho Wong, Emacs developers Noam Postavsky <npostavs@gmail.com> writes: > On 24 June 2018 at 20:04, Lars Ingebrigtsen <larsi@gnus.org> wrote: > >> *google* Oh, I see. Some servers include the root certificate >> (redundantly), and some don't. How do I determine whether a certificate >> is a root certificate, then? There must be a way... I tried googling >> but didn't immediately find anything. > > Check if :issuer equals :subject? Ah, yes, of course. Thanks. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 20:58 ` Lars Ingebrigtsen 2018-06-24 21:07 ` Lars Ingebrigtsen @ 2018-06-24 21:28 ` Noam Postavsky 2018-06-24 21:57 ` Lars Ingebrigtsen 2018-06-25 16:06 ` Eli Zaretskii 2 siblings, 1 reply; 221+ messages in thread From: Noam Postavsky @ 2018-06-24 21:28 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Eli Zaretskii, Paul Eggert, Jimmy Yuen Ho Wong, Emacs developers On 24 June 2018 at 16:58, Lars Ingebrigtsen <larsi@gnus.org> wrote: > I've now pushed the changes to master, so let me know if I accidentally > broke all Emacs network traffic. It seems to be working OK for me, > though... Seems to be working for me too. I noticed a bit of copy-pasta in the manual updates: +@item @acronym{3DES} cipther +The @acronym{RC4} stream cipher is believed by some to be of low +quality and may allow eavesdropping by third parties. Perhaps something along the lines of: @item @acronym{3DES} cipher The @acronym{3DES} stream cipher provides at most 112 bits of effective security, which is considered to be towards the low end. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 21:28 ` Noam Postavsky @ 2018-06-24 21:57 ` Lars Ingebrigtsen 0 siblings, 0 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-24 21:57 UTC (permalink / raw) To: Noam Postavsky Cc: Eli Zaretskii, Paul Eggert, Jimmy Yuen Ho Wong, Emacs developers Noam Postavsky <npostavs@gmail.com> writes: > Perhaps something along the lines of: > > @item @acronym{3DES} cipher > The @acronym{3DES} stream cipher provides at most 112 bits of > effective security, which is considered to be towards the low end. Thanks; updated. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-24 20:58 ` Lars Ingebrigtsen 2018-06-24 21:07 ` Lars Ingebrigtsen 2018-06-24 21:28 ` Noam Postavsky @ 2018-06-25 16:06 ` Eli Zaretskii 2018-06-25 16:29 ` Jimmy Yuen Ho Wong ` (2 more replies) 2 siblings, 3 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-25 16:06 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: wyuenho, eggert, npostavs, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: eggert@cs.ucla.edu, emacs-devel@gnu.org, Noam Postavsky <npostavs@gmail.com>, wyuenho@gmail.com > Date: Sun, 24 Jun 2018 22:58:28 +0200 > > Lars Ingebrigtsen <larsi@gnus.org> writes: > > > I had meant to implement warnings for this stuff on the default `medium' > > level instead of letting it remain on the `high' level, but I simply > > forgot. I'll be changing that on master hopefully sometime next week. > > Or today! > > I've now pushed the changes to master, so let me know if I accidentally > broke all Emacs network traffic. It seems to be working OK for me, > though... Thanks for working on this. Allow me a few comments, with an eye towards getting at least some of this to the emacs-26 branch: . First, the NEWS entry should tell users how to get the previous (less secure) behavior if they want. I think this also calls for a better documentation of the elements that can appear in network-security-protocol-checks. . The change to gnutls-peer-status is not reflected in its doc string and is not called out in NEWS. . Do I understand correctly that most of the changes, including those in gnutls.c, are so that intermediary certificates could be verified? If so, would it make sense to omit that for emacs-26, and only beef up the medium level of security in NSM with the rest of the checks? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:06 ` Eli Zaretskii @ 2018-06-25 16:29 ` Jimmy Yuen Ho Wong 2018-06-25 16:58 ` Lars Ingebrigtsen 2018-06-25 17:17 ` Eli Zaretskii 2018-06-25 16:55 ` Lars Ingebrigtsen 2018-07-06 9:01 ` Eli Zaretskii 2 siblings, 2 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-25 16:29 UTC (permalink / raw) To: Eli Zaretskii Cc: Lars Ingebrigtsen, Paul Eggert, Noam Postavsky, Emacs-Devel devel [-- Attachment #1: Type: text/plain, Size: 1713 bytes --] My CRL patch should work on Emacs 26.x as well. Sorry I don't know how you typically submit patches, so I just replied in the email chain. Let me know if that's not sufficient. On Mon, Jun 25, 2018 at 5:06 PM, Eli Zaretskii <eliz@gnu.org> wrote: > > From: Lars Ingebrigtsen <larsi@gnus.org> > > Cc: eggert@cs.ucla.edu, emacs-devel@gnu.org, Noam Postavsky < > npostavs@gmail.com>, wyuenho@gmail.com > > Date: Sun, 24 Jun 2018 22:58:28 +0200 > > > > Lars Ingebrigtsen <larsi@gnus.org> writes: > > > > > I had meant to implement warnings for this stuff on the default > `medium' > > > level instead of letting it remain on the `high' level, but I simply > > > forgot. I'll be changing that on master hopefully sometime next week. > > > > Or today! > > > > I've now pushed the changes to master, so let me know if I accidentally > > broke all Emacs network traffic. It seems to be working OK for me, > > though... > > Thanks for working on this. > > Allow me a few comments, with an eye towards getting at least some of > this to the emacs-26 branch: > > . First, the NEWS entry should tell users how to get the previous > (less secure) behavior if they want. I think this also calls for a > better documentation of the elements that can appear in > network-security-protocol-checks. > > . The change to gnutls-peer-status is not reflected in its doc string > and is not called out in NEWS. > > . Do I understand correctly that most of the changes, including those > in gnutls.c, are so that intermediary certificates could be > verified? If so, would it make sense to omit that for emacs-26, > and only beef up the medium level of security in NSM with the rest > of the checks? > [-- Attachment #2: Type: text/html, Size: 2489 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:29 ` Jimmy Yuen Ho Wong @ 2018-06-25 16:58 ` Lars Ingebrigtsen 2018-06-25 17:08 ` Jimmy Yuen Ho Wong 2018-06-25 17:09 ` Eli Zaretskii 2018-06-25 17:17 ` Eli Zaretskii 1 sibling, 2 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-25 16:58 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > My CRL patch should work on Emacs 26.x as well. Sorry I don't know how you > typically submit patches, so I just replied in the email chain. Let me know if > that's not sufficient. Sorry; I haven't reviewed the patch yet, but I'll try to do so later this week. Do you have FSF copyright assignment papers on file? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:58 ` Lars Ingebrigtsen @ 2018-06-25 17:08 ` Jimmy Yuen Ho Wong 2018-06-25 17:18 ` Eli Zaretskii 2018-06-25 17:09 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-25 17:08 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, Emacs-Devel devel [-- Attachment #1: Type: text/plain, Size: 648 bytes --] No I don't. How do I do that? Thanks in advance for reviewing the patch. On Mon, 25 Jun 2018 at 5:58 pm, Lars Ingebrigtsen <larsi@gnus.org> wrote: > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > My CRL patch should work on Emacs 26.x as well. Sorry I don't know how > you > > typically submit patches, so I just replied in the email chain. Let me > know if > > that's not sufficient. > > Sorry; I haven't reviewed the patch yet, but I'll try to do so later > this week. > > Do you have FSF copyright assignment papers on file? > > -- > (domestic pets only, the antidote for overdose, milk.) > bloggy blog: http://lars.ingebrigtsen.no > [-- Attachment #2: Type: text/html, Size: 1105 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 17:08 ` Jimmy Yuen Ho Wong @ 2018-06-25 17:18 ` Eli Zaretskii 2018-06-30 17:40 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-06-25 17:18 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, npostavs, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Mon, 25 Jun 2018 18:08:37 +0100 > Cc: Eli Zaretskii <eliz@gnu.org>, Emacs-Devel devel <emacs-devel@gnu.org>, > Noam Postavsky <npostavs@gmail.com>, Paul Eggert <eggert@cs.ucla.edu> > > No I don't. How do I do that? Thanks in advance for reviewing the patch. Form sent off-list. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 17:18 ` Eli Zaretskii @ 2018-06-30 17:40 ` Jimmy Yuen Ho Wong 2018-06-30 18:04 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-30 17:40 UTC (permalink / raw) To: Eli Zaretskii Cc: Lars Ingebrigtsen, Paul Eggert, Noam Postavsky, Emacs-Devel devel I've signed the copyright assignment form. Gnu should have my records on file now. Thanks. On Mon, Jun 25, 2018 at 6:18 PM, Eli Zaretskii <eliz@gnu.org> wrote: >> From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> >> Date: Mon, 25 Jun 2018 18:08:37 +0100 >> Cc: Eli Zaretskii <eliz@gnu.org>, Emacs-Devel devel <emacs-devel@gnu.org>, >> Noam Postavsky <npostavs@gmail.com>, Paul Eggert <eggert@cs.ucla.edu> >> >> No I don't. How do I do that? Thanks in advance for reviewing the patch. > > Form sent off-list. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-30 17:40 ` Jimmy Yuen Ho Wong @ 2018-06-30 18:04 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-30 18:04 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, npostavs, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sat, 30 Jun 2018 18:40:27 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org>, > Noam Postavsky <npostavs@gmail.com>, Paul Eggert <eggert@cs.ucla.edu> > > I've signed the copyright assignment form. Gnu should have my records > on file now. Not yet, they don't. I guess we need to wait for a few more days. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:58 ` Lars Ingebrigtsen 2018-06-25 17:08 ` Jimmy Yuen Ho Wong @ 2018-06-25 17:09 ` Eli Zaretskii 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-25 17:09 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: eggert, npostavs, wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: Eli Zaretskii <eliz@gnu.org>, Paul Eggert <eggert@cs.ucla.edu>, Emacs-Devel devel <emacs-devel@gnu.org>, Noam Postavsky <npostavs@gmail.com> > Date: Mon, 25 Jun 2018 18:58:27 +0200 > > Do you have FSF copyright assignment papers on file? No. But the patch is small enough to be considered "tiny". ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:29 ` Jimmy Yuen Ho Wong 2018-06-25 16:58 ` Lars Ingebrigtsen @ 2018-06-25 17:17 ` Eli Zaretskii 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-25 17:17 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, npostavs, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Mon, 25 Jun 2018 17:29:32 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Paul Eggert <eggert@cs.ucla.edu>, > Noam Postavsky <npostavs@gmail.com>, > Emacs-Devel devel <emacs-devel@gnu.org> > > My CRL patch should work on Emacs 26.x as well. It's a new feature, so I think it should go to master. Thanks. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:06 ` Eli Zaretskii 2018-06-25 16:29 ` Jimmy Yuen Ho Wong @ 2018-06-25 16:55 ` Lars Ingebrigtsen 2018-06-25 17:06 ` Eli Zaretskii ` (2 more replies) 2018-07-06 9:01 ` Eli Zaretskii 2 siblings, 3 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-25 16:55 UTC (permalink / raw) To: Eli Zaretskii; +Cc: wyuenho, eggert, npostavs, emacs-devel Eli Zaretskii <eliz@gnu.org> writes: > Allow me a few comments, with an eye towards getting at least some of > this to the emacs-26 branch: > > . First, the NEWS entry should tell users how to get the previous > (less secure) behavior if they want. I think this also calls for a > better documentation of the elements that can appear in > network-security-protocol-checks. > > . The change to gnutls-peer-status is not reflected in its doc string > and is not called out in NEWS. Yes, true. I'll do that later this week. > . Do I understand correctly that most of the changes, including those > in gnutls.c, are so that intermediary certificates could be > verified? If so, would it make sense to omit that for emacs-26, > and only beef up the medium level of security in NSM with the rest > of the checks? Yes, that is definitely a possibility. The nsm.el changes should be safe to backport (after they've been in master for a couple of weeks so that people can test them), while the gnutls.c change might be more dangerous. However, the thing that's protecting against (a SHA1 intermediate certificate (oops, I see I've called it "intermediary" in the code and doc; I'll fix that now)) is, I seem to remember, now being considered a realistic attack (i.e., you can generate valid-looking fake certificates based on one). Or do I misremember? I tried googling now, and I couldn't find anybody actually achieving that yet... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:55 ` Lars Ingebrigtsen @ 2018-06-25 17:06 ` Eli Zaretskii 2018-06-25 17:20 ` Jimmy Yuen Ho Wong 2018-07-08 11:43 ` Lars Ingebrigtsen 2 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-25 17:06 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: wyuenho, eggert, npostavs, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: eggert@cs.ucla.edu, emacs-devel@gnu.org, npostavs@gmail.com, wyuenho@gmail.com > Date: Mon, 25 Jun 2018 18:55:22 +0200 > > > . Do I understand correctly that most of the changes, including those > > in gnutls.c, are so that intermediary certificates could be > > verified? If so, would it make sense to omit that for emacs-26, > > and only beef up the medium level of security in NSM with the rest > > of the checks? > > Yes, that is definitely a possibility. The nsm.el changes should be > safe to backport (after they've been in master for a couple of weeks so > that people can test them), while the gnutls.c change might be more > dangerous. > > However, the thing that's protecting against (a SHA1 intermediate > certificate (oops, I see I've called it "intermediary" in the code and > doc; I'll fix that now)) is, I seem to remember, now being considered a > realistic attack (i.e., you can generate valid-looking fake certificates > based on one). If this is deemed a very serious vulnerability (I'm not an expert on these matters), then I guess we will have to wait longer before we backport the changes to emacs-26. Thanks. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:55 ` Lars Ingebrigtsen 2018-06-25 17:06 ` Eli Zaretskii @ 2018-06-25 17:20 ` Jimmy Yuen Ho Wong 2018-06-25 17:33 ` Lars Ingebrigtsen 2018-07-08 11:43 ` Lars Ingebrigtsen 2 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-25 17:20 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, Emacs-Devel devel [-- Attachment #1: Type: text/plain, Size: 688 bytes --] > > However, the thing that's protecting against (a SHA1 intermediate > certificate (oops, I see I've called it "intermediary" in the code and > doc; I'll fix that now)) is, I seem to remember, now being considered a > realistic attack (i.e., you can generate valid-looking fake certificates > based on one). > > Or do I misremember? I tried googling now, and I couldn't find anybody > actually achieving that yet... > > It's all about collisions[1], it's mostly a precaution, as no one has found an actual collistion for a cert yet, but Google has found collision for PDF last year [2]. [1]: https://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html [2]: https://shattered.io/ [-- Attachment #2: Type: text/html, Size: 1158 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 17:20 ` Jimmy Yuen Ho Wong @ 2018-06-25 17:33 ` Lars Ingebrigtsen 2018-07-05 15:52 ` Perry E. Metzger 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-06-25 17:33 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Eli Zaretskii, Paul Eggert, Noam Postavsky, Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > It's all about collisions[1], it's mostly a precaution, as no one has found an > actual collistion for a cert yet, but Google has found collision for PDF last year > [2]. Ah, OK, then the SHA1 intermediate check isn't that vital. (I think the PDF collision was a cheat, anyway, since they just generated a lot of binary junk in a non-parsed section of the PDF. :-) ) -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 17:33 ` Lars Ingebrigtsen @ 2018-07-05 15:52 ` Perry E. Metzger 2018-07-05 15:58 ` Jimmy Yuen Ho Wong 2018-07-05 18:43 ` Noam Postavsky 0 siblings, 2 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 15:52 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Eli Zaretskii, Paul Eggert, Emacs-Devel devel, Jimmy Yuen Ho Wong, Noam Postavsky On Mon, 25 Jun 2018 19:33:49 +0200 Lars Ingebrigtsen <larsi@gnus.org> wrote: > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > It's all about collisions[1], it's mostly a precaution, as no one > > has found an actual collistion for a cert yet, but Google has > > found collision for PDF last year [2]. > > Ah, OK, then the SHA1 intermediate check isn't that vital. It is, actually. It's believed to be straightforward for national actors to forge intermediate certificates at this point. > (I think the PDF collision was a cheat, anyway, since they just > generated a lot of binary junk in a non-parsed section of the > PDF. :-) ) One of the rules in this game is attacks get better with time. Not that long after the first certificational attacks on MD5, it was discovered that parties unknown, generally thought to be nation-state actors, had been forging signatures on Microsoft software updates using MD5 collisions to enable what they were doing. I would make sure that SHA-1 defenses are in place. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:52 ` Perry E. Metzger @ 2018-07-05 15:58 ` Jimmy Yuen Ho Wong 2018-07-05 16:36 ` Perry E. Metzger 2018-07-05 18:32 ` Eli Zaretskii 2018-07-05 18:43 ` Noam Postavsky 1 sibling, 2 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-05 15:58 UTC (permalink / raw) To: Perry E. Metzger Cc: Lars Ingebrigtsen, Paul Eggert, Emacs-Devel devel, Eli Zaretskii, Noam Postavsky Ok I think I should let people know what my current plans are to avoid miscommunications: 1. Certificate pinning - HTTP Public Key Pinning is currently used by some browsers, but it's problematic. Chrome will remove it in Chrome 69[1] and go full-on Certificate Transparency (CT). 2. NSM has its own kind of certificate pinning, which is basically reinventing `$gnutls-cli --tofu`. It has a couple of problems, such as not being able to store multiple fingerprints (Google load balance between 2 certs signed by 2 different public keys), I have fixed them in my branch. I'll publish it soon. 3. There are a few security theatrics in NSM ATM, 'paranoid level is BS. If that level is justified, you can justify turning off your network card. I have removed it in my branch. 4. Certificate pinning is only a very very very small part of the entire suite of measures needed to securely deploy TLS on the client. There are a whole host of cipher suite and TLS extension checks missing in NSM currently. The current set of best practices RFC is RFC 7525. I have implemented most of the recommendations minus those not applicable to GnuTLS and some big ones like OCSP and CT. 5. The way `gnutls-min-prime-bits` was handled in whatever that bug number was was never appropriate. 256-bit default was never a good idea. I have defaulted it to `nil` in my branch, which tells GnuTLS to use an appropriate bit length according to the priority string (generally > 1024). If this breaks anyone's config, they have one of 2 options - 1) manually set `gnutls-min-prime-bits` back to whatever you were using and keep putting yourself at risk, and/or 2) complaint to your server's admin. 6. GnuTLS is behind in some features such as CT, and enables a shit ton of ciphers by default that OpenSSL has disabled. It's so seldomly used and looked at by researchers that I bet it's full of holes. Paradoxically, this is also its advantage. It's so seldomly used, mostly OpenSSL specific attacks don't apply to it. I'm not too concerned about GnuTLS at the moment. 7. Here's a preview of the latest set of checks in my fix-nsm-branch (defcustom nsm-tls-checks '((nsm-tls-check-verify-cert . low) (nsm-tls-check-same-cert . medium) (nsm-tls-check-version . medium) (nsm-tls-check-compression . medium) (nsm-tls-check-renegotiation-info-ext . medium) (nsm-tls-check-null-suite . medium) (nsm-tls-check-cbc-cipher . high) (nsm-tls-check-ecdsa-cbc-cipher . medium) (nsm-tls-check-3des-cipher . medium) (nsm-tls-check-rc4-cipher . medium) (nsm-tls-check-sha1-sig . medium) (nsm-tls-check-md5-sig . medium) (nsm-tls-check-rsa-kx . high) (nsm-tls-check-dhe-prime-kx . medium) (nsm-tls-check-dhe-kx . high) (nsm-tls-check-export-kx . medium) (nsm-tls-check-anon-kx . medium)) "This variable specifies what TLS connection checks to perform. It's an alist where the key is the name of the check, and the value is the minimum security level the check should begin. Each check function is called with the parameters HOST PORT STATUS SETTINGS. HOST is the host domain, PORT is a TCP port number, STATUS is the peer status returned by `gnutls-peer-status', and SETTINGS is the persistent and session settings for the host HOST. Please refer to the contents of `nsm-setting-file' for details. If a problem is found, the check function is required to return an error message, and nil otherwise. See also: `nsm-check-tls-connection', `nsm-save-host-names', `nsm-settings-file'" :version "27.1" :group 'nsm :type '(repeat (cons (function :tag "Check function") (choice :tag "Level" :value medium (const :tag "Low" low) (const :tag "Medium" medium) (const :tag "High" high))))) [1]: https://www.chromestatus.com/features/5903385005916160 [2]: https://tools.ietf.org/html/rfc7525 On Thu, Jul 5, 2018 at 4:52 PM, Perry E. Metzger <perry@piermont.com> wrote: > On Mon, 25 Jun 2018 19:33:49 +0200 Lars Ingebrigtsen <larsi@gnus.org> > wrote: >> Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: >> >> > It's all about collisions[1], it's mostly a precaution, as no one >> > has found an actual collistion for a cert yet, but Google has >> > found collision for PDF last year [2]. >> >> Ah, OK, then the SHA1 intermediate check isn't that vital. > > It is, actually. It's believed to be straightforward for national > actors to forge intermediate certificates at this point. > >> (I think the PDF collision was a cheat, anyway, since they just >> generated a lot of binary junk in a non-parsed section of the >> PDF. :-) ) > > One of the rules in this game is attacks get better with time. Not > that long after the first certificational attacks on MD5, it was > discovered that parties unknown, generally thought to be nation-state > actors, had been forging signatures on Microsoft software updates > using MD5 collisions to enable what they were doing. > > I would make sure that SHA-1 defenses are in place. > > Perry > -- > Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:58 ` Jimmy Yuen Ho Wong @ 2018-07-05 16:36 ` Perry E. Metzger 2018-07-05 16:51 ` Jimmy Yuen Ho Wong 2018-07-05 18:32 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 16:36 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Lars Ingebrigtsen, Paul Eggert, Emacs-Devel devel, Eli Zaretskii, Noam Postavsky On Thu, 5 Jul 2018 16:58:26 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > Ok I think I should let people know what my current plans are to > avoid miscommunications: > > 1. Certificate pinning - HTTP Public Key Pinning is currently used > by some browsers, but it's problematic. Chrome will remove it in > Chrome 69[1] and go full-on Certificate Transparency (CT). CT is definitely the long term solution. If CT is in place there's no need for pinning, which was a more interim measure. > 2. NSM has its own kind of certificate pinning, which is basically > reinventing `$gnutls-cli --tofu`. It has a couple of problems, such > as not being able to store multiple fingerprints (Google load > balance between 2 certs signed by 2 different public keys), I have > fixed them in my branch. I'll publish it soon. > > 3. There are a few security theatrics in NSM ATM, 'paranoid level is > BS. If that level is justified, you can justify turning off your > network card. I have removed it in my branch. We are best off doing what the browser vendors are doing (Chrome, Firefox, and Safari generally being good exemplars.) > 4. Certificate pinning is only a very very very small part of the > entire suite of measures needed to securely deploy TLS on the > client. There are a whole host of cipher suite and TLS extension > checks missing in NSM currently. The current set of best practices > RFC is RFC 7525. I have implemented most of the recommendations > minus those not applicable to GnuTLS and some big ones like OCSP > and CT. Good to hear. CT will be needed eventually. OpenSSL does implement it, if GnuTLS does not, that's another strike against GnuTLS. > 5. The way `gnutls-min-prime-bits` was handled in whatever that bug > number was was never appropriate. 256-bit default was never a good > idea. I have defaulted it to `nil` in my branch, which tells GnuTLS > to use an appropriate bit length according to the priority string > (generally > 1024). If this breaks anyone's config, they have one > of 2 options - 1) manually set `gnutls-min-prime-bits` back to > whatever you were using and keep putting yourself at risk, and/or > 2) complaint to your server's admin. 256 was breakable in 1990. There are no circumstances where that's acceptable. :( > 6. GnuTLS is behind in some features such as CT, and enables a shit > ton of ciphers by default that OpenSSL has disabled. It's so > seldomly used and looked at by researchers that I bet it's full of > holes. Paradoxically, this is also its advantage. It's so seldomly > used, mostly OpenSSL specific attacks don't apply to it. I'm not too > concerned about GnuTLS at the moment. Not having CT is a problem. Certificate forgery in the field is becoming a serious issue. Just a couple of days ago I was informed that the WiFi on Turkish airliners now intercepts your TLS traffic with the use of faked up certs. It's becoming so common in various countries that we simply need it. If GnuTLS won't do it, then we use something else that provides it. > 7. Here's a preview of the latest set of checks in my fix-nsm-branch > > > (defcustom nsm-tls-checks > '((nsm-tls-check-verify-cert . low) > (nsm-tls-check-same-cert . medium) > (nsm-tls-check-version . medium) > (nsm-tls-check-compression . medium) > (nsm-tls-check-renegotiation-info-ext . medium) > (nsm-tls-check-null-suite . medium) > (nsm-tls-check-cbc-cipher . high) > (nsm-tls-check-ecdsa-cbc-cipher . medium) > (nsm-tls-check-3des-cipher . medium) > (nsm-tls-check-rc4-cipher . medium) > (nsm-tls-check-sha1-sig . medium) > (nsm-tls-check-md5-sig . medium) > (nsm-tls-check-rsa-kx . high) > (nsm-tls-check-dhe-prime-kx . medium) > (nsm-tls-check-dhe-kx . high) > (nsm-tls-check-export-kx . medium) > (nsm-tls-check-anon-kx . medium)) > "This variable specifies what TLS connection checks to perform. > It's an alist where the key is the name of the check, and the > value is the minimum security level the check should begin. > > Each check function is called with the parameters HOST PORT > STATUS SETTINGS. HOST is the host domain, PORT is a TCP port > number, STATUS is the peer status returned by > `gnutls-peer-status', and SETTINGS is the persistent and session > settings for the host HOST. Please refer to the contents of > `nsm-setting-file' for details. If a problem is found, the check > function is required to return an error message, and nil > otherwise. > > See also: `nsm-check-tls-connection', `nsm-save-host-names', > `nsm-settings-file'" > :version "27.1" > :group 'nsm > :type '(repeat (cons (function :tag "Check function") > (choice :tag "Level" > :value medium > (const :tag "Low" low) > (const :tag "Medium" medium) > (const :tag "High" high))))) > > [1]: https://www.chromestatus.com/features/5903385005916160 > [2]: https://tools.ietf.org/html/rfc7525 Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 16:36 ` Perry E. Metzger @ 2018-07-05 16:51 ` Jimmy Yuen Ho Wong 2018-07-05 18:25 ` Perry E. Metzger 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-05 16:51 UTC (permalink / raw) To: Perry E. Metzger Cc: Lars Ingebrigtsen, Paul Eggert, Emacs-Devel devel, Eli Zaretskii, Noam Postavsky > > We are best off doing what the browser vendors are doing (Chrome, > Firefox, and Safari generally being good exemplars.) > AFAIK, NSM is trying to do exactly that. Lars has set up a good structure here. > > Not having CT is a problem. Certificate forgery in the field is > becoming a serious issue. Just a couple of days ago I was informed > that the WiFi on Turkish airliners now intercepts your TLS > traffic with the use of faked up certs. It's becoming so common in > various countries that we simply need it. If GnuTLS won't do it, then > we use something else that provides it. > There's a CT ticket[1] for GnuTLS. It's not coming any time soon tho, so OCSP will have to do for now. Although, I'm pretty sure you can extract the raw DER bytes and parse the SCT extension in LISP using some bit manipulation magic (I don't even want to think about it now.... feel free to pick it up). [1]: https://gitlab.com/gnutls/gnutls/issues/232 [2]: https://www.gnutls.org/manual/gnutls.html#X_002e509-extensions ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 16:51 ` Jimmy Yuen Ho Wong @ 2018-07-05 18:25 ` Perry E. Metzger 0 siblings, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 18:25 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Lars Ingebrigtsen, Paul Eggert, Noam Postavsky, Emacs-Devel devel On Thu, 5 Jul 2018 17:51:27 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > > Not having CT is a problem. Certificate forgery in the field is > > becoming a serious issue. Just a couple of days ago I was informed > > that the WiFi on Turkish airliners now intercepts your TLS > > traffic with the use of faked up certs. It's becoming so common in > > various countries that we simply need it. If GnuTLS won't do it, > > then we use something else that provides it. > > > > There's a CT ticket[1] for GnuTLS. It's not coming any time soon > tho, so OCSP will have to do for now. So again, yet more reason to use something else. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:58 ` Jimmy Yuen Ho Wong 2018-07-05 16:36 ` Perry E. Metzger @ 2018-07-05 18:32 ` Eli Zaretskii 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-05 18:32 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, eggert, emacs-devel, npostavs, perry > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Thu, 5 Jul 2018 16:58:26 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Eli Zaretskii <eliz@gnu.org>, Paul Eggert <eggert@cs.ucla.edu>, > Noam Postavsky <npostavs@gmail.com>, Emacs-Devel devel <emacs-devel@gnu.org> > > Ok I think I should let people know what my current plans are to avoid > miscommunications: Please respond to my comments and questions in https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31946#89 I think we need to be in agreement about some principles before we discuss further plans. Thanks. > 3. There are a few security theatrics in NSM ATM, 'paranoid level is > BS. If that level is justified, you can justify turning off your > network card. I have removed it in my branch. That goes against one of my main comments in the above. I don't think I agree with having just one level of security in Emacs. One more reason to discuss my comments before going further ahead. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:52 ` Perry E. Metzger 2018-07-05 15:58 ` Jimmy Yuen Ho Wong @ 2018-07-05 18:43 ` Noam Postavsky 2018-07-05 20:31 ` Perry E. Metzger 1 sibling, 1 reply; 221+ messages in thread From: Noam Postavsky @ 2018-07-05 18:43 UTC (permalink / raw) To: Perry E. Metzger Cc: Lars Ingebrigtsen, Paul Eggert, Eli Zaretskii, Jimmy Yuen Ho Wong, Emacs-Devel devel On 5 July 2018 at 11:52, Perry E. Metzger <perry@piermont.com> wrote: > I would make sure that SHA-1 defenses are in place. The SHA-1 defenses are in master, but there is some problem with them: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31946#95 So did you mean "I would make sure [but I won't for lack of time/experience/etc]" or "I will make sure"? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 18:43 ` Noam Postavsky @ 2018-07-05 20:31 ` Perry E. Metzger 0 siblings, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 20:31 UTC (permalink / raw) To: Noam Postavsky Cc: Lars Ingebrigtsen, Paul Eggert, Eli Zaretskii, Jimmy Yuen Ho Wong, Emacs-Devel devel On Thu, 5 Jul 2018 14:43:50 -0400 Noam Postavsky <npostavs@gmail.com> wrote: > On 5 July 2018 at 11:52, Perry E. Metzger <perry@piermont.com> > wrote: > > > I would make sure that SHA-1 defenses are in place. > > The SHA-1 defenses are in master, but there is some problem with > them: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31946#95 > > So did you mean "I would make sure [but I won't for lack of > time/experience/etc]" or "I will make sure"? I don't have time right now or I'd be helping. So the former. -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:55 ` Lars Ingebrigtsen 2018-06-25 17:06 ` Eli Zaretskii 2018-06-25 17:20 ` Jimmy Yuen Ho Wong @ 2018-07-08 11:43 ` Lars Ingebrigtsen 2018-07-08 14:48 ` Eli Zaretskii 2 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 11:43 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, emacs-devel, wyuenho, npostavs Lars Ingebrigtsen <larsi@gnus.org> writes: > Eli Zaretskii <eliz@gnu.org> writes: > >> Allow me a few comments, with an eye towards getting at least some of >> this to the emacs-26 branch: >> >> . First, the NEWS entry should tell users how to get the previous >> (less secure) behavior if they want. I think this also calls for a >> better documentation of the elements that can appear in >> network-security-protocol-checks. >> >> . The change to gnutls-peer-status is not reflected in its doc string >> and is not called out in NEWS. > > Yes, true. I'll do that later this week. That was a ... 12 day week or something. :-) I've now pushed these doc fixes, and tried to explain better what these checks do. Hopefully it's not total gobbledegook -- trying to explain TLS stuff without resorting to writing acronym soup (that only explains things to people who already understands this stuff) isn't trivial. :-) -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 11:43 ` Lars Ingebrigtsen @ 2018-07-08 14:48 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 14:48 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: eggert, emacs-devel, wyuenho, npostavs > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: wyuenho@gmail.com, eggert@cs.ucla.edu, npostavs@gmail.com, emacs-devel@gnu.org > Date: Sun, 08 Jul 2018 13:43:10 +0200 > > >> . First, the NEWS entry should tell users how to get the previous > >> (less secure) behavior if they want. I think this also calls for a > >> better documentation of the elements that can appear in > >> network-security-protocol-checks. > >> > >> . The change to gnutls-peer-status is not reflected in its doc string > >> and is not called out in NEWS. > > > > Yes, true. I'll do that later this week. > > That was a ... 12 day week or something. :-) Yeah, gimme 12-day weeks! with 50-hour days on top of that! > I've now pushed these doc fixes, and tried to explain better what these > checks do. Hopefully it's not total gobbledegook -- trying to explain > TLS stuff without resorting to writing acronym soup (that only explains > things to people who already understands this stuff) isn't trivial. :-) It isn't gobbledegook for me, so I guess we are fine. Thanks! ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-25 16:06 ` Eli Zaretskii 2018-06-25 16:29 ` Jimmy Yuen Ho Wong 2018-06-25 16:55 ` Lars Ingebrigtsen @ 2018-07-06 9:01 ` Eli Zaretskii 2 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 9:01 UTC (permalink / raw) To: larsi; +Cc: eggert, emacs-devel, wyuenho, npostavs Ping! > Date: Mon, 25 Jun 2018 19:06:51 +0300 > From: Eli Zaretskii <eliz@gnu.org> > Cc: wyuenho@gmail.com, eggert@cs.ucla.edu, npostavs@gmail.com, > emacs-devel@gnu.org > > Allow me a few comments, with an eye towards getting at least some of > this to the emacs-26 branch: > > . First, the NEWS entry should tell users how to get the previous > (less secure) behavior if they want. I think this also calls for a > better documentation of the elements that can appear in > network-security-protocol-checks. > > . The change to gnutls-peer-status is not reflected in its doc string > and is not called out in NEWS. > > . Do I understand correctly that most of the changes, including those > in gnutls.c, are so that intermediary certificates could be > verified? If so, would it make sense to omit that for emacs-26, > and only beef up the medium level of security in NSM with the rest > of the checks? > > ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 6:40 ` Eli Zaretskii 2018-06-23 10:21 ` Jimmy Yuen Ho Wong 2018-06-23 22:28 ` Noam Postavsky @ 2018-07-05 15:33 ` Perry E. Metzger 2018-07-05 18:58 ` Eli Zaretskii 2 siblings, 1 reply; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 15:33 UTC (permalink / raw) To: Eli Zaretskii; +Cc: larsi, eggert, emacs-devel, Noam Postavsky, wyuenho On Sat, 23 Jun 2018 09:40:56 +0300 Eli Zaretskii <eliz@gnu.org> wrote: > > From: Noam Postavsky <npostavs@gmail.com> > > Date: Fri, 22 Jun 2018 22:17:56 -0400 > > Cc: Lars Magne Ingebrigtsen <larsi@gnus.org>, > > Jimmy Yuen Ho Wong <wyuenho@gmail.com>, > > Emacs developers <emacs-devel@gnu.org> > > > > On 22 June 2018 at 18:43, Paul Eggert <eggert@cs.ucla.edu> > > wrote: > > > On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote: > > >> > > >> 1. Can we update the default network security settings? > > > > > > > > > Yes, I would think so, in the master branch. As you say, the > > > current defaults are inappropriate for today's users. > > > > Can we bump gnutls-min-prime-bits to 1024 on the release branch? > > No, I don't think so. Changing these settings needs a prolonged > testing period to uncover any subtle problems with non-conforming > servers that users must be able to access, and such testing is > unlikely to happen on emacs-26 before the next bug-fix release. All modern browsers set 1024 as a minimum. There is no need for Emacs to worry about this as it has been years since you could connect to a web site with less than 1024 bits security. It should be changed as soon as possible. Even 1024 bits is too small, but this is at least better than the current situation. Generally speaking, if a security setting is the default in Chrome, Firefox, Safari, and Edge, you can feel reasonably certain that it is safe to have Emacs turn on such a setting as well without fear that it will cause inconvenience to the user community. > If we change this now on emacs-26, we should probably not release > Emacs 26.2 before a year goes by. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:33 ` Perry E. Metzger @ 2018-07-05 18:58 ` Eli Zaretskii 2018-07-06 8:36 ` Robert Pluim 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-05 18:58 UTC (permalink / raw) To: Perry E. Metzger; +Cc: larsi, eggert, emacs-devel, npostavs, wyuenho > Date: Thu, 5 Jul 2018 11:33:20 -0400 > From: "Perry E. Metzger" <perry@piermont.com> > Cc: Noam Postavsky <npostavs@gmail.com>, larsi@gnus.org, eggert@cs.ucla.edu, > wyuenho@gmail.com, emacs-devel@gnu.org > > > > Can we bump gnutls-min-prime-bits to 1024 on the release branch? > > > > No, I don't think so. Changing these settings needs a prolonged > > testing period to uncover any subtle problems with non-conforming > > servers that users must be able to access, and such testing is > > unlikely to happen on emacs-26 before the next bug-fix release. > > All modern browsers set 1024 as a minimum. There is no need for Emacs > to worry about this as it has been years since you could connect to a > web site with less than 1024 bits security. It should be changed as > soon as possible. Even 1024 bits is too small, but this is at least > better than the current situation. Emacs is not a Web browser, it uses the network for purposes other than browsing Web pages, so what browsers do is less relevant than what you seem to imply. Anyway, it seems you completely miss my point: I didn't say that we shouldn't increase the number of bits, just that we shouldn't do that on the release branch, unless we are willing to delay Emacs 26.2 significantly. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 18:58 ` Eli Zaretskii @ 2018-07-06 8:36 ` Robert Pluim 2018-07-06 8:49 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Robert Pluim @ 2018-07-06 8:36 UTC (permalink / raw) To: Eli Zaretskii Cc: eggert, wyuenho, npostavs, emacs-devel, larsi, Perry E. Metzger Eli Zaretskii <eliz@gnu.org> writes: >> Date: Thu, 5 Jul 2018 11:33:20 -0400 >> From: "Perry E. Metzger" <perry@piermont.com> >> Cc: Noam Postavsky <npostavs@gmail.com>, larsi@gnus.org, eggert@cs.ucla.edu, >> wyuenho@gmail.com, emacs-devel@gnu.org >> >> > > Can we bump gnutls-min-prime-bits to 1024 on the release branch? >> > >> > No, I don't think so. Changing these settings needs a prolonged >> > testing period to uncover any subtle problems with non-conforming >> > servers that users must be able to access, and such testing is >> > unlikely to happen on emacs-26 before the next bug-fix release. >> >> All modern browsers set 1024 as a minimum. There is no need for Emacs >> to worry about this as it has been years since you could connect to a >> web site with less than 1024 bits security. It should be changed as >> soon as possible. Even 1024 bits is too small, but this is at least >> better than the current situation. > > Emacs is not a Web browser, it uses the network for purposes other > than browsing Web pages, so what browsers do is less relevant than > what you seem to imply. > > Anyway, it seems you completely miss my point: I didn't say that we > shouldn't increase the number of bits, just that we shouldn't do that > on the release branch, unless we are willing to delay Emacs 26.2 > significantly. FWIW, Iʼve had gnutls-min-prime-bits set to 1024 since 2014-11-25, and have seen no adverse effects from it, so I donʼt think the risk is that great. Regarsd Robert ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 8:36 ` Robert Pluim @ 2018-07-06 8:49 ` Eli Zaretskii 2018-07-06 9:35 ` Robert Pluim 2018-07-06 9:45 ` Stephen Berman 0 siblings, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 8:49 UTC (permalink / raw) To: Robert Pluim; +Cc: emacs-devel > From: Robert Pluim <rpluim@gmail.com> > Cc: "Perry E. Metzger" <perry@piermont.com>, larsi@gnus.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, npostavs@gmail.com, wyuenho@gmail.com > Date: Fri, 06 Jul 2018 10:36:54 +0200 > > > Anyway, it seems you completely miss my point: I didn't say that we > > shouldn't increase the number of bits, just that we shouldn't do that > > on the release branch, unless we are willing to delay Emacs 26.2 > > significantly. > > FWIW, Iʼve had gnutls-min-prime-bits set to 1024 since 2014-11-25, and > have seen no adverse effects from it, so I donʼt think the risk is > that great. Thanks for the data point. Unfortunately, our experience is that use patterns vary widely between different Emacs users, and so problem-free experience of a single individual, or even several people, is not enough to be sure there are no significant issues. And TLS secured connections are central to many Emacs features. Emacs 26.2 is supposed to have fewer significant bugs than Emacs 26.1, so we must be careful if we make changes that could bring new problems. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 8:49 ` Eli Zaretskii @ 2018-07-06 9:35 ` Robert Pluim 2018-07-06 12:32 ` Eli Zaretskii 2018-07-06 9:45 ` Stephen Berman 1 sibling, 1 reply; 221+ messages in thread From: Robert Pluim @ 2018-07-06 9:35 UTC (permalink / raw) To: Eli Zaretskii; +Cc: emacs-devel Eli Zaretskii <eliz@gnu.org> writes: >> From: Robert Pluim <rpluim@gmail.com> >> Cc: "Perry E. Metzger" <perry@piermont.com>, larsi@gnus.org, eggert@cs.ucla.edu, emacs-devel@gnu.org, npostavs@gmail.com, wyuenho@gmail.com >> Date: Fri, 06 Jul 2018 10:36:54 +0200 >> >> > Anyway, it seems you completely miss my point: I didn't say that we >> > shouldn't increase the number of bits, just that we shouldn't do that >> > on the release branch, unless we are willing to delay Emacs 26.2 >> > significantly. >> >> FWIW, Iʼve had gnutls-min-prime-bits set to 1024 since 2014-11-25, and >> have seen no adverse effects from it, so I donʼt think the risk is >> that great. > > Thanks for the data point. > > Unfortunately, our experience is that use patterns vary widely between > different Emacs users, and so problem-free experience of a single > individual, or even several people, is not enough to be sure there are > no significant issues. And TLS secured connections are central to > many Emacs features. TLS is central to many of life's interactions now, unfortunately. > Emacs 26.2 is supposed to have fewer significant bugs than Emacs 26.1, > so we must be careful if we make changes that could bring new > problems. Yes. Would you be willing to try changing it on master? Robert ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 9:35 ` Robert Pluim @ 2018-07-06 12:32 ` Eli Zaretskii 2018-07-06 12:52 ` Robert Pluim 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 12:32 UTC (permalink / raw) To: Robert Pluim; +Cc: emacs-devel > From: Robert Pluim <rpluim@gmail.com> > Cc: emacs-devel@gnu.org > Date: Fri, 06 Jul 2018 11:35:54 +0200 > > > Emacs 26.2 is supposed to have fewer significant bugs than Emacs 26.1, > > so we must be careful if we make changes that could bring new > > problems. > > Yes. Would you be willing to try changing it on master? No objections to that, of course. But I think we already did that on master, didn't we? (I might be confused due to the sheer number of submitted patches, some of which were not yet pushed.) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 12:32 ` Eli Zaretskii @ 2018-07-06 12:52 ` Robert Pluim 2018-07-06 13:31 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Robert Pluim @ 2018-07-06 12:52 UTC (permalink / raw) To: Eli Zaretskii; +Cc: emacs-devel Eli Zaretskii <eliz@gnu.org> writes: >> From: Robert Pluim <rpluim@gmail.com> >> Cc: emacs-devel@gnu.org >> Date: Fri, 06 Jul 2018 11:35:54 +0200 >> >> > Emacs 26.2 is supposed to have fewer significant bugs than Emacs 26.1, >> > so we must be careful if we make changes that could bring new >> > problems. >> >> Yes. Would you be willing to try changing it on master? > > No objections to that, of course. But I think we already did that on > master, didn't we? (I might be confused due to the sheer number of > submitted patches, some of which were not yet pushed.) I donʼt think any of them have been pushed yet. Certainly the major changes to nsm.el by Jimmy haven't. Robert ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 12:52 ` Robert Pluim @ 2018-07-06 13:31 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 13:31 UTC (permalink / raw) To: Robert Pluim; +Cc: emacs-devel > From: Robert Pluim <rpluim@gmail.com> > Date: Fri, 06 Jul 2018 14:52:13 +0200 > Cc: emacs-devel@gnu.org > > >> Yes. Would you be willing to try changing it on master? > > > > No objections to that, of course. But I think we already did that on > > master, didn't we? (I might be confused due to the sheer number of > > submitted patches, some of which were not yet pushed.) > > I donʼt think any of them have been pushed yet. Certainly the major > changes to nsm.el by Jimmy haven't. I thought Lars did it, but I could have been easily confused. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 8:49 ` Eli Zaretskii 2018-07-06 9:35 ` Robert Pluim @ 2018-07-06 9:45 ` Stephen Berman 2018-07-06 12:41 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Stephen Berman @ 2018-07-06 9:45 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Robert Pluim, emacs-devel On Fri, 06 Jul 2018 11:49:45 +0300 Eli Zaretskii <eliz@gnu.org> wrote: >> From: Robert Pluim <rpluim@gmail.com> >> Cc: "Perry E. Metzger" <perry@piermont.com>, larsi@gnus.org, >> eggert@cs.ucla.edu, emacs-devel@gnu.org, npostavs@gmail.com, >> wyuenho@gmail.com >> Date: Fri, 06 Jul 2018 10:36:54 +0200 >> >> > Anyway, it seems you completely miss my point: I didn't say that we >> > shouldn't increase the number of bits, just that we shouldn't do that >> > on the release branch, unless we are willing to delay Emacs 26.2 >> > significantly. >> >> FWIW, Iʼve had gnutls-min-prime-bits set to 1024 since 2014-11-25, and >> have seen no adverse effects from it, so I donʼt think the risk is >> that great. > > Thanks for the data point. > > Unfortunately, our experience is that use patterns vary widely between > different Emacs users, and so problem-free experience of a single > individual, or even several people, is not enough to be sure there are > no significant issues. And TLS secured connections are central to > many Emacs features. > > Emacs 26.2 is supposed to have fewer significant bugs than Emacs 26.1, > so we must be careful if we make changes that could bring new > problems. I think in this case it is likely that the higher setting has in effect already undergone prolongued testing, since there is reason to think it has been used by many, perhaps most, Emacs users for a long time, in my case since reading this posting: From: "Herbert J. Skuhra" <hskuhra@eumx.net> Subject: Re: gnutls.c warning Newsgroups: gmane.emacs.gnus.general To: david@adboyd.com (J. David Boyd) Cc: ding@gnus.org Date: Tue, 25 Jun 2013 23:38:14 +0200 (5 years, 1 week, 3 days ago) On Tue, 25 Jun 2013 15:07:08 -0400 david@adboyd.com (J. David Boyd) wrote: > > I keep getting this warning, and can't find any way to turn it off. > > gnutls.c: [1] Note that the security level of the Diffie-Hellman key > exchange has been lowered to 256 bits and this may allow decryption > of the session data > > Is there some setting to say ok, I understand, quit nagging me? After setting gnutls-min-prime-bits to 1024 I no longer get this warning. Given this, it seems reasonable to conclude that most Emacs users who continue to use the current default setting are aware of the risk, and those who have changed it haven't experienced a problem worth reporting. Therefore, changing the default at this time is not likely to cause a problem for most long-time users, and will be safer for all new users, and most likely unproblematic for them (and if it is a problem, then they will know the trade-off). Steve Berman ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 9:45 ` Stephen Berman @ 2018-07-06 12:41 ` Eli Zaretskii 2018-07-06 13:50 ` Stephen Berman 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 12:41 UTC (permalink / raw) To: Stephen Berman; +Cc: rpluim, emacs-devel > From: Stephen Berman <stephen.berman@gmx.net> > Cc: Robert Pluim <rpluim@gmail.com>, emacs-devel@gnu.org > Date: Fri, 06 Jul 2018 11:45:17 +0200 > > After setting gnutls-min-prime-bits to 1024 I no longer get this > warning. > > Given this, it seems reasonable to conclude that most Emacs users who > continue to use the current default setting are aware of the risk, and > those who have changed it haven't experienced a problem worth reporting. > Therefore, changing the default at this time is not likely to cause a > problem for most long-time users, and will be safer for all new users, > and most likely unproblematic for them (and if it is a problem, then > they will know the trade-off). Thanks, but I don't see how can we deduce "most" from any such reports. And the users who have made such a setting don't need the defaults to change anyway. Not that "most" counts here, anyway: the whole point of prolonged testing of modified defaults is to uncover those rare use cases where the new values do some harm, and see whether we need to augment the new settings with something. I see no way around that, sorry, not when a feature as basic as network connections is concerned. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 12:41 ` Eli Zaretskii @ 2018-07-06 13:50 ` Stephen Berman 2018-07-07 7:15 ` martin rudalics 0 siblings, 1 reply; 221+ messages in thread From: Stephen Berman @ 2018-07-06 13:50 UTC (permalink / raw) To: Eli Zaretskii; +Cc: rpluim, emacs-devel On Fri, 06 Jul 2018 15:41:30 +0300 Eli Zaretskii <eliz@gnu.org> wrote: >> From: Stephen Berman <stephen.berman@gmx.net> >> Cc: Robert Pluim <rpluim@gmail.com>, emacs-devel@gnu.org >> Date: Fri, 06 Jul 2018 11:45:17 +0200 >> >> After setting gnutls-min-prime-bits to 1024 I no longer get this >> warning. >> >> Given this, it seems reasonable to conclude that most Emacs users who >> continue to use the current default setting are aware of the risk, and >> those who have changed it haven't experienced a problem worth reporting. >> Therefore, changing the default at this time is not likely to cause a >> problem for most long-time users, and will be safer for all new users, >> and most likely unproblematic for them (and if it is a problem, then >> they will know the trade-off). > > Thanks, but I don't see how can we deduce "most" from any such > reports. Strictly speaking, of course not. But since Emacs has emitted the Gnutls warning for at least five years, it doesn't seem too far-fetched that "most" Emacs users (i.e., enough to cover all but the rarest of corner cases) have been exposed to it and acted on it or at least know the risk. > And the users who have made such a setting don't need the > defaults to change anyway. No, but it's the new users who would benefit. > Not that "most" counts here, anyway: the whole point of prolonged > testing of modified defaults is to uncover those rare use cases where > the new values do some harm, and see whether we need to augment the > new settings with something. I see no way around that, sorry, not > when a feature as basic as network connections is concerned. My point was that the higher setting has in effect been tested for at least five years by many (if not "most") users, in response to the warning, and there have been no bug reports about it AFAIK. Are you expecting and planning more systematic testing beyond changing the default and waiting for bug reports? Steve Berman ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 13:50 ` Stephen Berman @ 2018-07-07 7:15 ` martin rudalics 2018-07-07 12:22 ` Stephen Berman 0 siblings, 1 reply; 221+ messages in thread From: martin rudalics @ 2018-07-07 7:15 UTC (permalink / raw) To: Stephen Berman, Eli Zaretskii; +Cc: rpluim, emacs-devel >> And the users who have made such a setting don't need the >> defaults to change anyway. > > No, but it's the new users who would benefit. Shouldn't new users face such changes with major releases only? martin ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 7:15 ` martin rudalics @ 2018-07-07 12:22 ` Stephen Berman 2018-07-07 13:22 ` Eli Zaretskii 2018-07-08 8:11 ` martin rudalics 0 siblings, 2 replies; 221+ messages in thread From: Stephen Berman @ 2018-07-07 12:22 UTC (permalink / raw) To: martin rudalics; +Cc: Eli Zaretskii, rpluim, emacs-devel On Sat, 07 Jul 2018 09:15:32 +0200 martin rudalics <rudalics@gmx.at> wrote: >>> And the users who have made such a setting don't need the >>> defaults to change anyway. >> >> No, but it's the new users who would benefit. > > Shouldn't new users face such changes with major releases only? Since this is a security-related change, it depends on the maintainers' judgment of the risks (both of making the change and of not making it). Steve Berman ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 12:22 ` Stephen Berman @ 2018-07-07 13:22 ` Eli Zaretskii 2018-07-07 13:47 ` Stephen Berman 2018-07-08 8:11 ` martin rudalics 1 sibling, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 13:22 UTC (permalink / raw) To: Stephen Berman; +Cc: rudalics, rpluim, emacs-devel > From: Stephen Berman <stephen.berman@gmx.net> > Cc: Eli Zaretskii <eliz@gnu.org>, rpluim@gmail.com, emacs-devel@gnu.org > Date: Sat, 07 Jul 2018 14:22:54 +0200 > > On Sat, 07 Jul 2018 09:15:32 +0200 martin rudalics <rudalics@gmx.at> wrote: > > >>> And the users who have made such a setting don't need the > >>> defaults to change anyway. > >> > >> No, but it's the new users who would benefit. > > > > Shouldn't new users face such changes with major releases only? > > Since this is a security-related change, it depends on the maintainers' > judgment of the risks (both of making the change and of not making it). When making these judgment calls, are we allowed to apply the same principle as you did, namely that the current situation "has been tested for at least five years", and therefore we can conclude that no urgent change is needed? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 13:22 ` Eli Zaretskii @ 2018-07-07 13:47 ` Stephen Berman 0 siblings, 0 replies; 221+ messages in thread From: Stephen Berman @ 2018-07-07 13:47 UTC (permalink / raw) To: Eli Zaretskii; +Cc: rudalics, rpluim, emacs-devel On Sat, 07 Jul 2018 16:22:15 +0300 Eli Zaretskii <eliz@gnu.org> wrote: >> From: Stephen Berman <stephen.berman@gmx.net> >> Cc: Eli Zaretskii <eliz@gnu.org>, rpluim@gmail.com, emacs-devel@gnu.org >> Date: Sat, 07 Jul 2018 14:22:54 +0200 >> >> On Sat, 07 Jul 2018 09:15:32 +0200 martin rudalics <rudalics@gmx.at> wrote: >> >> >>> And the users who have made such a setting don't need the >> >>> defaults to change anyway. >> >> >> >> No, but it's the new users who would benefit. >> > >> > Shouldn't new users face such changes with major releases only? >> >> Since this is a security-related change, it depends on the maintainers' >> judgment of the risks (both of making the change and of not making it). > > When making these judgment calls, are we allowed to apply the same > principle as you did, namely that the current situation "has been > tested for at least five years", and therefore we can conclude that no > urgent change is needed? If I were in a position to allow or forbid you anything, I would certainly allow you that. Steve Berman ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 12:22 ` Stephen Berman 2018-07-07 13:22 ` Eli Zaretskii @ 2018-07-08 8:11 ` martin rudalics 1 sibling, 0 replies; 221+ messages in thread From: martin rudalics @ 2018-07-08 8:11 UTC (permalink / raw) To: Stephen Berman; +Cc: Eli Zaretskii, rpluim, emacs-devel >> Shouldn't new users face such changes with major releases only? > > Since this is a security-related change, it depends on the maintainers' > judgment of the risks (both of making the change and of not making it). If a security-related change is about fixing an imminent risk, we should apply it in the next release or even make a special release for it. If a security-related change is about setting and presenting a security measure to users, it should be given as much prior testing as possible. Otherwise, we risk that too many new users get annoyed by improper security settings and switch them off. Which is probably not what we wanted in the first place. martin ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 2:17 ` Noam Postavsky 2018-06-23 6:40 ` Eli Zaretskii @ 2018-07-05 15:10 ` Perry E. Metzger 1 sibling, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 15:10 UTC (permalink / raw) To: Noam Postavsky Cc: Lars Magne Ingebrigtsen, Paul Eggert, Jimmy Yuen Ho Wong, Emacs developers On Fri, 22 Jun 2018 22:17:56 -0400 Noam Postavsky <npostavs@gmail.com> wrote: > Can we bump gnutls-min-prime-bits to 1024 on the release branch? I > know it has a reference to Bug#11267 which describes some mail > server that works only with 256 bits primes, but surely people > using such software can set the option themselves. I mean, a 256 > bit DH prime is just a toy example, not real crypto. It's > inappropriate for yesterday's users. Even 1024 is probably a bit > low, but at least it's something. That's too low, but it is the minimum in all modern browsers. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-22 22:43 ` Paul Eggert 2018-06-22 23:21 ` Lars Ingebrigtsen 2018-06-23 2:17 ` Noam Postavsky @ 2018-06-23 6:45 ` Eli Zaretskii 2018-06-23 10:34 ` Jimmy Yuen Ho Wong 2018-07-05 15:58 ` Perry E. Metzger 2 siblings, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-06-23 6:45 UTC (permalink / raw) To: Paul Eggert; +Cc: larsi, wyuenho, emacs-devel > From: Paul Eggert <eggert@cs.ucla.edu> > Date: Fri, 22 Jun 2018 15:43:35 -0700 > Cc: Lars Magne Ingebrigtsen <larsi@gnus.org> > > > 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't > > seem to be doing a very good job, can we link to something better > > maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS? > > I would think the answer to that could be "yes" too. Despite its name, > GnuTLS is no longer GNU code, and we're under no obligation to promote > it. However, this would take some work. We'd surely want the option to > link to either GnuTLS or OpenSSL/etc. GnuTLS may not be a GNU project in the formal sense, but nothing has changed in its development methods or in its spirit since it was. OpenSSL is even less of a GNU project, and AFAIR includes components that are not even Free Software. Moreover, having 2 different libraries for the same task in Emacs will be a maintenance burden we are better without, especially given the lack of active experts on board. I'd like to remind us all that we've just switched to GnuTLS as the primary means in Emacs 26.1. So my vote would be NO for switching away from GnuTLS. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 6:45 ` Eli Zaretskii @ 2018-06-23 10:34 ` Jimmy Yuen Ho Wong 2018-07-05 15:58 ` Perry E. Metzger 1 sibling, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-06-23 10:34 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Paul Eggert, emacs-devel [-- Attachment #1: Type: text/plain, Size: 1755 bytes --] On Sat, Jun 23, 2018 at 7:45 AM, Eli Zaretskii <eliz@gnu.org> wrote: > > From: Paul Eggert <eggert@cs.ucla.edu> > > Date: Fri, 22 Jun 2018 15:43:35 -0700 > > Cc: Lars Magne Ingebrigtsen <larsi@gnus.org> > > > > > 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't > > > seem to be doing a very good job, can we link to something better > > > maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS? > > > > I would think the answer to that could be "yes" too. Despite its name, > > GnuTLS is no longer GNU code, and we're under no obligation to promote > > it. However, this would take some work. We'd surely want the option to > > link to either GnuTLS or OpenSSL/etc. > > GnuTLS may not be a GNU project in the formal sense, but nothing has > changed in its development methods or in its spirit since it was. > OpenSSL is even less of a GNU project, and AFAIR includes components > that are not even Free Software. Moreover, having 2 different > libraries for the same task in Emacs will be a maintenance burden we > are better without, especially given the lack of active experts on > board. I'd like to remind us all that we've just switched to GnuTLS > as the primary means in Emacs 26.1. > > So my vote would be NO for switching away from GnuTLS. > While I understand this from a human resource perspective, I wonder if it's possible for the FSF to ask for some friendly help (such as the folks at EFF) on this one. I can probably ask around in London as well. In my opinion having OTTB better security is worthwhile for the switch. As to OpenSSL, they seem to have found all the past contributors already ( https://license.openssl.org/trying-to-find). It seems they are really close to switching to the Apache license. [-- Attachment #2: Type: text/html, Size: 2743 bytes --] ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-06-23 6:45 ` Eli Zaretskii 2018-06-23 10:34 ` Jimmy Yuen Ho Wong @ 2018-07-05 15:58 ` Perry E. Metzger 2018-07-05 19:20 ` Paul Eggert 2018-07-05 22:44 ` Richard Stallman 1 sibling, 2 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 15:58 UTC (permalink / raw) To: Eli Zaretskii; +Cc: larsi, Paul Eggert, wyuenho, emacs-devel On Sat, 23 Jun 2018 09:45:57 +0300 Eli Zaretskii <eliz@gnu.org> wrote: > > From: Paul Eggert <eggert@cs.ucla.edu> > > Date: Fri, 22 Jun 2018 15:43:35 -0700 > > Cc: Lars Magne Ingebrigtsen <larsi@gnus.org> > > > > > 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS > > > doesn't seem to be doing a very good job, can we link to > > > something better maintained, such as > > > OpenSSL/LibreSSL/BoringSSL/NSS? > > > > I would think the answer to that could be "yes" too. Despite its > > name, GnuTLS is no longer GNU code, and we're under no obligation > > to promote it. However, this would take some work. We'd surely > > want the option to link to either GnuTLS or OpenSSL/etc. > > GnuTLS may not be a GNU project in the formal sense, but nothing has > changed in its development methods or in its spirit since it was. > OpenSSL is even less of a GNU project, and AFAIR includes components > that are not even Free Software. So far as I can tell and am aware, OpenSSL is fully free software. There are no unfree components. > Moreover, having 2 different > libraries for the same task in Emacs will be a maintenance burden we > are better without, The security of OpenSSL is, so far as I can tell, more reliably managed. There's a large team that worries about it, and the security of cryptographic libraries is a difficult problem. Everything from timing attacks to very subtle mistakes in nonce generation has to go perfectly. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:58 ` Perry E. Metzger @ 2018-07-05 19:20 ` Paul Eggert 2018-07-05 20:46 ` Perry E. Metzger 2018-07-05 22:44 ` Richard Stallman 1 sibling, 1 reply; 221+ messages in thread From: Paul Eggert @ 2018-07-05 19:20 UTC (permalink / raw) To: Perry E. Metzger, Eli Zaretskii; +Cc: larsi, wyuenho, emacs-devel Perry E. Metzger wrote: > The security of OpenSSL is, so far as I can tell, more reliably > managed. Yes, OpenSSL is surely the best choice for current applications, despite its obvious drawbacks. That being said, Emacs shouldn't be tied down to OpenSSL, just as it should not be tied down to GnuTLS. There is currently quite a bit of interest in replacing OpenSSL with something better, and with luck we'll see improvements in the not-too-distant future. We insulate Emacs users from this turmoil as best we can. Here's a useful paper for those of us not plugged into recent work in the area: Halpin H. A roadmap for high assurance cryptography. FPS 2017. https://hal.inria.fr/hal-01673294 ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 19:20 ` Paul Eggert @ 2018-07-05 20:46 ` Perry E. Metzger 0 siblings, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-05 20:46 UTC (permalink / raw) To: Paul Eggert; +Cc: Eli Zaretskii, emacs-devel, larsi, wyuenho On Thu, 5 Jul 2018 12:20:54 -0700 Paul Eggert <eggert@cs.ucla.edu> wrote: > Perry E. Metzger wrote: > > The security of OpenSSL is, so far as I can tell, more reliably > > managed. > > Yes, OpenSSL is surely the best choice for current applications, > despite its obvious drawbacks. That being said, Emacs shouldn't be > tied down to OpenSSL, just as it should not be tied down to GnuTLS. > There is currently quite a bit of interest in replacing OpenSSL > with something better, and with luck we'll see improvements in the > not-too-distant future. We insulate Emacs users from this turmoil > as best we can. This seems completely reasonable. That said, for now, I think the best possible default should be what we recommend until some better possible default exists. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 15:58 ` Perry E. Metzger 2018-07-05 19:20 ` Paul Eggert @ 2018-07-05 22:44 ` Richard Stallman 2018-07-06 6:42 ` Jimmy Yuen Ho Wong 2018-07-06 16:53 ` Paul Eggert 1 sibling, 2 replies; 221+ messages in thread From: Richard Stallman @ 2018-07-05 22:44 UTC (permalink / raw) To: Perry E. Metzger; +Cc: eliz, eggert, emacs-devel, larsi, wyuenho [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > So far as I can tell and am aware, OpenSSL is fully free software. > There are no unfree components. OpenSSL had, in the past, a license incompatible with the GNU GPL. If its license is unchanged, using it with Emacs would require some inconvenient work to install a license exception. That is assuming there is no non-FSF-copyrighted GPL-covered code linked into Emacs. If there is some, that is not inconvenient but impossible. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 22:44 ` Richard Stallman @ 2018-07-06 6:42 ` Jimmy Yuen Ho Wong 2018-07-06 8:16 ` Eli Zaretskii 2018-07-08 14:06 ` Lars Ingebrigtsen 2018-07-06 16:53 ` Paul Eggert 1 sibling, 2 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-06 6:42 UTC (permalink / raw) To: rms; +Cc: Lars Ingebrigtsen, Paul Eggert, Emacs-Devel devel, Perry E. Metzger Whoa that's a lot of emails in one day! I understand that some of you are concerned, I am too, that's why I raised this issue. Now, given the volume, I don't want to respond individually, so please allow me to summarize and address all of your concerns here. First of all, having read all of your comments, I don't think anybody is deliberately undermining Emacs' networks security. Emacs's network security is the way it is mostly because of a lack of knowledge and personnel. I don't think any of us is trying to hide that, and I think we all want it to be better. Therefore, instead of arguing the issue on moral ground, I propose we look at our common grounds and see what we've already agreed on. Before I dive deeper, here's a diff of my branch against master: https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks I'll refer to this in the rest of this long email. You can have both freedom and security ----------------------------------------------------- A lot of us take Emacs' infinitely malleability as granted, so we don't even mention it, but that doesn't mean we don't care about freedom or are trying to be paternalistic. In my branch, I have kept the current NSM's structure - coarse grain security settings by setting `network-security-level`, and find grain security by setting `nsm-tls-checks`. This not only satisfies Eli's concern of providing reasonable settings while preserving the freedom of users to decide what's best for them, but also solves a more pertinent problem - the necessity to adjust individual network security checks quickly in case of a new kind of TLS attack outside of Emacs' release cycle. We can either change Emacs's release process or keep NSM malleable, the latter seems a quicker way out of this mess, and one which we can all agree on. Most of the checks are on `medium` level because of **secure by default** --------------------------------------------------------------------------------------------------- **Secure by default** is a mantra used by InfoSec professionals, in Emacs' lingo it means reasonable default settings. The reason 13 out of 17 checks in my branch are on `medium` level is *not* because I'm trying to mold NSM to such a way that its **security levels** are indistinguishable with **secury level**, but because most of those checks are RFC 7525's recommendation's for securely using TLS on the client. RFC 7525 is listed as BEST CURRENT PRACTICE by IETF in 2015. I have added a couple more checks to `medium` because things have evolved since 2015. The details for their inclusion are in the docstrings. As to `high`, those 3 checks ideally should be included in `medium` but can't for fear of being too naggy due to compatibility reasons. RSA key exchange is still widely deployed, so is DHE due to it being the only fallback for TLS 1.3. CBC mode is also widely a deployed fallback cipher. All of the above are known to be insecure a lot of times, but for me, **secure by default** means as secure *AND* practical as possible by default, so until RSA KX, DHE KX and CBC ciphers go away completely from the servers, I believe putting them on the `high` level is appropriate. More checks does not mean more inconvenience ----------------------------------------------------------------- NSM will only prompt you when a check fails *AND* these failed checks for a host have not been saved as exceptions. If you answer "session only" after the prompt, NSM will not prompt you again until you restart Emacs. If you answer "always", NSM will not prompt you again for those failed checks for that host as long as the exceptions are still saved on file. The ability of having a "chance to choose between the alternatives (convenience and safety) early enough that they won't beunsafe. The choice should come with an explanation of each option, first stating what situations it is recommended for, then what it does." is already implemented in master. Having said that, NSM currenly may prompt you many times if there is more than one security check failures, i.e. if your level is set to `high` and the server such as Google's is load balancing TLS connections with 2 or more certs with different fingerprints, and it's using SHA1 signatures, you will get 3 prompts. I have streamlined all of those in my branch so you only get prompted once for all the problems found. That's **more** convenience and "more" safety. You can have your cake and eat it too. Less knobs can also mean more convenience and security ------------------------------------------------------------------------------ The `paranoid` level is security theatre. All it does is ask if you'd like to connect to a server via TLS if you have never reached it before. Why is attempting to securely connect to a server by using a protocol that will authenticate it a cause for concern? Connecting to a server via TLS does not mean the user start transmitting confidential data immediately. That act comes when you sign up or log in. That's not TLS's job. For STARTTLS, if the server does not support TLS, you will have gotten a prompt for using a plain connection already, so why the extra prompt? Does it not give the user a false sense of more security? Will it mislead some innocent user to belive every host can be trusted under `high` level? If the answer to the last 2 questions were yes, I believe removing `paranoid` and its check is the right thing to do, even if only for the sake of giving the right expectation. Emacs is not (only) a browser, but that's a moot point ----------------------------------------------------------------------- Emacs' use base is diverse. People not only browse the Web with it, but read and reply to emails, browse newgroups, chat on IRC/Jabber/Slack, push code to Github etc., all of which require the network to be secured with TLS. While TLS is mostly used on the Web because of HTTPS, SSL/TLS has been mandatory for Gmail for many years now, Github also requires TLS for code push, and so do many chat servers. The way Emacs has deployed TLS either has a fault or it doesn't, it doesn't matter which protocol TLS is wrapping over. While I agree that blindly copying the security settings of the most widely deployed TLS clients that we call browsers may not necessarily be a good idea, it's also not a bad idea given Google and Mozilla's army of InfoSec people looking after them. In addition, I haven't copied them blindly. I have researched every single one of them by reading about a dozen RFCs and papers in the past few weeks, and only include them when applicable to Emacs' use of GnuTLS. See the docstrings for details. `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 ----------------------------------------------------------------------- Setting `gnutls-min-prime-bits` to `nil` lets GnuTLS negotiate the highest possible bit length based on its priority string, which means at least 1008-bit since 3.3.0. If my and other's positions on this issue have not been clear, let me reiterate this - it was *never* appripriate to default `gnutls-min-prime-bits` to 256. The list of reasons are the following: 1. If a user's email server demands 256 bits, it's not a sufficient reason to sacriface the **secury by default** goal for the vast majority of users by defaulting it to 256 just so everyone is on the lowest common denominator possible. 2. US export regulation controls export of crypto components using DH > 512 bit prime length to rogue states[2], that means NSA can break DH with prime bits < 512, that also means possibly other state actors as well. 256-bit default means **enabling mass-surveillance** for our users world-wide. 3. If you are afraid of upping to > 1024 will interrupt many people's workflow, don't. SSLLabs's Key Exchange Strength scan[3] shows there's only 2.9% servers found using < 512 bit key exchange. 1024+2048+3076 bit servers cover ~ 95% of TLS server deployments out there. It makes no sense to sacriface 95% for 2.9%. See 1). 4. Even if it regressed for some poor guy's connection to an email server configured in the 80s, that's a **good** thing. If he ever comes back to complaint about it, we can direct him to complaint to the server admin instead, so we can all be safer. See 1) again. 5. Even if he turns out to have legitimate reasons to set prime bits to 256 bits, it's not Emacs' problem. He just has to M-x customize-set-value RET gnutls-min-prime-bits RET 256 RET. There is absolutely no reason whatsoever to default `gnutls-min-prime-bits` to 256, not even in the 90s. [1]: https://ee.stanford.edu/~hellman/publications/28.pdf [2]: https://www.bis.doc.gov/index.php/forms-documents/encryption/335-supplement-no-1-to-part-774-category-5-part-ii-information-security/file [3]: https://www.ssllabs.com/ssl-pulse/ OpenSSL is nice, but getting much improved network security out the door ASAP is nicer ---------------------------------------------------------------------------------------------------------------------- While OpenSSL certainly has its advantages, it is also a much bigger target. When dealing with security issues, one has to consider the economics. When economics are factored, an attacker will often ask if it make sense to spend a month working on an attack to target a small user base such as GnuTLS'. The answer to that is likely to be false. But if we are on OpenSSL, any new attack targeted towards it will make Emacs a target as well. In addition, these days I try to live by a motto - Don't let the perfect be the enemy of the good. Replacing GnuTLS with OpenSSL is significantly harder than writing a couple C functions to get the most out of GnuTLS. Replacing it without major regressions even harder. Besides, most of Emacs' network security problems do not come from it use of GnuTLS, but deficiencies in NSM. I believe Emacs' network security can get much better faster if we focus our efforts on the current design. Documenting security changes ----------------------------------------- Currently, Emacs' network security settings are poorly documented and widely misunderstood. There's only one page on the entire Emacs manual that briefly describes the checks NSM has, but it doesn't mention what its relation is with GnuTLS. There is also no mention of NSM or GnuTLS in the Emacs Lisp Reference whatsoever. I aim to improve it, but given the amount of work involved to bring Emacs' network security up to date, I'd rather submit another patch when the dust has settled. (*cough* feature creep *cough*) Jimmy On Thu, Jul 5, 2018 at 11:44 PM, Richard Stallman <rms@gnu.org> wrote: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > I don't know what this issue concretely involves, so I don't have > an opinion about what concretely we should do. But I'd like to suggest > a possible avenue for choosing a good response. > > The idea is that we make sure users see a chance to choose between the > alternatives (convenience and safety) early enough that they won't be > unsafe. The choice should come with an explanation of each option, > first stating what situations it is recommended for, then what it does. > > > > -- > Dr Richard Stallman > President, Free Software Foundation (https://gnu.org, https://fsf.org) > Internet Hall-of-Famer (https://internethalloffame.org) > > On Thu, Jul 5, 2018 at 11:44 PM, Richard Stallman <rms@gnu.org> wrote: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > So far as I can tell and am aware, OpenSSL is fully free software. > > There are no unfree components. > > OpenSSL had, in the past, a license incompatible with the GNU GPL. > If its license is unchanged, using it with Emacs would require some > inconvenient work to install a license exception. > > That is assuming there is no non-FSF-copyrighted GPL-covered code > linked into Emacs. If there is some, that is not inconvenient but > impossible. > > > -- > Dr Richard Stallman > President, Free Software Foundation (https://gnu.org, https://fsf.org) > Internet Hall-of-Famer (https://internethalloffame.org) > > ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 6:42 ` Jimmy Yuen Ho Wong @ 2018-07-06 8:16 ` Eli Zaretskii 2018-07-06 9:28 ` Robert Pluim 2018-07-06 13:03 ` Jimmy Yuen Ho Wong 2018-07-08 14:06 ` Lars Ingebrigtsen 1 sibling, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 8:16 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: perry, larsi, eggert, rms, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Fri, 6 Jul 2018 07:42:22 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Paul Eggert <eggert@cs.ucla.edu>, > Emacs-Devel devel <emacs-devel@gnu.org>, > "Perry E. Metzger" <perry@piermont.com> > > Whoa that's a lot of emails in one day! I understand that some of you > are concerned, I am too, that's why I raised this issue. Now, given > the volume, I don't want to respond individually, so please allow me > to summarize and address all of your concerns here. Thanks. > instead of arguing the issue on moral ground, I propose we look at > our common grounds and see what we've already agreed on. Agreed. I only responded "on moral grounds" because my views were challenged on those grounds. > Most of the checks are on `medium` level because of **secure by default** > --------------------------------------------------------------------------------------------------- > **Secure by default** is a mantra used by InfoSec professionals, in > Emacs' lingo it means reasonable default settings. The reason 13 out > of 17 checks in my branch are on `medium` level is *not* because I'm > trying to mold NSM to such a way that its **security levels** are > indistinguishable with **secury level**, but because most of those > checks are RFC 7525's recommendation's for securely using TLS on the > client. RFC 7525 is listed as BEST CURRENT PRACTICE by IETF in 2015. I > have added a couple more checks to `medium` because things have > evolved since 2015. The details for their inclusion are in the > docstrings. > > As to `high`, those 3 checks ideally should be included in `medium` I'm still questioning how can this be TRT. Please remember that 'medium' in Emacs really means 'minimum', because 'low' has no security checks at all. How can it make sense to have _all_ the checks on the _minimum_ level? (I say "all" because you clearly think 'high' and 'paranoid' should be removed, and their checks, those which make sense, moved into 'medium'.) Suppose I work in Emacs on an internal secure network that is physically disconnected from the Internet (many enterprises, including my daytime job, have such stand-alone networks as a matter of routine). Why would I need all the checks you propose on such a network? OTOH, I don't want to go to 'low' (i.e. 'none') on such networks, because who knows what viri and other calamities can be once in a blue moon present on some of the machines on that network. Same questions regarding a home network, separated from the outside world by a firewall. Why shouldn't Emacs cater to such use cases? On the other end, there are legitimate use cases where users might need to access sites and servers known in advance to be dangerous. Why shouldn't Emacs provide a 'paranoid' set of settings for such use cases? The RFCs you cite and the vulnerabilities they describe should IMO be carefully analyzed, in the context of typical Emacs jobs that require network connections, and then we should grade them by their importance, divide them into 3 or 4 meaningful classes (a.k.a. "levels"), and let users change their settings in meaningful ways by changing the level. Fine-grained settings should IMO also be provided, but they cannot be the only solution that we offer our users, precisely because not everyone has time to study each individual feature, but they normally will have time to read a description of 3 to 4 levels and decide which one is for them, especially if we describe them in terms that are related to the general environment rather than to specific vulnerabilities, similar to how many laptops ask you to select whether the new connection is for "home network", "enterprise", or "public network" -- that's something that every user can normally answer. > More checks does not mean more inconvenience > ----------------------------------------------------------------- > NSM will only prompt you when a check fails *AND* these failed checks > for a host have not been saved as exceptions. If you answer "session > only" after the prompt, NSM will not prompt you again until you > restart Emacs. If you answer "always", NSM will not prompt you again > for those failed checks for that host as long as the exceptions are > still saved on file. The ability of having a "chance to choose between > the alternatives (convenience and safety) early enough that they won't > beunsafe. The choice should come with an explanation of each option, > first stating what situations it is recommended for, then what it > does." is already implemented in master. > > Having said that, NSM currenly may prompt you many times if there is > more than one security check failures, i.e. if your level is set to > `high` and the server such as Google's is load balancing TLS > connections with 2 or more certs with different fingerprints, and it's > using SHA1 signatures, you will get 3 prompts. I have streamlined all > of those in my branch so you only get prompted once for all the > problems found. That's **more** convenience and "more" safety. You can > have your cake and eat it too. These improvements are good (provided that they indeed work in practice -- I will have to try them), but IMO they are not enough. You assume each one of us has only one Emacs installation, with only one HOME directory where settings are saved. But that is profoundly not true: people have Emacs installed on several machines, with HOME directories not necessarily shared. Emacs developers might very well have several HOME directories on the same machine, for testing purposes (I certainly have such setups and use them all the time). Last, but not least, "emacs -Q" will not save any settings nor use previously set ones. That is why IMO we must make the default level strike a reasonable balance between "more checks" and "convenience". It is IMO unreasonable to base such a balance on the assumption that a dedicated team of thugs with torture chambers are out there to get every one of us. I think these cases are a minority, which should be catered to by non-default security levels -- that's where 'high' and 'paranoid' should come into the play. > The `paranoid` level is security theatre. If the 'paranoid' level doesn't do a useful job, it should be modified to do a useful job. The decision whether we even need such a level should IMO be one we take _after_ classifying the vulnerabilities and their prevention measures, not before. It is quite possible we will decide that we don't need such a level, but the fact it is not useful today doesn't mean it cannot be useful. I would very much like the security experts we have in our ranks help us make these decisions by using their expertise to produce such an analysis of the issues. Then this whole discussion would be much more constructive, and I believe agreements could be reached much faster. > For STARTTLS, if the server does not support TLS, you will have gotten > a prompt for using a plain connection already, so why the extra > prompt? Does what you say cover Emacs built without TLS support, for example? > Emacs is not (only) a browser, but that's a moot point > ----------------------------------------------------------------------- > Emacs' use base is diverse. People not only browse the Web with it, > but read and reply to emails, browse newgroups, chat on > IRC/Jabber/Slack, push code to Github etc., all of which require the > network to be secured with TLS. While TLS is mostly used on the Web > because of HTTPS, SSL/TLS has been mandatory for Gmail for many years > now, Github also requires TLS for code push, and so do many chat > servers. The way Emacs has deployed TLS either has a fault or it > doesn't, it doesn't matter which protocol TLS is wrapping over. I don't see how your conclusion necessarily follows from the fact that most or all protocols we use are secured with TLS. Isn't it true that some of the vulnerabilities are only or mainly specific to some protocols or even some classes of servers? Is it really true that, say, fetching and sending email on the one side, browsing s Web page on the other, and chatting on the third, all bump into the same set of risks? This is the kind of analysis I'd like to see before we make up our minds what should be in 'medium'. (Btw, is Github relevant to the issue at hand? We access Git repositories by invoking Git, we don't access them from Emacs directly, AFAIK.) > `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 As I already said, this will delay the release of Emacs 26.2 by many moons. From my POV, doing so is not a good idea, as we already have quite a few non-trivial bugfixes on the emacs-26 branch, but if no one else is bothered, I'm fine with doing that. IOW, this is a project-management decision, not a security-related decision. > OpenSSL is nice, but getting much improved network security out the > door ASAP is nicer > ---------------------------------------------------------------------------------------------------------------------- > While OpenSSL certainly has its advantages, it is also a much bigger > target. When dealing with security issues, one has to consider the > economics. When economics are factored, an attacker will often ask if > it make sense to spend a month working on an attack to target a small > user base such as GnuTLS'. The answer to that is likely to be false. > But if we are on OpenSSL, any new attack targeted towards it will make > Emacs a target as well. > > In addition, these days I try to live by a motto - Don't let the > perfect be the enemy of the good. Replacing GnuTLS with OpenSSL is > significantly harder than writing a couple C functions to get the most > out of GnuTLS. Replacing it without major regressions even harder. > Besides, most of Emacs' network security problems do not come from it > use of GnuTLS, but deficiencies in NSM. I believe Emacs' network > security can get much better faster if we focus our efforts on the > current design. Agreed. > Documenting security changes > ----------------------------------------- > Currently, Emacs' network security settings are poorly documented and > widely misunderstood. There's only one page on the entire Emacs manual > that briefly describes the checks NSM has, but it doesn't mention what > its relation is with GnuTLS. There is also no mention of NSM or GnuTLS > in the Emacs Lisp Reference whatsoever. NSM documentation that exists was adequate when the number of features it provided was small, which is what we had until now. With a vastly larger number of checks and customization opportunities, the documentation we have is entirely inadequate, and we must extend it. > I aim to improve it, but given the amount of work involved to bring > Emacs' network security up to date, I'd rather submit another patch > when the dust has settled. (*cough* feature creep *cough*) IMO this is a mistake, and I urge you to reconsider. While there's no need to follow up each code change on a scratch branch with a suitable documentation change, I think we already have a lot of added turf to document, and having at least that well documented will go a long way towards the goal. It could even make this discussion more efficient and more rational, since we would all be on the same page wrt the issues being discussed, even though not all of us are experts on these matters. Thanks again for working on this. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 8:16 ` Eli Zaretskii @ 2018-07-06 9:28 ` Robert Pluim 2018-07-06 13:18 ` Eli Zaretskii 2018-07-06 18:06 ` Jimmy Yuen Ho Wong 2018-07-06 13:03 ` Jimmy Yuen Ho Wong 1 sibling, 2 replies; 221+ messages in thread From: Robert Pluim @ 2018-07-06 9:28 UTC (permalink / raw) To: Eli Zaretskii; +Cc: eggert, Jimmy Yuen Ho Wong, emacs-devel, larsi, perry, rms Eli Zaretskii <eliz@gnu.org> writes: >> As to `high`, those 3 checks ideally should be included in `medium` > > I'm still questioning how can this be TRT. Please remember that > 'medium' in Emacs really means 'minimum', because 'low' has no > security checks at all. How can it make sense to have _all_ the > checks on the _minimum_ level? (I say "all" because you clearly think > 'high' and 'paranoid' should be removed, and their checks, those which > make sense, moved into 'medium'.) > Thatʼs not quite my reading. Jimmy says: until RSA KX, DHE KX and CBC ciphers go away completely from the servers, I believe putting them on the `high` level is appropriate. so, it not a proposal to move them now. By the time that can be done, I suspect there will be other checks that can be added into 'high'. And most checks *should* be on 'medium', since many people will never change the defaults. > Suppose I work in Emacs on an internal secure network that is > physically disconnected from the Internet (many enterprises, including > my daytime job, have such stand-alone networks as a matter of > routine). Why would I need all the checks you propose on such a > network? OTOH, I don't want to go to 'low' (i.e. 'none') on such > networks, because who knows what viri and other calamities can be once > in a blue moon present on some of the machines on that network. Current security thinking no longer makes a distinction between 'internal' and 'external' networks, they're all assumed to be potentially dangerous, so 'low' would never be appropriate (except for honeypot type activities). > Same questions regarding a home network, separated from the outside > world by a firewall. I have such a network at home. I also have family members who are not necessarily as aware of security issues as I am, and who also possess network connections that are not secured by my firewall. > Why shouldn't Emacs cater to such use cases? > > On the other end, there are legitimate use cases where users might > need to access sites and servers known in advance to be dangerous. > Why shouldn't Emacs provide a 'paranoid' set of settings for such use > cases? That I agree with, and thatʼs why I use 'paranoid', limited as it currently is. > The RFCs you cite and the vulnerabilities they describe should IMO be > carefully analyzed, in the context of typical Emacs jobs that require > network connections, and then we should grade them by their > importance, divide them into 3 or 4 meaningful classes (a.k.a. > "levels"), and let users change their settings in meaningful ways by > changing the level. Fine-grained settings should IMO also be > provided, but they cannot be the only solution that we offer our > users, precisely because not everyone has time to study each > individual feature, but they normally will have time to read a > description of 3 to 4 levels and decide which one is for them, > especially if we describe them in terms that are related to the > general environment rather than to specific vulnerabilities, similar > to how many laptops ask you to select whether the new connection is > for "home network", "enterprise", or "public network" -- that's > something that every user can normally answer. I donʼt think this is the right approach: the defaults should be as secure as we can make it whilst remaining reasonably convenient. I see no real use case for 4 separate classes that could meaningfully be used by a typical user (as distinct from 'low', 'paranoid', and the fine-grained settings, all intended for experts). >> More checks does not mean more inconvenience >> ----------------------------------------------------------------- >> NSM will only prompt you when a check fails *AND* these failed checks >> for a host have not been saved as exceptions. If you answer "session >> only" after the prompt, NSM will not prompt you again until you >> restart Emacs. If you answer "always", NSM will not prompt you again >> for those failed checks for that host as long as the exceptions are >> still saved on file. The ability of having a "chance to choose between >> the alternatives (convenience and safety) early enough that they won't >> beunsafe. The choice should come with an explanation of each option, >> first stating what situations it is recommended for, then what it >> does." is already implemented in master. >> >> Having said that, NSM currenly may prompt you many times if there is >> more than one security check failures, i.e. if your level is set to >> `high` and the server such as Google's is load balancing TLS >> connections with 2 or more certs with different fingerprints, and it's >> using SHA1 signatures, you will get 3 prompts. I have streamlined all >> of those in my branch so you only get prompted once for all the >> problems found. That's **more** convenience and "more" safety. You can >> have your cake and eat it too. > > These improvements are good (provided that they indeed work in > practice -- I will have to try them), but IMO they are not enough. > You assume each one of us has only one Emacs installation, with only > one HOME directory where settings are saved. But that is profoundly > not true: people have Emacs installed on several machines, with HOME > directories not necessarily shared. Emacs developers might very well > have several HOME directories on the same machine, for testing > purposes (I certainly have such setups and use them all the time). > Last, but not least, "emacs -Q" will not save any settings nor use > previously set ones. Iʼm not sure what youʼre proposing here. These settings are per-HOME, as all emacs settings are. Did you want some method for sharing the NSM settings? > That is why IMO we must make the default level strike a reasonable > balance between "more checks" and "convenience". It is IMO > unreasonable to base such a balance on the assumption that a dedicated > team of thugs with torture chambers are out there to get every one of > us. I think these cases are a minority, which should be catered to by > non-default security levels -- that's where 'high' and 'paranoid' > should come into the play. Even people not in physical danger deserve to have their communications protected from interception and snooping, as part of the basic human right to privacy and freedom from unjustified governmental tracking of their online behaviour. >> The `paranoid` level is security theatre. > > If the 'paranoid' level doesn't do a useful job, it should be modified > to do a useful job. The decision whether we even need such a level > should IMO be one we take _after_ classifying the vulnerabilities and > their prevention measures, not before. It is quite possible we will > decide that we don't need such a level, but the fact it is not useful > today doesn't mean it cannot be useful. > > I would very much like the security experts we have in our ranks help > us make these decisions by using their expertise to produce such an > analysis of the issues. Then this whole discussion would be much more > constructive, and I believe agreements could be reached much faster. > >> For STARTTLS, if the server does not support TLS, you will have gotten >> a prompt for using a plain connection already, so why the extra >> prompt? > > Does what you say cover Emacs built without TLS support, for example? > Thatʼs an excellent question to which I donʼt have an answer, although the 'open-network-stream' doc-string has: `starttls' -- Begin with an ordinary connection, and try upgrading via STARTTLS. If that fails for any reason, drop the connection; in that case the returned object is a killed process. and :use-starttls-if-possible is a boolean that says to do opportunistic STARTTLS upgrades even if Emacs doesn't have built-in TLS functionality. So perhaps we should ensure that all uses of it in emacs use that one or both of those where reasonable (the docstring for that function is long and complex, and all the possible interactions of various tls options are not obvious to me). As an aside, we should really try to steer people away from both cleartext *and* STARTTLS connections towards using direct TLS connections, but Iʼm not sure what the right method is there. >> Emacs is not (only) a browser, but that's a moot point >> ----------------------------------------------------------------------- >> Emacs' use base is diverse. People not only browse the Web with it, >> but read and reply to emails, browse newgroups, chat on >> IRC/Jabber/Slack, push code to Github etc., all of which require the >> network to be secured with TLS. While TLS is mostly used on the Web >> because of HTTPS, SSL/TLS has been mandatory for Gmail for many years >> now, Github also requires TLS for code push, and so do many chat >> servers. The way Emacs has deployed TLS either has a fault or it >> doesn't, it doesn't matter which protocol TLS is wrapping over. > > I don't see how your conclusion necessarily follows from the fact that > most or all protocols we use are secured with TLS. Isn't it true that > some of the vulnerabilities are only or mainly specific to some > protocols or even some classes of servers? Is it really true that, > say, fetching and sending email on the one side, browsing s Web page > on the other, and chatting on the third, all bump into the same set of > risks? This is the kind of analysis I'd like to see before we make up > our minds what should be in 'medium'. > > (Btw, is Github relevant to the issue at hand? We access Git > repositories by invoking Git, we don't access them from Emacs > directly, AFAIK.) > >> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 That might be going a bit far, but I can certainly do that locally and see what happens. > As I already said, this will delay the release of Emacs 26.2 by many > moons. From my POV, doing so is not a good idea, as we already have > quite a few non-trivial bugfixes on the emacs-26 branch, but if no one > else is bothered, I'm fine with doing that. > > IOW, this is a project-management decision, not a security-related > decision. > 26.1 is out there. 26.2 has some fixes, but I see nothing that requires a quick 26.2 release (but my perspective is skewed by the fact that I build from git anyway). >> I aim to improve it, but given the amount of work involved to bring >> Emacs' network security up to date, I'd rather submit another patch >> when the dust has settled. (*cough* feature creep *cough*) > > IMO this is a mistake, and I urge you to reconsider. While there's no > need to follow up each code change on a scratch branch with a suitable > documentation change, I think we already have a lot of added turf to > document, and having at least that well documented will go a long way > towards the goal. It could even make this discussion more efficient > and more rational, since we would all be on the same page wrt the > issues being discussed, even though not all of us are experts on these > matters. > Documentation is good. Iʼll see if I can find some time to work on that. > Thanks again for working on this. Likewise. Regards Robert ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 9:28 ` Robert Pluim @ 2018-07-06 13:18 ` Eli Zaretskii 2018-07-06 18:06 ` Jimmy Yuen Ho Wong 1 sibling, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 13:18 UTC (permalink / raw) To: Robert Pluim; +Cc: emacs-devel > From: Robert Pluim <rpluim@gmail.com> > Cc: Jimmy Yuen Ho Wong <wyuenho@gmail.com>, perry@piermont.com, larsi@gnus.org, eggert@cs.ucla.edu, rms@gnu.org, emacs-devel@gnu.org > Date: Fri, 06 Jul 2018 11:28:24 +0200 > > Eli Zaretskii <eliz@gnu.org> writes: > > >> As to `high`, those 3 checks ideally should be included in `medium` > > > > I'm still questioning how can this be TRT. Please remember that > > 'medium' in Emacs really means 'minimum', because 'low' has no > > security checks at all. How can it make sense to have _all_ the > > checks on the _minimum_ level? (I say "all" because you clearly think > > 'high' and 'paranoid' should be removed, and their checks, those which > > make sense, moved into 'medium'.) > > > > Thatʼs not quite my reading. Jimmy says: > > until RSA KX, DHE KX and CBC > ciphers go away completely from the servers, I believe putting them on > the `high` level is appropriate. > > so, it not a proposal to move them now. Not now, indeed, but only for temporary practical reasons: > As to `high`, those 3 checks ideally should be included in `medium` I was referring to the general tendency, which is quite clear. > By the time that can be done, I suspect there will be other checks > that can be added into 'high'. And most checks *should* be on > 'medium', since many people will never change the defaults. I agree that the defaults should be reasonable for that reason. My problem is with the "most" part: I'm not yet convinced it is TRT. > Current security thinking no longer makes a distinction between > 'internal' and 'external' networks, they're all assumed to be > potentially dangerous I question the wisdom of such security thinking. The security officer on my daytime job clearly disagrees with that. (Cannot tell the details here, because there will be too many people I'll have to take out and shoot afterwards ;-) > so 'low' would never be appropriate (except for honeypot type > activities). In Emacs, 'low' is actually 'none'. Which is an other thing that makes little sense to me. I know of no other application whose default security level is one notch above no security at all, they all provide a "less secure" level. So yes, I agree that 'low' in Emacs is almost never appropriate, but I agree for entirely different reasons. > > Same questions regarding a home network, separated from the outside > > world by a firewall. > > I have such a network at home. I also have family members who are not > necessarily as aware of security issues as I am, and who also possess > network connections that are not secured by my firewall. So your network may be less secure than my home network, where only machines and devices to which I explicitly allow access can connect. It's legitimate to have home networks of different security standards. What I think is not optimal is that Emacs would not provide a security level that allows me to specify a trusted environment. As someone who may not understand all the intricacies of the individual security features we provide, and might have no time to read up on all of them, I might still be competent enough to set up my home network securely (or hire someone to do that), and be sure it is not as vulnerable as a public network or an Internet connection or the home network of the guy next door. > I donʼt think this is the right approach: the defaults should be as > secure as we can make it whilst remaining reasonably convenient. Once again, we agree with the principles, it's the details which matter. Isn't it true that any failed check will pop up some prompt or message? Isn't it true that each such prompt makes using Emacs less convenient? If the answer is YES to both questions, then we need to find the optimal set of features we turn on so that Emacs is "as secure as we can make it whilst remaining reasonably convenient". Right? > I see no real use case for 4 separate classes that could > meaningfully be used by a typical user How can you say that before we classify the risks into however many classes they present? Maybe I will agree with you once we have such a classification, but not in advance. > >> Having said that, NSM currenly may prompt you many times if there is > >> more than one security check failures, i.e. if your level is set to > >> `high` and the server such as Google's is load balancing TLS > >> connections with 2 or more certs with different fingerprints, and it's > >> using SHA1 signatures, you will get 3 prompts. I have streamlined all > >> of those in my branch so you only get prompted once for all the > >> problems found. That's **more** convenience and "more" safety. You can > >> have your cake and eat it too. > > > > These improvements are good (provided that they indeed work in > > practice -- I will have to try them), but IMO they are not enough. > > You assume each one of us has only one Emacs installation, with only > > one HOME directory where settings are saved. But that is profoundly > > not true: people have Emacs installed on several machines, with HOME > > directories not necessarily shared. Emacs developers might very well > > have several HOME directories on the same machine, for testing > > purposes (I certainly have such setups and use them all the time). > > Last, but not least, "emacs -Q" will not save any settings nor use > > previously set ones. > > Iʼm not sure what youʼre proposing here. I'm saying we cannot rely on the fact that NSM asks certain questions only once. We cannot see that feature as a solution for annoyance. > > That is why IMO we must make the default level strike a reasonable > > balance between "more checks" and "convenience". It is IMO > > unreasonable to base such a balance on the assumption that a dedicated > > team of thugs with torture chambers are out there to get every one of > > us. I think these cases are a minority, which should be catered to by > > non-default security levels -- that's where 'high' and 'paranoid' > > should come into the play. > > Even people not in physical danger deserve to have their > communications protected from interception and snooping, as part of > the basic human right to privacy and freedom from unjustified > governmental tracking of their online behaviour. But people in physical danger need more protection, don't you agree? And for those people in danger, additional inconvenience is justified, right? But that additional inconvenience is net necessarily justified for people who are NOT in physical danger, for them it's just an annoyance. Same thing for when the probability of someone snooping on you is lower than for someone else. For these reasons, I find the "one level fits all" idea sub-optimal. > As an aside, we should really try to steer people away from both > cleartext *and* STARTTLS connections towards using direct TLS > connections I agree, but my point was that perhaps 'paranoid' should fail any non-TLS connections, whereas other levels should not automatically fail them. Or something like that. > > As I already said, this will delay the release of Emacs 26.2 by many > > moons. From my POV, doing so is not a good idea, as we already have > > quite a few non-trivial bugfixes on the emacs-26 branch, but if no one > > else is bothered, I'm fine with doing that. > > > > IOW, this is a project-management decision, not a security-related > > decision. > > > > 26.1 is out there. 26.2 has some fixes, but I see nothing that > requires a quick 26.2 release (but my perspective is skewed by the > fact that I build from git anyway). Yes, I think your perspective is different from mine. I see quite a few bugfixes that are important to get out ASAP. Just look at "git log" past the release, and I believe you will agree. > Documentation is good. Iʼll see if I can find some time to work on > that. Thank you very much. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 9:28 ` Robert Pluim 2018-07-06 13:18 ` Eli Zaretskii @ 2018-07-06 18:06 ` Jimmy Yuen Ho Wong 2018-07-06 18:48 ` Perry E. Metzger ` (2 more replies) 1 sibling, 3 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-06 18:06 UTC (permalink / raw) To: Emacs-Devel devel Cc: Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms, Perry E. Metzger > >> Same questions regarding a home network, separated from the outside >> world by a firewall. > > I have such a network at home. I also have family members who are not > necessarily as aware of security issues as I am, and who also possess > network connections that are not secured by my firewall. > >> Why shouldn't Emacs cater to such use cases? >> >> On the other end, there are legitimate use cases where users might >> need to access sites and servers known in advance to be dangerous. >> Why shouldn't Emacs provide a 'paranoid' set of settings for such use >> cases? > > That I agree with, and thatʼs why I use 'paranoid', limited as it > currently is. > I disagree that prompting for pretty much every TLS connection is a good idea. In security circles these days, there's such a thing known as "security fatigue". Overly troublesome security measure that don't take human psychology into account will lead to numbness. A side effect of that is users will simply start ignoring security warnings like they skip reading iTunes's EULA. This is an adverse unintended consequence that achieves the opposite of what we want to do here. >>> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 > > That might be going a bit far, but I can certainly do that locally and > see what happens. > As I've said, setting `gnutls-min-prime-bits` to nil simply means GnuTLS will negotiate the right number of DH bits on the user's behalf, starting from 1008 bits since 3.3.0. > > Documentation is good. Iʼll see if I can find some time to work on > that. > Thanks for helping out :) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 18:06 ` Jimmy Yuen Ho Wong @ 2018-07-06 18:48 ` Perry E. Metzger 2018-07-07 7:02 ` Eli Zaretskii 2018-07-07 9:36 ` Robert Pluim 2 siblings, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-06 18:48 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms, Emacs-Devel devel On Fri, 6 Jul 2018 19:06:29 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > I disagree that prompting for pretty much every TLS connection is a > good idea. In security circles these days, there's such a thing > known as "security fatigue". Overly troublesome security measure > that don't take human psychology into account will lead to > numbness. A side effect of that is users will simply start ignoring > security warnings like they skip reading iTunes's EULA. This is an > adverse unintended consequence that achieves the opposite of what > we want to do here. This is an incredibly important point. Users cannot meaningfully make decision after decision after decision without burning out and ceasing to have any real sense of what they're doing. The published studies say people start clicking through regardless of the warnings after a while. This is one of the reasons that browsers like Firefox now no longer provide so many decision points for users. There's nothing wrong with letting users customize policies in their .emacs file, but constantly prompting people to make decisions based on little information is not really workable. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 18:06 ` Jimmy Yuen Ho Wong 2018-07-06 18:48 ` Perry E. Metzger @ 2018-07-07 7:02 ` Eli Zaretskii 2018-07-07 9:36 ` Robert Pluim 2 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 7:02 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: eggert, larsi, perry, rms, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Fri, 6 Jul 2018 19:06:29 +0100 > Cc: Eli Zaretskii <eliz@gnu.org>, "Perry E. Metzger" <perry@piermont.com>, Lars Ingebrigtsen <larsi@gnus.org>, > Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org > > In security circles these days, there's such a thing known as > "security fatigue". Overly troublesome security measure that don't > take human psychology into account will lead to numbness. A side > effect of that is users will simply start ignoring security warnings > like they skip reading iTunes's EULA. Exactly my concerns wrt putting too many checks into 'medium'. Is there any way to know in advance the percentage of connections (by protocol, if possible) that will trigger any of those checks? If so, we could have some quantitative measure of when the "fatigue" might strike, and decide accordingly. Failing that, I guess the only way would be to let users complain... ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 18:06 ` Jimmy Yuen Ho Wong 2018-07-06 18:48 ` Perry E. Metzger 2018-07-07 7:02 ` Eli Zaretskii @ 2018-07-07 9:36 ` Robert Pluim 2018-07-07 9:59 ` Jimmy Yuen Ho Wong 2 siblings, 1 reply; 221+ messages in thread From: Robert Pluim @ 2018-07-07 9:36 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Paul Eggert, rms, Perry E. Metzger, Eli Zaretskii, Emacs-Devel devel, Lars Ingebrigtsen Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > I disagree that prompting for pretty much every TLS connection is a > good idea. In security circles these days, there's such a thing known > as "security fatigue". Overly troublesome security measure that don't > take human psychology into account will lead to numbness. A side > effect of that is users will simply start ignoring security warnings > like they skip reading iTunes's EULA. This is an adverse unintended > consequence that achieves the opposite of what we want to do here. For normal usage, we should absolutely not prompt too much [1]. Iʼm not recommending 'paranoid' to anyone, but in my specific circumstances itʼs the right thing to do. >>>> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 >> >> That might be going a bit far, but I can certainly do that locally and >> see what happens. >> > > As I've said, setting `gnutls-min-prime-bits` to nil simply means > GnuTLS will negotiate the right number of DH bits on the user's > behalf, starting from 1008 bits since 3.3.0. > >> >> Documentation is good. Iʼll see if I can find some time to work on >> that. >> > > Thanks for helping out :) Is your work on a git branch somewhere? Regards Robert Footnotes: [1] If you fix the double-prompting caused by google's certificate load-balancing, that would reduce it a lot for me :-) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 9:36 ` Robert Pluim @ 2018-07-07 9:59 ` Jimmy Yuen Ho Wong 2018-07-07 10:01 ` Jimmy Yuen Ho Wong ` (2 more replies) 0 siblings, 3 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 9:59 UTC (permalink / raw) To: Emacs-Devel devel Cc: Perry E. Metzger, Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms On Sat, Jul 7, 2018 at 10:36 AM, Robert Pluim <rpluim@gmail.com> wrote: > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > >> I disagree that prompting for pretty much every TLS connection is a >> good idea. In security circles these days, there's such a thing known >> as "security fatigue". Overly troublesome security measure that don't >> take human psychology into account will lead to numbness. A side >> effect of that is users will simply start ignoring security warnings >> like they skip reading iTunes's EULA. This is an adverse unintended >> consequence that achieves the opposite of what we want to do here. > > For normal usage, we should absolutely not prompt too much [1]. Iʼm not > recommending 'paranoid' to anyone, but in my specific circumstances > itʼs the right thing to do. > I still fail to see what those circumstances are that warrant prompting the user whenever he visits a URL with TLS that he hasn't visited before. >>>>> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 >>> >>> That might be going a bit far, but I can certainly do that locally and >>> see what happens. >>> >> >> As I've said, setting `gnutls-min-prime-bits` to nil simply means >> GnuTLS will negotiate the right number of DH bits on the user's >> behalf, starting from 1008 bits since 3.3.0. >> >>> >>> Documentation is good. Iʼll see if I can find some time to work on >>> that. >>> >> >> Thanks for helping out :) > > Is your work on a git branch somewhere? It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks Diff to master: https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks You can just fork my fork and send over a PR. There's still a couple of things I need to do: 1. Implement `nsm-trust-local-network` 2. Remove that change in src/gnutls.h not needed for bug#31946 (this is from my OCSP stash still sitting on my machine) 3. Write some ert tests, but this should affect the doc effort 4. I might throw in a few more checks to detech DHE-DSS key exchange and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do browsers, but I haven't been able to find much information about them other than they are not used. There's a claim made that DSS key exchange is just as bad as static RSA, but DHE-DSS is not that same as DSS... Thanks again! > > Regards > > Robert > > Footnotes: > [1] If you fix the double-prompting caused by google's certificate > load-balancing, that would reduce it a lot for me :-) > ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 9:59 ` Jimmy Yuen Ho Wong @ 2018-07-07 10:01 ` Jimmy Yuen Ho Wong 2018-07-07 21:44 ` Ted Zlatanov 2018-07-09 13:09 ` Robert Pluim 2 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 10:01 UTC (permalink / raw) To: Emacs-Devel devel Cc: Perry E. Metzger, Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms > Write some ert tests, but this should affect the doc effort I mean it shouldn't... I can't type On Sat, Jul 7, 2018 at 10:59 AM, Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > On Sat, Jul 7, 2018 at 10:36 AM, Robert Pluim <rpluim@gmail.com> wrote: >> Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: >> >>> I disagree that prompting for pretty much every TLS connection is a >>> good idea. In security circles these days, there's such a thing known >>> as "security fatigue". Overly troublesome security measure that don't >>> take human psychology into account will lead to numbness. A side >>> effect of that is users will simply start ignoring security warnings >>> like they skip reading iTunes's EULA. This is an adverse unintended >>> consequence that achieves the opposite of what we want to do here. >> >> For normal usage, we should absolutely not prompt too much [1]. Iʼm not >> recommending 'paranoid' to anyone, but in my specific circumstances >> itʼs the right thing to do. >> > > I still fail to see what those circumstances are that warrant > prompting the user whenever he visits a URL with TLS that he hasn't > visited before. > >>>>>> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 >>>> >>>> That might be going a bit far, but I can certainly do that locally and >>>> see what happens. >>>> >>> >>> As I've said, setting `gnutls-min-prime-bits` to nil simply means >>> GnuTLS will negotiate the right number of DH bits on the user's >>> behalf, starting from 1008 bits since 3.3.0. >>> >>>> >>>> Documentation is good. Iʼll see if I can find some time to work on >>>> that. >>>> >>> >>> Thanks for helping out :) >> >> Is your work on a git branch somewhere? > > It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks > > Diff to master: > https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks > > You can just fork my fork and send over a PR. > > There's still a couple of things I need to do: > > 1. Implement `nsm-trust-local-network` > 2. Remove that change in src/gnutls.h not needed for bug#31946 (this > is from my OCSP stash still sitting on my machine) > 3. Write some ert tests, but this should affect the doc effort > 4. I might throw in a few more checks to detech DHE-DSS key exchange > and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do > browsers, but I haven't been able to find much information about them > other than they are not used. There's a claim made that DSS key > exchange is just as bad as static RSA, but DHE-DSS is not that same as > DSS... > > Thanks again! > >> >> Regards >> >> Robert >> >> Footnotes: >> [1] If you fix the double-prompting caused by google's certificate >> load-balancing, that would reduce it a lot for me :-) >> ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 9:59 ` Jimmy Yuen Ho Wong 2018-07-07 10:01 ` Jimmy Yuen Ho Wong @ 2018-07-07 21:44 ` Ted Zlatanov 2018-07-07 21:59 ` Paul Eggert 2018-07-07 22:13 ` Jimmy Yuen Ho Wong 2018-07-09 13:09 ` Robert Pluim 2 siblings, 2 replies; 221+ messages in thread From: Ted Zlatanov @ 2018-07-07 21:44 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Paul Eggert, rms, Perry E. Metzger, Eli Zaretskii, Emacs-Devel devel, Lars Ingebrigtsen On Sat, 7 Jul 2018 10:59:42 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: JYHW> On Sat, Jul 7, 2018 at 10:36 AM, Robert Pluim <rpluim@gmail.com> wrote: >> Is your work on a git branch somewhere? JYHW> It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks JYHW> Diff to master: JYHW> https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks JYHW> You can just fork my fork and send over a PR. Hi Jimmy, I think your work is terrific. Sorry if this has been discussed before but I couldn't find the answer to a key question: have you signed the contributor papers? If yes, I'd like to put your code in an emacs.git branch e.g. feature/wyuenho/additional-nsm-checks so people can start testing it without requiring Github access. JYHW> There's still a couple of things I need to do: [omitted] Are any of those blockers for pushing the code into that branch? Thanks Ted ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 21:44 ` Ted Zlatanov @ 2018-07-07 21:59 ` Paul Eggert 2018-07-07 22:11 ` Jimmy Yuen Ho Wong 2018-07-07 22:13 ` Jimmy Yuen Ho Wong 1 sibling, 1 reply; 221+ messages in thread From: Paul Eggert @ 2018-07-07 21:59 UTC (permalink / raw) To: Ted Zlatanov, Jimmy Yuen Ho Wong Cc: Eli Zaretskii, Perry E. Metzger, Lars Ingebrigtsen, rms, Emacs-Devel devel Ted Zlatanov wrote: > I couldn't find the answer to a key question: have you signed the > contributor papers? He's not listed by the FSF copyright clerk as having done so. Jimmy, have you started the ball rolling on the paperwork for that? If not, I can email you the appropriate forms. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 21:59 ` Paul Eggert @ 2018-07-07 22:11 ` Jimmy Yuen Ho Wong 2018-07-09 23:09 ` Ted Zlatanov 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 22:11 UTC (permalink / raw) To: Paul Eggert Cc: rms, tzz, Perry E. Metzger, Lars Ingebrigtsen, Emacs-Devel devel, Eli Zaretskii > > Ted Zlatanov wrote: > > I couldn't find the answer to a key question: have you signed the > > contributor papers? > > He's not listed by the FSF copyright clerk as having done so. Jimmy, have you > started the ball rolling on the paperwork for that? If not, I can email you the > appropriate forms. I have signed and emailed it back 2 weeks ago. I'll ping the clerk again. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 22:11 ` Jimmy Yuen Ho Wong @ 2018-07-09 23:09 ` Ted Zlatanov 2018-07-10 18:20 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Ted Zlatanov @ 2018-07-09 23:09 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Paul Eggert, rms, Emacs-Devel devel, Eli Zaretskii, Perry E. Metzger, Lars Ingebrigtsen On Sat, 7 Jul 2018 23:11:50 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: >> Ted Zlatanov wrote: >> > I couldn't find the answer to a key question: have you signed the >> > contributor papers? >> >> He's not listed by the FSF copyright clerk as having done so. Jimmy, have you >> started the ball rolling on the paperwork for that? If not, I can email you the >> appropriate forms. JYHW> I have signed and emailed it back 2 weeks ago. I'll ping the clerk again. OK. You should probably be able to commit to emacs.git as well. Ted ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 23:09 ` Ted Zlatanov @ 2018-07-10 18:20 ` Jimmy Yuen Ho Wong 2018-07-10 18:36 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-10 18:20 UTC (permalink / raw) To: Ted Zlatanov Cc: Paul Eggert, rms, Emacs-Devel devel, Eli Zaretskii, Perry E. Metzger, Lars Ingebrigtsen > OK. You should probably be able to commit to emacs.git as well. > > Ted Wooot! Thanks! How do I push my branch to Savannah tho? I just created an account after seeing this email. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-10 18:20 ` Jimmy Yuen Ho Wong @ 2018-07-10 18:36 ` Eli Zaretskii 2018-07-10 18:40 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-10 18:36 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: eggert, rms, tzz, emacs-devel, larsi, perry > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Tue, 10 Jul 2018 19:20:28 +0100 > Cc: Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org, > "Perry E. Metzger" <perry@piermont.com>, Lars Ingebrigtsen <larsi@gnus.org>, > Emacs-Devel devel <emacs-devel@gnu.org>, Eli Zaretskii <eliz@gnu.org> > > > OK. You should probably be able to commit to emacs.git as well. > > > > Ted > > Wooot! Thanks! How do I push my branch to Savannah tho? You need to get write access, and for that we need to wait till your legal paperwork is completed (it isn't as of now, AFAICT). Thanks. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-10 18:36 ` Eli Zaretskii @ 2018-07-10 18:40 ` Jimmy Yuen Ho Wong 2018-07-10 18:58 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-10 18:40 UTC (permalink / raw) To: Eli Zaretskii Cc: Paul Eggert, rms, Ted Zlatanov, Emacs-Devel devel, Lars Ingebrigtsen, Perry E. Metzger On Tue, Jul 10, 2018 at 7:37 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Tue, 10 Jul 2018 19:20:28 +0100 > > Cc: Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org, > > "Perry E. Metzger" <perry@piermont.com>, Lars Ingebrigtsen <larsi@gnus.org>, > > Emacs-Devel devel <emacs-devel@gnu.org>, Eli Zaretskii <eliz@gnu.org> > > > > > OK. You should probably be able to commit to emacs.git as well. > > > > > > Ted > > > > Wooot! Thanks! How do I push my branch to Savannah tho? > > You need to get write access, and for that we need to wait till your > legal paperwork is completed (it isn't as of now, AFAICT). > > Thanks. Do you know what's holding the clerk up? It's been more than a few weeks already and I've pinged the clerk a few days ago. She still hasn't replied. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-10 18:40 ` Jimmy Yuen Ho Wong @ 2018-07-10 18:58 ` Eli Zaretskii 2018-07-13 20:50 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-10 18:58 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: eggert, rms, tzz, emacs-devel, larsi, perry > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Tue, 10 Jul 2018 19:40:22 +0100 > Cc: Ted Zlatanov <tzz@lifelogs.com>, Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org, > "Perry E. Metzger" <perry@piermont.com>, Lars Ingebrigtsen <larsi@gnus.org>, > Emacs-Devel devel <emacs-devel@gnu.org> > > Do you know what's holding the clerk up? It's been more than a few > weeks already and I've pinged the clerk a few days ago. She still > hasn't replied. Summer vacations, I guess. Just keep pinging until you get a reply. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-10 18:58 ` Eli Zaretskii @ 2018-07-13 20:50 ` Jimmy Yuen Ho Wong 2018-07-14 6:37 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-13 20:50 UTC (permalink / raw) To: Eli Zaretskii Cc: Paul Eggert, rms, Ted Zlatanov, Emacs-Devel devel, Lars Ingebrigtsen, Perry E. Metzger On Tue, Jul 10, 2018 at 7:59 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Tue, 10 Jul 2018 19:40:22 +0100 > > Cc: Ted Zlatanov <tzz@lifelogs.com>, Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org, > > "Perry E. Metzger" <perry@piermont.com>, Lars Ingebrigtsen <larsi@gnus.org>, > > Emacs-Devel devel <emacs-devel@gnu.org> > > > > Do you know what's holding the clerk up? It's been more than a few > > weeks already and I've pinged the clerk a few days ago. She still > > hasn't replied. > > Summer vacations, I guess. Just keep pinging until you get a reply. Just got confirmation that my paperwork had been signed by all parties. Set me up? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-13 20:50 ` Jimmy Yuen Ho Wong @ 2018-07-14 6:37 ` Eli Zaretskii 2018-07-14 17:18 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-14 6:37 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: eggert, rms, tzz, emacs-devel, larsi, perry > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Fri, 13 Jul 2018 21:50:41 +0100 > Cc: Ted Zlatanov <tzz@lifelogs.com>, Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org, > "Perry E. Metzger" <perry@piermont.com>, Lars Ingebrigtsen <larsi@gnus.org>, > Emacs-Devel devel <emacs-devel@gnu.org> > > Just got confirmation that my paperwork had been signed by all > parties. Set me up? Yes, your name i now on file. But I see you didn't request membership in the emacs project, or maybe I don't recognize your user name among those who did. You need to request membership, and then I can approve you, which gives you write access to the repository. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-14 6:37 ` Eli Zaretskii @ 2018-07-14 17:18 ` Jimmy Yuen Ho Wong 2018-07-14 18:25 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-14 17:18 UTC (permalink / raw) To: Eli Zaretskii Cc: Paul Eggert, rms, Ted Zlatanov, Perry E. Metzger, Lars Ingebrigtsen, Emacs-Devel devel Hi All, I've just pushed a "netsec" branch to Savannah. Here's a summary of the changes: * Ability to specify a bunch of CRL PEM files on your system for GnuTLS to verify against * Set the standard value of `gnutls-min-prime-bits` to nil so GnuTLS can do its thing using its own default * Completely revamped NSM checks - many new checks and bug fixes, please see the commit diff for details * New `nsm-trust-local-network` option to bypass implicitly trusted NSM checks on local networks * Revamped NSM prompt - full certificate chain details now available, summary is also more useful now Planned TODOs: * OCSP * Update NEWS and the manual Please help me test the **** of out this branch with all kinds of networks, OSes and servers. Thank you so much! On Sat, Jul 14, 2018 at 7:37 AM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Fri, 13 Jul 2018 21:50:41 +0100 > > Cc: Ted Zlatanov <tzz@lifelogs.com>, Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org, > > "Perry E. Metzger" <perry@piermont.com>, Lars Ingebrigtsen <larsi@gnus.org>, > > Emacs-Devel devel <emacs-devel@gnu.org> > > > > Just got confirmation that my paperwork had been signed by all > > parties. Set me up? > > Yes, your name i now on file. But I see you didn't request membership > in the emacs project, or maybe I don't recognize your user name among > those who did. You need to request membership, and then I can approve > you, which gives you write access to the repository. > ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-14 17:18 ` Jimmy Yuen Ho Wong @ 2018-07-14 18:25 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-14 18:25 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: eggert, rms, tzz, perry, larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sat, 14 Jul 2018 18:18:52 +0100 > Cc: Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org, Ted Zlatanov <tzz@lifelogs.com>, > Emacs-Devel devel <emacs-devel@gnu.org>, Lars Ingebrigtsen <larsi@gnus.org>, > "Perry E. Metzger" <perry@piermont.com> > > I've just pushed a "netsec" branch to Savannah. Thanks! ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 21:44 ` Ted Zlatanov 2018-07-07 21:59 ` Paul Eggert @ 2018-07-07 22:13 ` Jimmy Yuen Ho Wong 1 sibling, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-07 22:13 UTC (permalink / raw) To: tzz Cc: Paul Eggert, rms, Perry E. Metzger, Eli Zaretskii, Emacs-Devel devel, Lars Ingebrigtsen > > I think your work is terrific. Sorry if this has been discussed before > but I couldn't find the answer to a key question: have you signed the > contributor papers? > > If yes, I'd like to put your code in an emacs.git branch e.g. > feature/wyuenho/additional-nsm-checks so people can start testing it > without requiring Github access. > That'll be nice thanks! > > Are any of those blockers for pushing the code into that branch? > Nope. It works at least on my machine. Would be nice if people can test it on theirs :) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-07 9:59 ` Jimmy Yuen Ho Wong 2018-07-07 10:01 ` Jimmy Yuen Ho Wong 2018-07-07 21:44 ` Ted Zlatanov @ 2018-07-09 13:09 ` Robert Pluim 2018-07-09 13:33 ` Jimmy Yuen Ho Wong 2 siblings, 1 reply; 221+ messages in thread From: Robert Pluim @ 2018-07-09 13:09 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Paul Eggert, rms, Perry E. Metzger, Eli Zaretskii, Emacs-Devel devel, Lars Ingebrigtsen Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: >> Is your work on a git branch somewhere? > > It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks > > Diff to master: > https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks > > You can just fork my fork and send over a PR. > > There's still a couple of things I need to do: > > 1. Implement `nsm-trust-local-network` > 2. Remove that change in src/gnutls.h not needed for bug#31946 (this > is from my OCSP stash still sitting on my machine) It needs either removing or making it work with earlier versions of GnuTLS: gnutls.c: In function ‘Fgnutls_peer_status’: gnutls.c:1353:22: error: ‘GNUTLS_CERT_MISSING_OCSP_STATUS’ undeclared (first use in this function) I have: pkg-config --modversion gnutls 3.4.10 I think the OCSP stuff is 3.6.something. > 3. Write some ert tests, but this should affect the doc effort > 4. I might throw in a few more checks to detech DHE-DSS key exchange > and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do > browsers, but I haven't been able to find much information about them > other than they are not used. There's a claim made that DSS key > exchange is just as bad as static RSA, but DHE-DSS is not that same as > DSS... I see youʼre checking for TLS < 1.1. TLS 1.1 has its fair share of reported issues as well, perhaps we should check for < 1.2 (or we could put that on 'high). Regards Robert ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 13:09 ` Robert Pluim @ 2018-07-09 13:33 ` Jimmy Yuen Ho Wong 2018-07-09 13:43 ` Lars Ingebrigtsen 2018-07-10 0:02 ` Perry E. Metzger 0 siblings, 2 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 13:33 UTC (permalink / raw) To: Emacs-Devel devel Cc: Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms, Perry E. Metzger On Mon, Jul 9, 2018 at 2:09 PM Robert Pluim <rpluim@gmail.com> wrote: > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > >> Is your work on a git branch somewhere? > > > > It's on Github: https://github.com/wyuenho/emacs/tree/additional-nsm-checks > > > > Diff to master: > > https://github.com/emacs-mirror/emacs/compare/master...wyuenho:additional-nsm-checks > > > > You can just fork my fork and send over a PR. > > > > There's still a couple of things I need to do: > > > > 1. Implement `nsm-trust-local-network` > > 2. Remove that change in src/gnutls.h not needed for bug#31946 (this > > is from my OCSP stash still sitting on my machine) > > It needs either removing or making it work with earlier versions of GnuTLS: > > gnutls.c: In function ‘Fgnutls_peer_status’: > gnutls.c:1353:22: error: ‘GNUTLS_CERT_MISSING_OCSP_STATUS’ undeclared (first use in this function) > > I have: > > pkg-config --modversion gnutls > 3.4.10 > > I think the OCSP stuff is 3.6.something. > Ah! Thank you! It's >= 3.5.1. I just pushed a change to fix this. > > 3. Write some ert tests, but this should affect the doc effort > > 4. I might throw in a few more checks to detech DHE-DSS key exchange > > and DSA signature. IETF TLSWG has removed it from TLS 1.3, so do > > browsers, but I haven't been able to find much information about them > > other than they are not used. There's a claim made that DSS key > > exchange is just as bad as static RSA, but DHE-DSS is not that same as > > DSS... > > I see youʼre checking for TLS < 1.1. TLS 1.1 has its fair share of > reported issues as well, perhaps we should check for < 1.2 (or we > could put that on 'high). > I thought about this, but there's no standard that bans TLS 1.1, nor TLS client implementations that disabled it by default. Besides, all the problems TLS 1.1 has is already checked by the other checks. This reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the problems it has is already checked by other checks too. So maybe even checking for 1.0 is already too strict, but PCI DSS does ban it, so... ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 13:33 ` Jimmy Yuen Ho Wong @ 2018-07-09 13:43 ` Lars Ingebrigtsen 2018-07-09 13:49 ` Jimmy Yuen Ho Wong ` (2 more replies) 2018-07-10 0:02 ` Perry E. Metzger 1 sibling, 3 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-09 13:43 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Paul Eggert, Eli Zaretskii, Perry E. Metzger, rms, Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > I thought about this, but there's no standard that bans TLS 1.1, nor > TLS client implementations that disabled it by default. Besides, all > the problems TLS 1.1 has is already checked by the other checks. This > reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the > problems it has is already checked by other checks too. So maybe even > checking for 1.0 is already too strict, but PCI DSS does ban it, so... For those who don't understand security acronym soup, the latter means "Payment Card Industry Data Security Standard". And I don't think that's the level we should be considering for Emacs, even at the "high" level, because it's pretty... excessive. Last time I checked. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 13:43 ` Lars Ingebrigtsen @ 2018-07-09 13:49 ` Jimmy Yuen Ho Wong 2018-07-09 17:15 ` Eli Zaretskii 2018-07-10 0:03 ` Perry E. Metzger 2 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 13:49 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Paul Eggert, Eli Zaretskii, Perry E. Metzger, rms, Emacs-Devel devel On Mon, Jul 9, 2018 at 2:44 PM Lars Ingebrigtsen <larsi@gnus.org> wrote: > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > I thought about this, but there's no standard that bans TLS 1.1, nor > > TLS client implementations that disabled it by default. Besides, all > > the problems TLS 1.1 has is already checked by the other checks. This > > reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the > > problems it has is already checked by other checks too. So maybe even > > checking for 1.0 is already too strict, but PCI DSS does ban it, so... > > For those who don't understand security acronym soup, the latter means > "Payment Card Industry Data Security Standard". > > And I don't think that's the level we should be considering for Emacs, > even at the "high" level, because it's pretty... excessive. Last time > I checked. > The only TLS requirement in PCI DSS is to use TLS 1.1 and above. There's no other requirement that I'm aware of. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 13:43 ` Lars Ingebrigtsen 2018-07-09 13:49 ` Jimmy Yuen Ho Wong @ 2018-07-09 17:15 ` Eli Zaretskii 2018-07-09 17:24 ` Jimmy Yuen Ho Wong 2018-07-10 0:03 ` Perry E. Metzger 2 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-09 17:15 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: eggert, perry, wyuenho, rms, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: Emacs-Devel devel <emacs-devel@gnu.org>, "Perry E. Metzger" <perry@piermont.com>, Eli Zaretskii <eliz@gnu.org>, Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org > Date: Mon, 09 Jul 2018 15:43:43 +0200 > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > I thought about this, but there's no standard that bans TLS 1.1, nor > > TLS client implementations that disabled it by default. Besides, all > > the problems TLS 1.1 has is already checked by the other checks. This > > reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the > > problems it has is already checked by other checks too. So maybe even > > checking for 1.0 is already too strict, but PCI DSS does ban it, so... > > For those who don't understand security acronym soup, the latter means > "Payment Card Industry Data Security Standard". > > And I don't think that's the level we should be considering for Emacs, > even at the "high" level, because it's pretty... excessive. Last time > I checked. So maybe for 'paranoid'? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 17:15 ` Eli Zaretskii @ 2018-07-09 17:24 ` Jimmy Yuen Ho Wong 2018-07-10 0:06 ` Perry E. Metzger 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 17:24 UTC (permalink / raw) To: Eli Zaretskii Cc: Paul Eggert, Lars Ingebrigtsen, Perry E. Metzger, rms, Emacs-Devel devel On Mon, Jul 9, 2018 at 6:15 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Lars Ingebrigtsen <larsi@gnus.org> > > Cc: Emacs-Devel devel <emacs-devel@gnu.org>, "Perry E. Metzger" <perry@piermont.com>, Eli Zaretskii <eliz@gnu.org>, Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org > > Date: Mon, 09 Jul 2018 15:43:43 +0200 > > > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > > > I thought about this, but there's no standard that bans TLS 1.1, nor > > > TLS client implementations that disabled it by default. Besides, all > > > the problems TLS 1.1 has is already checked by the other checks. This > > > reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the > > > problems it has is already checked by other checks too. So maybe even > > > checking for 1.0 is already too strict, but PCI DSS does ban it, so... > > > > For those who don't understand security acronym soup, the latter means > > "Payment Card Industry Data Security Standard". > > > > And I don't think that's the level we should be considering for Emacs, > > even at the "high" level, because it's pretty... excessive. Last time > > I checked. > > So maybe for 'paranoid'? Nooooooo...... enough with this 'paranoid business already :( As I've replied to Robert and a few others already, the checks I have done is already multi-layered. Under normal circumtances, warning for TLS 1.0 should already takes care of checking of CBC mode ciphers/encrypt-then-MAC (if the server was configured correctly when TLS 1.0 was in vogue), but I check both regardless. The checks are already plenty paranoid without being crying-wolf under a vast majority normal usage. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 17:24 ` Jimmy Yuen Ho Wong @ 2018-07-10 0:06 ` Perry E. Metzger 0 siblings, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-10 0:06 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms, Emacs-Devel devel On Mon, 9 Jul 2018 18:24:03 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > On Mon, Jul 9, 2018 at 6:15 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > > > From: Lars Ingebrigtsen <larsi@gnus.org> > > > Cc: Emacs-Devel devel <emacs-devel@gnu.org>, "Perry E. > > > Metzger" <perry@piermont.com>, Eli Zaretskii <eliz@gnu.org>, > > > Paul Eggert <eggert@cs.ucla.edu>, rms@gnu.org Date: Mon, 09 > > > Jul 2018 15:43:43 +0200 > > > > > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > > > > > I thought about this, but there's no standard that bans TLS > > > > 1.1, nor TLS client implementations that disabled it by > > > > default. Besides, all the problems TLS 1.1 has is already > > > > checked by the other checks. This reason I'm checking for TLS > > > > 1.0 is somewhat arbitrary, as all the problems it has is > > > > already checked by other checks too. So maybe even checking > > > > for 1.0 is already too strict, but PCI DSS does ban it, > > > > so... > > > > > > For those who don't understand security acronym soup, the > > > latter means "Payment Card Industry Data Security Standard". > > > > > > And I don't think that's the level we should be considering for > > > Emacs, even at the "high" level, because it's pretty... > > > excessive. Last time I checked. > > > > So maybe for 'paranoid'? > > Nooooooo...... enough with this 'paranoid business already :( > > As I've replied to Robert and a few others already, the checks I > have done is already multi-layered. Under normal circumtances, > warning for TLS 1.0 should already takes care of checking of CBC > mode ciphers/encrypt-then-MAC (if the server was configured > correctly when TLS 1.0 was in vogue), but I check both regardless. > The checks are already plenty paranoid without being crying-wolf > under a vast majority normal usage. I strongly agree. PCI compliance is an industry base/minimum. It's not paranoid. It's not even what I'd prefer -- it isn't nearly good enough on TLS standards, but it's fine. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 13:43 ` Lars Ingebrigtsen 2018-07-09 13:49 ` Jimmy Yuen Ho Wong 2018-07-09 17:15 ` Eli Zaretskii @ 2018-07-10 0:03 ` Perry E. Metzger 2 siblings, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-10 0:03 UTC (permalink / raw) To: Lars Ingebrigtsen Cc: Eli Zaretskii, Paul Eggert, Jimmy Yuen Ho Wong, rms, Emacs-Devel devel On Mon, 09 Jul 2018 15:43:43 +0200 Lars Ingebrigtsen <larsi@gnus.org> wrote: > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > I thought about this, but there's no standard that bans TLS 1.1, > > nor TLS client implementations that disabled it by default. > > Besides, all the problems TLS 1.1 has is already checked by the > > other checks. This reason I'm checking for TLS 1.0 is somewhat > > arbitrary, as all the problems it has is already checked by other > > checks too. So maybe even checking for 1.0 is already too strict, > > but PCI DSS does ban it, so... > > For those who don't understand security acronym soup, the latter > means "Payment Card Industry Data Security Standard". > > And I don't think that's the level we should be considering for > Emacs, even at the "high" level, because it's pretty... > excessive. Last time I checked. I deal with PCI compliance a lot. It's not excessive. It's in fact insufficient, but it's a nice minimum. More to the point, though, it's less than what many of the browser vendors are doing. -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 13:33 ` Jimmy Yuen Ho Wong 2018-07-09 13:43 ` Lars Ingebrigtsen @ 2018-07-10 0:02 ` Perry E. Metzger 1 sibling, 0 replies; 221+ messages in thread From: Perry E. Metzger @ 2018-07-10 0:02 UTC (permalink / raw) To: Jimmy Yuen Ho Wong Cc: Eli Zaretskii, Paul Eggert, Lars Ingebrigtsen, rms, Emacs-Devel devel On Mon, 9 Jul 2018 14:33:17 +0100 Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > > I see youʼre checking for TLS < 1.1. TLS 1.1 has its fair share of > > reported issues as well, perhaps we should check for < 1.2 (or we > > could put that on 'high). > > > > I thought about this, but there's no standard that bans TLS 1.1, nor > TLS client implementations that disabled it by default. Besides, all > the problems TLS 1.1 has is already checked by the other checks. > This reason I'm checking for TLS 1.0 is somewhat arbitrary, as all > the problems it has is already checked by other checks too. So > maybe even checking for 1.0 is already too strict, but PCI DSS does > ban it, so... Yes, this is the correct choice. 1.1 is too widely deployed. Not allowing 1.0 is quite reasonable, and it would be _nice_ to stop 1.1, but it would be too disruptive. We should do that only after the major browsers do the same. Perry -- Perry E. Metzger perry@piermont.com ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 8:16 ` Eli Zaretskii 2018-07-06 9:28 ` Robert Pluim @ 2018-07-06 13:03 ` Jimmy Yuen Ho Wong 2018-07-06 14:06 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-06 13:03 UTC (permalink / raw) To: Eli Zaretskii Cc: Paul Eggert, rms, Robert Pluim, Perry E. Metzger, Lars Ingebrigtsen, Emacs-Devel devel > >> Most of the checks are on `medium` level because of **secure by default** >> --------------------------------------------------------------------------------------------------- >> **Secure by default** is a mantra used by InfoSec professionals, in >> Emacs' lingo it means reasonable default settings. The reason 13 out >> of 17 checks in my branch are on `medium` level is *not* because I'm >> trying to mold NSM to such a way that its **security levels** are >> indistinguishable with **secury level**, but because most of those >> checks are RFC 7525's recommendation's for securely using TLS on the >> client. RFC 7525 is listed as BEST CURRENT PRACTICE by IETF in 2015. I >> have added a couple more checks to `medium` because things have >> evolved since 2015. The details for their inclusion are in the >> docstrings. >> >> As to `high`, those 3 checks ideally should be included in `medium` > > I'm still questioning how can this be TRT. Please remember that > 'medium' in Emacs really means 'minimum', because 'low' has no > security checks at all. How can it make sense to have _all_ the > checks on the _minimum_ level? (I say "all" because you clearly think > 'high' and 'paranoid' should be removed, and their checks, those which > make sense, moved into 'medium'.) > No, `low` verifies the certificate. That's always been the case, its just on master, they are separate from the protocol checks. In my branch, I have broken up the giant and separate `nsm-check-certificate` function and reimplemented it as 2 check functions in `nsm-tls-checks`. There's no distinction between certificate checks and protocol checks anymore, whatever that means originally. A check for a TLS connection is just that, a TLS check. As such, `medium` is not minimum, `medium` means default, i.e. verifies the cert + checking for unsafe TLS extensions and cipher suites. `high` is `low` + `medium` + checking for more unsafe cipher suites that are still widely deployed but warning you under most circumstances may produce excessive nagging (It's getting very rare these days tho, due to Google and Mozilla flexing their muscles, so to speak). > Suppose I work in Emacs on an internal secure network that is > physically disconnected from the Internet (many enterprises, including > my daytime job, have such stand-alone networks as a matter of > routine). Why would I need all the checks you propose on such a > network? OTOH, I don't want to go to 'low' (i.e. 'none') on such > networks, because who knows what viri and other calamities can be once > in a blue moon present on some of the machines on that network. > The answer to this question very much depends on how this intranet is setup to mirror the most current best practices for the wider internet. If they are close, as they should be, all you have to do is give your org's CA PEM file to `gnutls-trustfiles` and you are all set. If your org only relies on a physical separation, and does not deploy TLS internally, your connections either go through `nsm-check-plain-connection` in the case of SMTP/POP/IMAP, which does nothing unless a previous connection to your internal email server was done in a TLS connection, or not go through NSM at all. For anything between these 2 extremes, you can easily adjust the checks in the new defcustom that is `nsm-tls-checks`, which allows you to insert and delete individual cons' in the alist in Customize. Expanding the network security section in the manual to cover what these checks are and how to adjust them should help users in these orgs figure out what to do. > Same questions regarding a home network, separated from the outside > world by a firewall. > > Why shouldn't Emacs cater to such use cases? > Do you run your own CA and TLS servers at home? Do you use Google at home? If you answer no and yes, then the list of checks in my branch is designed specifically for you. > On the other end, there are legitimate use cases where users might > need to access sites and servers known in advance to be dangerous. > Why shouldn't Emacs provide a 'paranoid' set of settings for such use > cases? > If they know a site might be dangerous a priori and still decide to visit it, may be The Emacs Way is to treat them like adults? > The RFCs you cite and the vulnerabilities they describe should IMO be > carefully analyzed, in the context of typical Emacs jobs that require > network connections, and then we should grade them by their > importance, divide them into 3 or 4 meaningful classes (a.k.a. > "levels"), and let users change their settings in meaningful ways by > changing the level. Fine-grained settings should IMO also be > provided, but they cannot be the only solution that we offer our > users, precisely because not everyone has time to study each > individual feature, but they normally will have time to read a > description of 3 to 4 levels and decide which one is for them, > especially if we describe them in terms that are related to the > general environment rather than to specific vulnerabilities, similar > to how many laptops ask you to select whether the new connection is > for "home network", "enterprise", or "public network" -- that's > something that every user can normally answer. > I think it's good that you are trying to be thorough, but I think you are over-complicating the situation here. The answer to these situations can be found by doing what I call "The Google Test" - Do you use Google on this network? If yes, you need the checks in my branch. If no, adjust the checks in `nsm-tls-check` as you see fit. Read the manual to find out how. For weird enterprise networks, if you get a prompt, you can whitelist the intranet site by typing a for always, and you don't get a prompt the next time. I think this is a good balance between convenience and safety. Lars' good ideas hold up very well here. If a user wants more convenience, he can write a check function that distinguishes these network types you speak of. Let the thousand flowers bloom in the package ecosystem for these things. Emacs only needs to provide some hooks and a nice interface for them, which is NSM. >> Having said that, NSM currenly may prompt you many times if there is >> more than one security check failures, i.e. if your level is set to >> `high` and the server such as Google's is load balancing TLS >> connections with 2 or more certs with different fingerprints, and it's >> using SHA1 signatures, you will get 3 prompts. I have streamlined all >> of those in my branch so you only get prompted once for all the >> problems found. That's **more** convenience and "more" safety. You can >> have your cake and eat it too. > > These improvements are good (provided that they indeed work in > practice -- I will have to try them), but IMO they are not enough. > You assume each one of us has only one Emacs installation, with only > one HOME directory where settings are saved. But that is profoundly > not true: people have Emacs installed on several machines, with HOME > directories not necessarily shared. Emacs developers might very well > have several HOME directories on the same machine, for testing > purposes (I certainly have such setups and use them all the time). Tons of people already put their init files or the entire `user-directory` in a git repo and share them across installations. `nsm-settings-file` by default goes into your `user-directory`, they can very well put it into a git repo. > Last, but not least, "emacs -Q" will not save any settings nor use > previously set ones. > Not true. The settings NSM saves do not go into your init file or custom-file. They are by default saved in user-directory/network-settings.data, and NSM will use the settings saved there even during emacs -Q. > > If the 'paranoid' level doesn't do a useful job, it should be modified > to do a useful job. The decision whether we even need such a level > should IMO be one we take _after_ classifying the vulnerabilities and > their prevention measures, not before. It is quite possible we will > decide that we don't need such a level, but the fact it is not useful > today doesn't mean it cannot be useful. > TBH, while `low` may be useful once in a blue moon for testing purposes, I can't think of anything that can justify a `paranoid` level that is not better served by unplugging your network card. But do let me know if you can think of some. >> For STARTTLS, if the server does not support TLS, you will have gotten >> a prompt for using a plain connection already, so why the extra >> prompt? > > Does what you say cover Emacs built without TLS support, for example? > If I understand the code in `network-stream-open-starttls` correctly, you won't even be able to establish a connection if neither GnuTLS is linked into Emacs nor a `starttls-command` is available. >> Emacs is not (only) a browser, but that's a moot point >> ----------------------------------------------------------------------- >> Emacs' use base is diverse. People not only browse the Web with it, >> but read and reply to emails, browse newgroups, chat on >> IRC/Jabber/Slack, push code to Github etc., all of which require the >> network to be secured with TLS. While TLS is mostly used on the Web >> because of HTTPS, SSL/TLS has been mandatory for Gmail for many years >> now, Github also requires TLS for code push, and so do many chat >> servers. The way Emacs has deployed TLS either has a fault or it >> doesn't, it doesn't matter which protocol TLS is wrapping over. > > I don't see how your conclusion necessarily follows from the fact that > most or all protocols we use are secured with TLS. TLS is protocol agnostic protocol. If the way Emacs implements TLS has a vuln, the vuln will show up for all connections for all protocols when a user opens a network stream that requires TLS or STARTTLS. > Isn't it true that > some of the vulnerabilities are only or mainly specific to some > protocols or even some classes of servers? For the protocols TLS is wrapping, no. For servers, maybe. I'm quite certain that a lot of schools have woefully outdated TLS settings for SMTP/POP3/IMAP. For those types of servers, you may get a prompt from NSM per the default settings. But then again, you can easily whitelist the cert after visually verifying it. It's fire-and-forget, done once over the lifetime of the network-settings.data file type of deal. After that, NSM will protect you if you are served a different cert identified by its public key ID when connecting to a host previously visited. In such circumstances, you might be under an active MITM attack, hence the warning prompt again. All of the checks in `nsm-tls-checks` is there to prevent MITM, so if you are connecting to a server that NSM considers unsafe due to outdated TLS settings, giving you a warning is exactly the right thing to do as opposed to silently ignoring the problem by relaxing the constraints. > Is it really true that, > say, fetching and sending email on the one side, browsing s Web page > on the other, and chatting on the third, all bump into the same set of > risks? This is the kind of analysis I'd like to see before we make up > our minds what should be in 'medium'. Different application protocols contain different kinds of attack vectors, that's true. But those application-specific security measures are not the job of TLS. TLS stands for Transport Layer Security, it's primary jobs are verifying the identity of the server you are connecting to, ensuring the traffic to that server has not been tempered and keeping the traffic confidential, that is to say, only the client and the server can read the messages. TLS' primary function is to prevent MITM attacks, which contains passive attacks such as eave-dropping, or active attacks such as phising. Deploying TLS it's only one of the many security measures for an application. In addition to TLS, browser have Single-Origin-Policy, Content-Security-Policy, HTTP-Strict-Transport-Security and a whole host of other techniques to achieve defence-in-depth. Email clients typically employ spam-filters, heuristics to detect phising emails, blocking Javascripts and loading of tracking images. With that said, if we cannot secure the communication channel, all hopes are lost as a lot of things the attackers want by launching these application specific attacks are easily obtainable by intercepting your connection. > > (Btw, is Github relevant to the issue at hand? We access Git > repositories by invoking Git, we don't access them from Emacs > directly, AFAIK.) There are all kinds of github integration packages on Melpa. I think they tend to clone repos using HTTPS because it's permeable to firewalls. > >> `gnutls-min-prime-bits` should be `nil` on Emacs 26.2 > > As I already said, this will delay the release of Emacs 26.2 by many > moons. From my POV, doing so is not a good idea, as we already have > quite a few non-trivial bugfixes on the emacs-26 branch, but if no one > else is bothered, I'm fine with doing that. > > IOW, this is a project-management decision, not a security-related > decision. > This only requires deleting 2 lines of comments and s/256/nil, and perhaps say a few words in the docstring to let users know under what circumstances should they be adjusting `gnutls-min-prime-bits`. All of which takes 5 mins maximum. I guarantee you this will cause no problem whatsoever. If a user has customized `gnutls-min-prime-bits`, changing the default will have no visible effect to them. For those who haven't, it's a small step towards having Emacs's network security catching up to 2015. This is a super-low-hanging fruit. Users will applaud you if you do this for Emacs 26.2. > > IMO this is a mistake, and I urge you to reconsider. While there's no > need to follow up each code change on a scratch branch with a suitable > documentation change, I think we already have a lot of added turf to > document, and having at least that well documented will go a long way > towards the goal. It could even make this discussion more efficient > and more rational, since we would all be on the same page wrt the > issues being discussed, even though not all of us are experts on these > matters. > I'm beginning to think this is probably a good idea. > Thanks again for working on this. Thank you for your thoughtful responses! ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 13:03 ` Jimmy Yuen Ho Wong @ 2018-07-06 14:06 ` Eli Zaretskii 2018-07-06 21:24 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-06 14:06 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: eggert, rms, rpluim, perry, larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Fri, 6 Jul 2018 14:03:51 +0100 > Cc: rms@gnu.org, Lars Ingebrigtsen <larsi@gnus.org>, Paul Eggert <eggert@cs.ucla.edu>, > Emacs-Devel devel <emacs-devel@gnu.org>, "Perry E. Metzger" <perry@piermont.com>, > Robert Pluim <rpluim@gmail.com> > > No, `low` verifies the certificate. Thanks. I was looking at nsm.el, so I guess I missed that. Still, I'm asking whether it is appropriate to check only the certificate. Aren't there any other checks that would fit 'low'? > > Suppose I work in Emacs on an internal secure network that is > > physically disconnected from the Internet (many enterprises, including > > my daytime job, have such stand-alone networks as a matter of > > routine). Why would I need all the checks you propose on such a > > network? OTOH, I don't want to go to 'low' (i.e. 'none') on such > > networks, because who knows what viri and other calamities can be once > > in a blue moon present on some of the machines on that network. > > > > The answer to this question very much depends on how this intranet is > setup to mirror the most current best practices for the wider > internet. If they are close, as they should be, all you have to do is > give your org's CA PEM file to `gnutls-trustfiles` and you are all > set. I'm saying that it would be good to have a single setting in Emacs, ideally one of the security levels, that I could use in such environments, without being bothered about the details. > > Same questions regarding a home network, separated from the outside > > world by a firewall. > > > > Why shouldn't Emacs cater to such use cases? > > Do you run your own CA and TLS servers at home? Do you use Google at > home? If you answer no and yes, then the list of checks in my branch > is designed specifically for you. Sorry, I don't understand what that means in practice. Are you saying that on your branch Emacs doesn't by default distinguish between such home networks and public connections to Internet? If so, I don't think it's TRT. > > On the other end, there are legitimate use cases where users might > > need to access sites and servers known in advance to be dangerous. > > Why shouldn't Emacs provide a 'paranoid' set of settings for such use > > cases? > > If they know a site might be dangerous a priori and still decide to > visit it, may be The Emacs Way is to treat them like adults? There could be legitimate use cases for that. For example, testing nsm.el ;-) > I think it's good that you are trying to be thorough, but I think you > are over-complicating the situation here. I might agree with you, but not before we see the details of some of these "complications". > The answer to these > situations can be found by doing what I call "The Google Test" - > > Do you use Google on this network? If yes, you need the checks in my > branch. Can you explain how a single site can be used to decide on what checks are appropriate? > For weird enterprise networks, if you get a prompt, you can whitelist > the intranet site by typing a for always, and you don't get a prompt > the next time. See, I'm getting these prompts from Firefox too frequently, and I'd hate Emacs to do the same. Even if these prompts are shown only once for every such site. > If a user wants more convenience, he can write a check function that > distinguishes these network types you speak of. Let the thousand > flowers bloom in the package ecosystem for these things. Emacs only > needs to provide some hooks and a nice interface for them, which is > NSM. We are talking about the defaults, so let's not start about fancy customizations. Selecting a non-default security level should be the only customization pertinent to this discussion. > > Last, but not least, "emacs -Q" will not save any settings nor use > > previously set ones. > > Not true. The settings NSM saves do not go into your init file or > custom-file. They are by default saved in > user-directory/network-settings.data, and NSM will use the settings > saved there even during emacs -Q. Hmm... I would consider this a bug, as it means "emacs -Q" behaves differently on different systems and with different users. > TBH, while `low` may be useful once in a blue moon for testing > purposes, I can't think of anything that can justify a `paranoid` > level that is not better served by unplugging your network card. But > do let me know if you can think of some. Robert just did, see his post. > >> For STARTTLS, if the server does not support TLS, you will have gotten > >> a prompt for using a plain connection already, so why the extra > >> prompt? > > > > Does what you say cover Emacs built without TLS support, for example? > > > > If I understand the code in `network-stream-open-starttls` correctly, > you won't even be able to establish a connection if neither GnuTLS is > linked into Emacs nor a `starttls-command` is available. So we prompt for a plain connection when TLS is available, but unconditionally fail it when TLS isn't available? Does that make sense? > > I don't see how your conclusion necessarily follows from the fact that > > most or all protocols we use are secured with TLS. > > TLS is protocol agnostic protocol. If the way Emacs implements TLS has > a vuln, the vuln will show up for all connections for all protocols > when a user opens a network stream that requires TLS or STARTTLS. TLS is protocol agnostic, but vulnerabilities aren't, right? I mean, some of the vulnerabilities are more likely (or even only) met when using TLS with some protocols and not with others, right? > > Isn't it true that > > some of the vulnerabilities are only or mainly specific to some > > protocols or even some classes of servers? > > For the protocols TLS is wrapping, no. For servers, maybe. I'm quite > certain that a lot of schools have woefully outdated TLS settings for > SMTP/POP3/IMAP. For those types of servers, you may get a prompt from > NSM per the default settings. But then again, you can easily whitelist > the cert after visually verifying it. It's fire-and-forget, done once > over the lifetime of the network-settings.data file type of deal. > After that, NSM will protect you if you are served a different cert > identified by its public key ID when connecting to a host previously > visited. That might be "good enough", but I'm still not convinced that we cannot do better by default. > In such circumstances, you might be under an active MITM attack, > hence the warning prompt again. Yes, I might, but is it reasonable to have the defaults assume _everyone_ is _always_ under such an attack? I don't think so. > > Is it really true that, > > say, fetching and sending email on the one side, browsing s Web page > > on the other, and chatting on the third, all bump into the same set of > > risks? This is the kind of analysis I'd like to see before we make up > > our minds what should be in 'medium'. > > Different application protocols contain different kinds of attack > vectors, that's true. But those application-specific security measures > are not the job of TLS. The NSM is not only about TLS, it's about any network connection Emacs establishes. The security levels should not be only about TLS. > > (Btw, is Github relevant to the issue at hand? We access Git > > repositories by invoking Git, we don't access them from Emacs > > directly, AFAIK.) > > There are all kinds of github integration packages on Melpa. I think > they tend to clone repos using HTTPS because it's permeable to > firewalls. I'd be surprised if any of those packages used HTTPS to access Git repositories. They'd have to reinvent Git. > > As I already said, this will delay the release of Emacs 26.2 by many > > moons. From my POV, doing so is not a good idea, as we already have > > quite a few non-trivial bugfixes on the emacs-26 branch, but if no one > > else is bothered, I'm fine with doing that. > > > > IOW, this is a project-management decision, not a security-related > > decision. > > This only requires deleting 2 lines of comments and s/256/nil, and > perhaps say a few words in the docstring to let users know under what > circumstances should they be adjusting `gnutls-min-prime-bits`. I didn't say the change is complex. What bothers me is entirely different effects this change could have. > I guarantee you this will cause no problem whatsoever. Sorry, I cannot accept such guarantees. I have too much gray hair. > Users will applaud you if you do this for Emacs 26.2. Been there, done that, can show the scars. > > IMO this is a mistake, and I urge you to reconsider. While there's no > > need to follow up each code change on a scratch branch with a suitable > > documentation change, I think we already have a lot of added turf to > > document, and having at least that well documented will go a long way > > towards the goal. It could even make this discussion more efficient > > and more rational, since we would all be on the same page wrt the > > issues being discussed, even though not all of us are experts on these > > matters. > > > > I'm beginning to think this is probably a good idea. Thanks in advance. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 14:06 ` Eli Zaretskii @ 2018-07-06 21:24 ` Jimmy Yuen Ho Wong 2018-07-07 7:55 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-06 21:24 UTC (permalink / raw) To: Eli Zaretskii Cc: Paul Eggert, rms, Robert Pluim, Perry E. Metzger, Lars Ingebrigtsen, Emacs-Devel devel > > Still, I'm asking whether it is appropriate to check only the > certificate. Aren't there any other checks that would fit 'low'? > Been waiting for you to say that :) In https://github.com/wyuenho/emacs/commit/35d720eceef5c9b1dc0553b7d2235bbb079b0036 , I've used Snowden as an epoch, and separated the checks known to be necessary before Snowden, the response post-Snowden, and preparations standard bodies and browser vendors do to prepare for TLS 1.3. The count is now 10 lows, 13 mediums (10 low + 3), and 17 highs (13 mediums + 4). >> > Suppose I work in Emacs on an internal secure network that is >> > physically disconnected from the Internet (many enterprises, including >> > my daytime job, have such stand-alone networks as a matter of >> > routine). Why would I need all the checks you propose on such a >> > network? OTOH, I don't want to go to 'low' (i.e. 'none') on such >> > networks, because who knows what viri and other calamities can be once >> > in a blue moon present on some of the machines on that network. >> > >> >> The answer to this question very much depends on how this intranet is >> setup to mirror the most current best practices for the wider >> internet. If they are close, as they should be, all you have to do is >> give your org's CA PEM file to `gnutls-trustfiles` and you are all >> set. > > I'm saying that it would be good to have a single setting in Emacs, > ideally one of the security levels, that I could use in such > environments, without being bothered about the details. > >> > Same questions regarding a home network, separated from the outside >> > world by a firewall. >> > >> > Why shouldn't Emacs cater to such use cases? >> >> Do you run your own CA and TLS servers at home? Do you use Google at >> home? If you answer no and yes, then the list of checks in my branch >> is designed specifically for you. > > Sorry, I don't understand what that means in practice. Are you saying > that on your branch Emacs doesn't by default distinguish between such > home networks and public connections to Internet? If so, I don't > think it's TRT. > Alright... I cave. I see what you want now, you want an escape hatch for implicitly trusted network hosts. I'll make you a deal, if you can give me cross-platform C DEFUNs of getifaddr(3), getaddrinfo(3) and getnameinfo(3), I'll give you a `nsm-trust-local-network` boolean. If `nsm-trust-local-network` is non-nil, or a function that returns non-nil when `nsm-trust-local-network` is read, connecting to such hosts via TLS will be whitelisted automatically in memory. The docstring should say use this at your own risk. This should smooth out your home network situations, and like-wise for corporate intranets. >> If I understand the code in `network-stream-open-starttls` correctly, >> you won't even be able to establish a connection if neither GnuTLS is >> linked into Emacs nor a `starttls-command` is available. > > So we prompt for a plain connection when TLS is available, but > unconditionally fail it when TLS isn't available? Does that make > sense? > You only land on the `network-stream-open-starttls` code path when you request :type 'starttls, I think this makes sense. This also is the approach recommended by RFC 2595, 3207 and 7425. The only protocols in Emacs that request STARTTLS, AFAIK, is IMAP, SMTP, POP3 and NNIP. I'm not sure if there are defcustoms in these packages that decides whether to terminate the connection if STARTTLS is not possible. Regardless, RFC 8314, fresh out of the oven in Jan this year demands Email related protocols to require TLS implicitly. STARTTLS will soon be obsolete anyway. > TLS is protocol agnostic, but vulnerabilities aren't, right? I mean, > some of the vulnerabilities are more likely (or even only) met when > using TLS with some protocols and not with others, right? > Most of the CAPITAL LETTER cute name vulns you can Google are targeted towards TLS, but demostrated with HTTP, but that doesn't mean their effects only are only limited to HTTPS. They are simply demostrated with HTTP so people can get a better sense of their severity as it's the most well-known protocol out there. The only instance of a cross protocol attack that only targets a specific application protocol that I'm aware of is an instance of CRIME called BREACH, of which there's no known effective countermeasure. There are however, plenty of implementation-specific vulns that do not apply to Emacs and GnuTLS. You may have heard of them. (*cough* Heartbleed *cough* gotofail *cough*) None of the checks I've thrown in are mitigations for OpenSSL implementation faults of targeted towards specific application protocols. They apply to ALL TLS connections. > >> In such circumstances, you might be under an active MITM attack, >> hence the warning prompt again. > > Yes, I might, but is it reasonable to have the defaults assume > _everyone_ is _always_ under such an attack? I don't think so. > I said you *might be*, and that's what the warning is about. Emacs can't decide for the user under such circumstances. No one ever said anything about assuming everyone is always under attack, we are saying user are exposed to these attacks, if you don't have these checks. These attacks may or may not be happening when you connect to a server, but you can certainly detect them or prevent them by using a combination of automated checks and human intervention. > > The NSM is not only about TLS, it's about any network connection Emacs > establishes. The security levels should not be only about TLS. > But it is only about TLS. Do you really want Emacs to prompt you when you are browsing http://www.some-random-guy.com/blog ? Browsers can do with a green padlock, the best Emacs can do is bleep out a message in the echo area or put a Unicode padlock in the mode line. But this is too application specific, it's best done in EWW or whatever. > > I'd be surprised if any of those packages used HTTPS to access Git > repositories. They'd have to reinvent Git. > They use Github's RESTful API to login, and clone the repo with `shell-command`. You can file issues and submit PRs on Github using Emacs too. > > I didn't say the change is complex. What bothers me is entirely > different effects this change could have. > >> I guarantee you this will cause no problem whatsoever. > > Sorry, I cannot accept such guarantees. I have too much gray hair. > >> Users will applaud you if you do this for Emacs 26.2. > > Been there, done that, can show the scars. > Oh ye faithful disciple of the religion of Murphy's Law, may your hair show youthful color again by changing Emacs' release process to a Continuous Integration and Delivery process. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 21:24 ` Jimmy Yuen Ho Wong @ 2018-07-07 7:55 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-07 7:55 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: eggert, rms, rpluim, perry, larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Fri, 6 Jul 2018 22:24:51 +0100 > Cc: rms@gnu.org, Lars Ingebrigtsen <larsi@gnus.org>, Paul Eggert <eggert@cs.ucla.edu>, > Emacs-Devel devel <emacs-devel@gnu.org>, "Perry E. Metzger" <perry@piermont.com>, > Robert Pluim <rpluim@gmail.com> > > > Still, I'm asking whether it is appropriate to check only the > > certificate. Aren't there any other checks that would fit 'low'? > > > > Been waiting for you to say that :) > > In https://github.com/wyuenho/emacs/commit/35d720eceef5c9b1dc0553b7d2235bbb079b0036 > , I've used Snowden as an epoch, and separated the checks known to be > necessary before Snowden, the response post-Snowden, and preparations > standard bodies and browser vendors do to prepare for TLS 1.3. The > count is now 10 lows, 13 mediums (10 low + 3), and 17 highs (13 > mediums + 4). Thanks, I think this is a good change. > Alright... I cave. I see what you want now, you want an escape hatch > for implicitly trusted network hosts. I'll make you a deal, if you can > give me cross-platform C DEFUNs of getifaddr(3), getaddrinfo(3) and > getnameinfo(3), I'll give you a `nsm-trust-local-network` boolean. If > `nsm-trust-local-network` is non-nil, or a function that returns > non-nil when `nsm-trust-local-network` is read, connecting to such > hosts via TLS will be whitelisted automatically in memory. The > docstring should say use this at your own risk. This should smooth out > your home network situations, and like-wise for corporate intranets. Do network-interface-list and/or network-interface-info fit the bill? If not, what's missing? Thanks for the other points, I will have to dwell on them before I make up my mind. > Oh ye faithful disciple of the religion of Murphy's Law, may your hair > show youthful color again by changing Emacs' release process to a > Continuous Integration and Delivery process. Hear, hear! ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 6:42 ` Jimmy Yuen Ho Wong 2018-07-06 8:16 ` Eli Zaretskii @ 2018-07-08 14:06 ` Lars Ingebrigtsen 2018-07-08 14:54 ` Jimmy Yuen Ho Wong 2018-07-08 14:55 ` Eli Zaretskii 1 sibling, 2 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 14:06 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Emacs-Devel devel Geez! So many emails in this thread all of a sudden... I think it sounds like Jimmy is very much on the right track, so that's great. (I haven't actually looked at the code yet.) Batching up the warnings so you don't get double-prompting sounds very nice, for instance, and handling the certificate things and the encryption primitives warnings in "one batch" sounds good. But here's some comments after reading all the 5000 messages in this thread: 1) I don't think the `paranoid' setting is security theatre. It's not a useful setting for general browsing, but if your use case is that you only use Emacs for, say, talking with your IMAP server, and that's it, and you're worried that you may somehow end up talking with the wrong server, and you're, er, paranoid (perhaps with good reason), then that's the setting for you. But, yes, as Eli says, `paranoid' should perhaps do more for non-TLS connections. The question is "what", though, because there's no fingerprint (beyond the host/port number) that we can use to verify that a non-TLS connection is to a previously seen host. 2) The `gnutls-min-prime-bits' documentation is unclear: --- This function sets the number of bits, for use in a Diffie-Hellman key exchange. This is used both in DH ephemeral and DH anonymous cipher suites. This will set the minimum size of the prime that will be used for the handshake. In the client side it sets the minimum accepted number of bits. --- I thought that it set the minimum number of bits (like it says in the last sentence), but it would use however many bits the server allows. The first sentence seems to contradict this, and that this sets an upper as well as lower bound on the number of bits, which is pretty horrific, if that's the case... But I don't think it is, because I get ":diffie-hellman-prime-bits 2047" when connecting to a DH host. So there's no need to worry about the `gnutls-min-prime-bits' setting. The NSM handles the problem. 3) emacs -Q should ignore the NSM settings (and not save anything) Other than that, I'm just waiting for Jimmy's code to show up in an Emacs branch, and I'll probably have more comments. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:06 ` Lars Ingebrigtsen @ 2018-07-08 14:54 ` Jimmy Yuen Ho Wong 2018-07-08 15:13 ` Lars Ingebrigtsen 2018-07-08 14:55 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 14:54 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Emacs-Devel devel > > 1) I don't think the `paranoid' setting is security theatre. It's not a > useful setting for general browsing, but if your use case is that you > only use Emacs for, say, talking with your IMAP server, and that's it, > and you're worried that you may somehow end up talking with the wrong > server, and you're, er, paranoid (perhaps with good reason), then > that's the setting for you. > I still haven't heard of a "good reason" yet. If the checks are complete on the 'high level (i.e. checks for all known problems, including checking your cert for revocations with OCSP+CT+CRL, use of interceptable static RSA key exchange...), it would require some sort of zero-day to forge a cert. Honestly if you are in that kind of hostile environment, using Emacs to check your email directly without connecting to a VPN first is an absolutely horrible idea. If you are in that kind of environment, you would know it. > But, yes, as Eli says, `paranoid' should perhaps do more for non-TLS > connections. The question is "what", though, because there's no > fingerprint (beyond the host/port number) that we can use to verify > that a non-TLS connection is to a previously seen host. > Exactly. NSM can only warn you if you are establishing a cleartext connection, nothing else can be done. > > I thought that it set the minimum number of bits (like it says in the > last sentence), but it would use however many bits the server allows. > The first sentence seems to contradict this, and that this sets an > upper as well as lower bound on the number of bits, which is pretty > horrific, if that's the case... But I don't think it is, because > I get ":diffie-hellman-prime-bits 2047" when connecting to a DH host. > That's true, but there's still no reason to default `gnutls-min-prime-bits` to 256. If that's the default, presumably checking for DH prime bits > 1024 is a bug as NSM should let 256-bit DH prime go through. BTW, this bahavior pretty much we can default `gnutls-min-prime-bits` to nil with no problem at all as we haven't seen any bug complaining about NSM checking for DH prime bits > 1024 being too strict. I would suggest we move the defcustom groups of all GnuTLS options to NSM again to avoid further confusion. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:54 ` Jimmy Yuen Ho Wong @ 2018-07-08 15:13 ` Lars Ingebrigtsen 2018-07-08 16:56 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 15:13 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > I still haven't heard of a "good reason" yet. It's been stated in this thread that somebody uses it and finds it useful, and I think that's sufficient. >> But, yes, as Eli says, `paranoid' should perhaps do more for non-TLS >> connections. The question is "what", though, because there's no >> fingerprint (beyond the host/port number) that we can use to verify >> that a non-TLS connection is to a previously seen host. > > Exactly. NSM can only warn you if you are establishing a cleartext > connection, nothing else can be done. Well... It could just do the host/port number thing and say "you've never connected to this host before". It's not much (considering how easy it is to spoof DNS), but it's not nothing either. > That's true, but there's still no reason to default > `gnutls-min-prime-bits` to 256. If that's the default, presumably > checking for DH prime bits > 1024 is a bug as NSM should let 256-bit > DH prime go through. No? We let gnutls always establish the connection, no matter how sucky, and then we ask the user about it. That's the whole idea behind the NSM. And setting gnutls-min-prime-bits to 256 has no adverse effects, since (contrary to what you've said several times in this thread), the TLS connection will use as many prime bits that the server offers, apparently. > BTW, this bahavior pretty much we can default `gnutls-min-prime-bits` > to nil with no problem at all as we haven't seen any bug complaining > about NSM checking for DH prime bits > 1024 being too strict. I don't think we would get a bug report for that. People deal with "broken" web site TLS all the time, and there'll be an abundance of them over the next years. That's what the NSM is for, and that's not something users will complain about. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 15:13 ` Lars Ingebrigtsen @ 2018-07-08 16:56 ` Jimmy Yuen Ho Wong 2018-07-08 17:06 ` Paul Eggert ` (2 more replies) 0 siblings, 3 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 16:56 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Emacs-Devel devel On Sun, Jul 8, 2018 at 4:13 PM Lars Ingebrigtsen <larsi@gnus.org> wrote: > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > I still haven't heard of a "good reason" yet. > > It's been stated in this thread that somebody uses it and finds it > useful, and I think that's sufficient. > Anybody will find anything useful, that's not a sufficient reason to throw everything into Emacs, especially when it comes to security. Finding it "useful" without any reason it's like saying oh this theatrics makes me feel safer. But are you really? I would remind you about "security fatigue" again. Also, for people who are not well-education in security matters, `paranoid gives them a false sense of security, where in fact it does nothing more than checking if you've visiting a site before. Why would having visited a site before make me safer? Allow me to quote myself: "Why is attempting to securely connect to a server by using a protocol that will authenticate it a cause for concern? Connecting to a server via TLS does not mean the user start transmitting confidential data immediately. That act comes when you sign up or log in. That's not TLS's job. For STARTTLS, if the server does not support TLS, you will have gotten a prompt for using a plain connection already, so why the extra prompt? Does it not give the user a false sense of more security? Will it mislead some innocent user to belive every host can be trusted under `paranoid` level? If the answer to the last 2 questions were yes, I believe removing `paranoid` and its check is the right thing to do, even if only for the sake of giving the right expectation." Offering an extra paranoid level cause more misunderstanding than anything else. Bad UI is also a major cause of insecurity. You can take it from a guy who used to work on the front-end at Cloudflare. > > That's true, but there's still no reason to default > > `gnutls-min-prime-bits` to 256. If that's the default, presumably > > checking for DH prime bits > 1024 is a bug as NSM should let 256-bit > > DH prime go through. > > No? We let gnutls always establish the connection, no matter how sucky, > and then we ask the user about it. That's the whole idea behind the > NSM. > No we don't let GnuTLS always establish the connection. We don't set the priority string to the lowest level possible, i.e. "LEGACY". Are you suggesting you want to do that? The precedence has been set that we don't allow every GnuTLS connection to go through, therefore, your ideal with letting NSM handle all kinds of network security issues in Emacs is invalid. > And setting gnutls-min-prime-bits to 256 has no adverse effects, since > (contrary to what you've said several times in this thread), the TLS > connection will use as many prime bits that the server offers, > apparently. > The adverse effect is, there is no way to explain this clearly to a user WTF is going on without confusing the hack out of people. The choice option with a "Default" :tag in the defcustom already says nil is the default, just the standard value isn't. This is already a contradiction. Think about this: If I'm connecting to a server that will only offer 256-bit prime, and I've set `gnutls-min-prime-bits` to 256, min means lower bound, what exactly do I mean? Setting `gnutls-min-prime-bits` to 256 as the standard value suggests to me that Emacs' network security level is so relaxed that a TLS connection with a DH prime 256-bits should go through, but in reality NSM still warns. This yet again contradicts the intention of the standard value. If the intention is to warn about prime-bit < 1024 bits, `gnutls-min-prime-bits` should not be 256, otherwise NSM should not warn. Just switch it back to `nil` and let GnuTLS do the right thing according to the priority string for crying out loud. This also has no adverse effect. I don't know why I have to keep arguing this issue. The right decision is clear as day. There is absolutely no reason to set it to 256 by default in 2018. According to SSLLab's SSLPulse report, there's exactly 0 server demanding DH < 512 bits. If you absolutely need DH < 512 bits due to some weird corporate network setup, there will be a new knob called `nsm-trust-local-network`. Otherwise you can set it to 256 manually. Defaulting it to 256 was never a good idea. If you are thinking about renaming the "Default" tag in `gnutls-min-prime-bits` 's defcustom, don't. I will start doubting whether you are doing this under good faith. Please do not make figuring out how to tune Emacs' network security setting more confusing than it is already. > > I don't think we would get a bug report for that. People deal with > "broken" web site TLS all the time, and there'll be an abundance of them > over the next years. That's what the NSM is for, and that's not > something users will complain about. > Assuming people understand what the hell NSM is doing. Given the Reddit thread and this thread, do you think people understand? One of the goals when designing NSM should be to warning only when it's appropriate to avoid security fatigue. No more, no less. That doesn't sound like what you have in mind. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 16:56 ` Jimmy Yuen Ho Wong @ 2018-07-08 17:06 ` Paul Eggert 2018-07-08 17:25 ` Jimmy Yuen Ho Wong 2018-07-08 22:56 ` Richard Stallman 2018-07-08 17:47 ` Lars Ingebrigtsen 2018-07-08 17:53 ` Eli Zaretskii 2 siblings, 2 replies; 221+ messages in thread From: Paul Eggert @ 2018-07-08 17:06 UTC (permalink / raw) To: Jimmy Yuen Ho Wong, Lars Ingebrigtsen; +Cc: Emacs-Devel devel Jimmy Yuen Ho Wong wrote: > If you are thinking about renaming the "Default" tag in > `gnutls-min-prime-bits` 's defcustom, don't. I will start doubting > whether you are doing this under good faith There's no need to be using ad hominem language like that. Assume that we are miscommunicating, as this is the obvious and most likely explanation for the behavior you're observing. Indulging in attacks will make your efforts less likely to succeed. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 17:06 ` Paul Eggert @ 2018-07-08 17:25 ` Jimmy Yuen Ho Wong 2018-07-08 17:53 ` Lars Ingebrigtsen 2018-07-08 22:56 ` Richard Stallman 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 17:25 UTC (permalink / raw) To: Paul Eggert; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Sun, Jul 8, 2018 at 6:06 PM Paul Eggert <eggert@cs.ucla.edu> wrote: > > Jimmy Yuen Ho Wong wrote: > > If you are thinking about renaming the "Default" tag in > > `gnutls-min-prime-bits` 's defcustom, don't. I will start doubting > > whether you are doing this under good faith > > There's no need to be using ad hominem language like that. Assume that we are > miscommunicating, as this is the obvious and most likely explanation for the > behavior you're observing. Indulging in attacks will make your efforts less > likely to succeed. I have been quite lenient to everyone as I'm trying to figure a lot of things myself. But sometimes, when there's clearly no good reason to do a something, but still insisting on doing it, especially when it comes to security matters, you have to resolve to the last resort, which is start doubting whether you are dealing with a friend or an adversary. I would urge a little less stubborness in changing some of the defaults. If I've given the impression that setting `gnutls-min-prime-bits` to 256 will make the connection to use a 256 bit prime, I apologize. I don't think I have done that since the very beginning of this thread, but I haven't clarified myself enough, here's my sincere apology. I only believe this is a UI issue, which may have some security consequences. The last thing I would suggest to Lars is, `gnutls-verify-error` will effectively bypass NSM, so please don't pretend NSM is the be-all and end-all layer for all matters related to Emacs' network security. It's not, not until you consent to removing or changing some of the standard values of the defcustoms in the 'gnutls group, or better yet. Merge NSM and GnuTLS together, and rename some of the `gnutls group's options. i.e. (define-obsolete-variable-alias 'gnutls-verify-error 'nsm-bypass' "27.1"). Better UI/UX/DX design is almost always more preferrable than documentation. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 17:25 ` Jimmy Yuen Ho Wong @ 2018-07-08 17:53 ` Lars Ingebrigtsen 2018-07-08 18:54 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 17:53 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Paul Eggert, Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > The last thing I would suggest to Lars is, `gnutls-verify-error` will > effectively bypass NSM, so please don't pretend NSM is the be-all and > end-all layer for all matters related to Emacs' network security. It's > not, not until you consent to removing or changing some of the > standard values of the defcustoms in the 'gnutls group, or better yet. > Merge NSM and GnuTLS together, and rename some of the `gnutls group's > options. i.e. (define-obsolete-variable-alias 'gnutls-verify-error > 'nsm-bypass' "27.1"). Better UI/UX/DX design is almost always more > preferrable than documentation. Some people want these checks on the TLS level, and that's why those checks exist. It's perfectly reasonable for a user with a specific need (for instance, to talk to a particularly ornery old private SSL 0.9 server) to use the gnutls functions and variables directly when implementing their solution. That's why these things are layered. gnutls is a low-level library that allows tweaking certain things about the connections it provides. The NSM is a high-level user facing library. Merging the two doesn't seem to make much sense. Both here and in other places in this thread you seem to fixate on the particular use cases you're interested in to the extent that you say that other use cases are wrong, somehow. People have different needs and different approaches, and Emacs should empower them to get their work done, and not pressure them into doing it the way we think they should do it. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 17:53 ` Lars Ingebrigtsen @ 2018-07-08 18:54 ` Jimmy Yuen Ho Wong 2018-07-08 19:30 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 18:54 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Paul Eggert, Emacs-Devel devel > > Some people want these checks on the TLS level, and that's why those > checks exist. It's perfectly reasonable for a user with a specific need > (for instance, to talk to a particularly ornery old private SSL 0.9 > server) to use the gnutls functions and variables directly when > implementing their solution. > It's not about what they want, but about what to give them so they can accomplish what they want to do without getting confused by the contradictary docs, and reading the source code. The pretense of NSM taking care of all network security matters does not match the reality. And from the sense I get, there's no intention to turn that ideal into reality either. Nobody is talking about taking away functionality here. You can remove/replace/rename/change things and still provide equivalent functionality. > That's why these things are layered. gnutls is a low-level library that > allows tweaking certain things about the connections it provides. > > The NSM is a high-level user facing library. Merging the two doesn't > seem to make much sense. > > Both here and in other places in this thread you seem to fixate on the > particular use cases you're interested in to the extent that you say > that other use cases are wrong, somehow. People have different needs > and different approaches, and Emacs should empower them to get their > work done, and not pressure them into doing it the way we think they > should do it. > We are talking about what should be the defaults here, as I've said in that giant email a couple of days ago, you can have both reasonable OTTB settings and freedom. If you haven't read it, I urge you to. How about this, I'll be satisfied if we append :group 'nsm on the gnutls defcustoms, so they show up on both the gnutls customize group **and** nsm, and document in the docstrings the effects to NSM checks if you mess with these GnuTLS settings? This doesn't sound too drastic and saves users from having to dig around 2 different places or resolve to trial and error to figure out there interactions. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:54 ` Jimmy Yuen Ho Wong @ 2018-07-08 19:30 ` Lars Ingebrigtsen 2018-07-08 19:32 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 19:30 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Paul Eggert, Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > How about this, I'll be satisfied if we append :group 'nsm on the > gnutls defcustoms, so they show up on both the gnutls customize group > **and** nsm, and document in the docstrings the effects to NSM checks > if you mess with these GnuTLS settings? All the doc strings of the gnutls variables mention the NSM now. (After I remembered to push the changes to the emacs-26 branch that I wrote a couple of weeks ago. :-)) -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 19:30 ` Lars Ingebrigtsen @ 2018-07-08 19:32 ` Jimmy Yuen Ho Wong 0 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 19:32 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Paul Eggert, Emacs-Devel devel On Sun, Jul 8, 2018 at 8:30 PM Lars Ingebrigtsen <larsi@gnus.org> wrote: > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > How about this, I'll be satisfied if we append :group 'nsm on the > > gnutls defcustoms, so they show up on both the gnutls customize group > > **and** nsm, and document in the docstrings the effects to NSM checks > > if you mess with these GnuTLS settings? > > All the doc strings of the gnutls variables mention the NSM now. (After > I remembered to push the changes to the emacs-26 branch that I wrote a > couple of weeks ago. :-)) > Nope, you are mistaken. Check again :) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 17:06 ` Paul Eggert 2018-07-08 17:25 ` Jimmy Yuen Ho Wong @ 2018-07-08 22:56 ` Richard Stallman 1 sibling, 0 replies; 221+ messages in thread From: Richard Stallman @ 2018-07-08 22:56 UTC (permalink / raw) To: Paul Eggert; +Cc: larsi, wyuenho, emacs-devel [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > There's no need to be using ad hominem language like that. Assume that we are > miscommunicating, as this is the obvious and most likely explanation for the > behavior you're observing. Indulging in attacks will make your efforts less > likely to succeed. Thank you for reminding us of this. I am sure everyone in this discussion sincerely wants Emacs to do the best thing for users. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 16:56 ` Jimmy Yuen Ho Wong 2018-07-08 17:06 ` Paul Eggert @ 2018-07-08 17:47 ` Lars Ingebrigtsen 2018-07-08 18:10 ` Eli Zaretskii 2018-07-08 18:31 ` Jimmy Yuen Ho Wong 2018-07-08 17:53 ` Eli Zaretskii 2 siblings, 2 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 17:47 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > No we don't let GnuTLS always establish the connection. We don't set > the priority string to the lowest level possible, i.e. "LEGACY". Are > you suggesting you want to do that? That's my preference, but others don't agree. And it's basically a moot point, since there are virtually no (legitimate real-world) connections that fall between the nil and "LEGACY" settings of `gnutls-algorithm-priority'. > Setting `gnutls-min-prime-bits` to 256 as the standard value suggests > to me that Emacs' network security level is so relaxed that a TLS > connection with a DH prime 256-bits should go through, but in reality > NSM still warns. This yet again contradicts the intention of the > standard value. If the intention is to warn about prime-bit < 1024 > bits, `gnutls-min-prime-bits` should not be 256, otherwise NSM should > not warn. > > Just switch it back to `nil` and let GnuTLS do the right thing > according to the priority string for crying out loud. This also has no > adverse effect. I don't understand what you're saying here. We've chosen 256 since that's the way to say "don't stop any connections on the gnutls level because of this stuff". nil currently means 1008 bits, if I read the docs right. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 17:47 ` Lars Ingebrigtsen @ 2018-07-08 18:10 ` Eli Zaretskii 2018-07-08 18:12 ` Jimmy Yuen Ho Wong 2018-07-08 18:31 ` Jimmy Yuen Ho Wong 1 sibling, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 18:10 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Date: Sun, 08 Jul 2018 19:47:35 +0200 > Cc: Emacs-Devel devel <emacs-devel@gnu.org> > > nil currently means 1008 bits, if I read the docs right. Can you tell where in the docs you see this? Also, isn't this GnuTLS version-dependent? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:10 ` Eli Zaretskii @ 2018-07-08 18:12 ` Jimmy Yuen Ho Wong 2018-07-08 18:26 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 18:12 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel It is version dependent, it's buried deep in the NEW files. https://gitlab.com/gnutls/gnutls/blob/master/NEWS On Sun, Jul 8, 2018 at 7:11 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Lars Ingebrigtsen <larsi@gnus.org> > > Date: Sun, 08 Jul 2018 19:47:35 +0200 > > Cc: Emacs-Devel devel <emacs-devel@gnu.org> > > > > nil currently means 1008 bits, if I read the docs right. > > Can you tell where in the docs you see this? > > Also, isn't this GnuTLS version-dependent? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:12 ` Jimmy Yuen Ho Wong @ 2018-07-08 18:26 ` Eli Zaretskii 2018-07-08 18:39 ` Lars Ingebrigtsen 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 18:26 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sun, 8 Jul 2018 19:12:21 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > It is version dependent, it's buried deep in the NEW files. > > https://gitlab.com/gnutls/gnutls/blob/master/NEWS Thanks. According to that, it's 1008 since GnuTLS 3.3.0. Perhaps we should tell that in the doc string of gnutls-min-prime-bits, or at least in a comment there. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:26 ` Eli Zaretskii @ 2018-07-08 18:39 ` Lars Ingebrigtsen 2018-07-08 18:53 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 18:39 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Jimmy Yuen Ho Wong, emacs-devel Eli Zaretskii <eliz@gnu.org> writes: > Thanks. According to that, it's 1008 since GnuTLS 3.3.0. Perhaps we > should tell that in the doc string of gnutls-min-prime-bits, or at > least in a comment there. Yeah, but since it varies from GnuTLS release to release, we'd have to keep updating it. And not everybody is uses the same release, anyway, so I think it's better just to not say anything. Or just "what nil means depends on the GnuTLS version". Users aren't supposed to care about that variable, anyway, since the NSM warns about less than 1024 bits... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:39 ` Lars Ingebrigtsen @ 2018-07-08 18:53 ` Eli Zaretskii 2018-07-08 19:22 ` Jimmy Yuen Ho Wong ` (2 more replies) 0 siblings, 3 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 18:53 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: Jimmy Yuen Ho Wong <wyuenho@gmail.com>, emacs-devel@gnu.org > Date: Sun, 08 Jul 2018 20:39:30 +0200 > > Eli Zaretskii <eliz@gnu.org> writes: > > > Thanks. According to that, it's 1008 since GnuTLS 3.3.0. Perhaps we > > should tell that in the doc string of gnutls-min-prime-bits, or at > > least in a comment there. > > Yeah, but since it varies from GnuTLS release to release, we'd have to > keep updating it. Yes, that's unfortunate. But if the value doesn't change too frequently (as it seems, since 3.3.0 was what? 4 years ago?), maybe it isn't a catastrophe. > so I think it's better just to not say anything. Or just "what nil > means depends on the GnuTLS version". Problem is, I cannot find this number in the GnuTLS documentation, either. Maybe I'm blind; but if not, it means our users have no reasonable way of knowing how many bits they are using, and that is not good, IMO. > Users aren't supposed to care about that variable, anyway, since the NSM > warns about less than 1024 bits... Yes, but what if GnuTLS bumps the default to more than that? And even if not, I think I might like to know how far below 1024 I'm going to be if I allow the connection. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:53 ` Eli Zaretskii @ 2018-07-08 19:22 ` Jimmy Yuen Ho Wong 2018-07-09 16:57 ` Eli Zaretskii 2018-07-08 19:28 ` Lars Ingebrigtsen 2018-07-09 15:29 ` Jimmy Yuen Ho Wong 2 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 19:22 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel > > so I think it's better just to not say anything. Or just "what nil > > means depends on the GnuTLS version". > > Problem is, I cannot find this number in the GnuTLS documentation, > either. Maybe I'm blind; but if not, it means our users have no > reasonable way of knowing how many bits they are using, and that is > not good, IMO. > It's not in the documentation, it's in the src/gnutls.c line 1834-1835. It's also in the docstring of `gnutls-min-prime-bits`. > > Users aren't supposed to care about that variable, anyway, since the NSM > > warns about less than 1024 bits... > > Yes, but what if GnuTLS bumps the default to more than that? And even > if not, I think I might like to know how far below 1024 I'm going to > be if I allow the connection. See my other email for a way out of this. Once you've caught GNUTLS_E_DH_PRIME_UNACCEPTABLE, you can still call gnutls_dh_get_prime_bits to get the prime bits the server sends back out. I think this is already done, we just need to catch GNUTLS_E_DH_PRIME_UNACCEPTABLE so gnutls_verify_boot doesn't immediately return. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 19:22 ` Jimmy Yuen Ho Wong @ 2018-07-09 16:57 ` Eli Zaretskii 2018-07-09 17:17 ` Jimmy Yuen Ho Wong 2018-07-09 17:36 ` Jimmy Yuen Ho Wong 0 siblings, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-09 16:57 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sun, 8 Jul 2018 20:22:54 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > Problem is, I cannot find this number in the GnuTLS documentation, > > either. Maybe I'm blind; but if not, it means our users have no > > reasonable way of knowing how many bits they are using, and that is > > not good, IMO. > > It's not in the documentation, it's in the src/gnutls.c line > 1834-1835. It's also in the docstring of `gnutls-min-prime-bits`. Are you talking about the master branch of the Emacs repository? If so, I must be blind, because I don't see 1008 anywhere around those places. > > > Users aren't supposed to care about that variable, anyway, since the NSM > > > warns about less than 1024 bits... > > > > Yes, but what if GnuTLS bumps the default to more than that? And even > > if not, I think I might like to know how far below 1024 I'm going to > > be if I allow the connection. > > See my other email for a way out of this. Once you've caught > GNUTLS_E_DH_PRIME_UNACCEPTABLE, you can still call > gnutls_dh_get_prime_bits to get the prime bits the server sends back > out. I think this is already done, we just need to catch > GNUTLS_E_DH_PRIME_UNACCEPTABLE so gnutls_verify_boot doesn't > immediately return. That's a separate issue, regarding your argument with Lars whether to let NSM handle the too low bits or leave it to GnuTLS. The issue I raised was how can users know what is the GnuTLS default. Because the doc string of gnutls-min-prime-bits says: (defcustom gnutls-min-prime-bits 256 ;; Several mail servers send fewer bits than the GnuTLS default. ;; Currently, 256 appears to be a reasonable choice (Bug#11267). "Minimum number of prime bits accepted by GnuTLS for key exchange. During a Diffie-Hellman handshake, if the server sends a prime number with fewer than this number of bits, the handshake is rejected. \(The smaller the prime number, the less secure the key exchange is against man-in-the-middle attacks.) A value of nil says to use the default GnuTLS value." ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Which of course immediately begs the question "what is my GnuTLS's default value?" ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 16:57 ` Eli Zaretskii @ 2018-07-09 17:17 ` Jimmy Yuen Ho Wong 2018-07-09 17:36 ` Jimmy Yuen Ho Wong 1 sibling, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 17:17 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel > > A value of nil says to use the default GnuTLS value." > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Which of course immediately begs the question "what is my GnuTLS's > default value?" That's what I've been saying all along. There are a couple of issues we are discussing regarding setting the standard value of `gnutls-min-prime-bits` to 256. 1. The standard value does not match the default value, when you say it it's a default but not really OOTB, what exactly is the default? 2. Default nil doesn't tell the user what exactly is the GnuTLS default either, that seems to be what you are wondering. 3. I've been trying to find a way where you don't need to care about what the default is. My first attempt at surfacing the DH prime from a failed handshake seems to have failed. The only other way I can think of is set gnutls-min-prime-bits to 256 on the C side, and leave it to nil in Lisp. This way its behavior is consistent with how we already handles gnutls-algorithm-priority - we just hardcode a NORMAL in the C side when unspecified. This way you don't have to explain anything. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 16:57 ` Eli Zaretskii 2018-07-09 17:17 ` Jimmy Yuen Ho Wong @ 2018-07-09 17:36 ` Jimmy Yuen Ho Wong 2018-07-09 17:38 ` Jimmy Yuen Ho Wong 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 17:36 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Mon, Jul 9, 2018 at 5:58 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Sun, 8 Jul 2018 20:22:54 +0100 > > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > > Problem is, I cannot find this number in the GnuTLS documentation, > > > either. Maybe I'm blind; but if not, it means our users have no > > > reasonable way of knowing how many bits they are using, and that is > > > not good, IMO. > > > > It's not in the documentation, it's in the src/gnutls.c line > > 1834-1835. It's also in the docstring of `gnutls-min-prime-bits`. > > Are you talking about the master branch of the Emacs repository? If > so, I must be blind, because I don't see 1008 anywhere around those > places. > No I was merely talking about what (setq gnutls-algorithm-priority nil) means. https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1835 The default is here: https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1606 > > > > Users aren't supposed to care about that variable, anyway, since the NSM > > > > warns about less than 1024 bits... > > > > > > Yes, but what if GnuTLS bumps the default to more than that? And even > > > if not, I think I might like to know how far below 1024 I'm going to > > > be if I allow the connection. > > > > See my other email for a way out of this. Once you've caught > > GNUTLS_E_DH_PRIME_UNACCEPTABLE, you can still call > > gnutls_dh_get_prime_bits to get the prime bits the server sends back > > out. I think this is already done, we just need to catch > > GNUTLS_E_DH_PRIME_UNACCEPTABLE so gnutls_verify_boot doesn't > > immediately return. > > That's a separate issue, regarding your argument with Lars whether to > let NSM handle the too low bits or leave it to GnuTLS. The issue I > raised was how can users know what is the GnuTLS default. Because the > doc string of gnutls-min-prime-bits says: > > (defcustom gnutls-min-prime-bits 256 > ;; Several mail servers send fewer bits than the GnuTLS default. > ;; Currently, 256 appears to be a reasonable choice (Bug#11267). > "Minimum number of prime bits accepted by GnuTLS for key exchange. > During a Diffie-Hellman handshake, if the server sends a prime > number with fewer than this number of bits, the handshake is > rejected. \(The smaller the prime number, the less secure the > key exchange is against man-in-the-middle attacks.) > > A value of nil says to use the default GnuTLS value." > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > Which of course immediately begs the question "what is my GnuTLS's > default value?" ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 17:36 ` Jimmy Yuen Ho Wong @ 2018-07-09 17:38 ` Jimmy Yuen Ho Wong 2018-07-09 18:04 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 17:38 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Mon, Jul 9, 2018 at 6:36 PM Jimmy Yuen Ho Wong <wyuenho@gmail.com> wrote: > > On Mon, Jul 9, 2018 at 5:58 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > > Date: Sun, 8 Jul 2018 20:22:54 +0100 > > > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > > > Problem is, I cannot find this number in the GnuTLS documentation, > > > > either. Maybe I'm blind; but if not, it means our users have no > > > > reasonable way of knowing how many bits they are using, and that is > > > > not good, IMO. > > > > > > It's not in the documentation, it's in the src/gnutls.c line > > > 1834-1835. It's also in the docstring of `gnutls-min-prime-bits`. > > > > Are you talking about the master branch of the Emacs repository? If > > so, I must be blind, because I don't see 1008 anywhere around those > > places. > > > > No I was merely talking about what (setq gnutls-algorithm-priority nil) means. > > https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1835 > > The default is here: > > https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1606 > Ahhh the lines moved: This is what (setq gnutls-min-prime-bits nil) means: https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1854 > > > > > Users aren't supposed to care about that variable, anyway, since the NSM > > > > > warns about less than 1024 bits... > > > > > > > > Yes, but what if GnuTLS bumps the default to more than that? And even > > > > if not, I think I might like to know how far below 1024 I'm going to > > > > be if I allow the connection. > > > > > > See my other email for a way out of this. Once you've caught > > > GNUTLS_E_DH_PRIME_UNACCEPTABLE, you can still call > > > gnutls_dh_get_prime_bits to get the prime bits the server sends back > > > out. I think this is already done, we just need to catch > > > GNUTLS_E_DH_PRIME_UNACCEPTABLE so gnutls_verify_boot doesn't > > > immediately return. > > > > That's a separate issue, regarding your argument with Lars whether to > > let NSM handle the too low bits or leave it to GnuTLS. The issue I > > raised was how can users know what is the GnuTLS default. Because the > > doc string of gnutls-min-prime-bits says: > > > > (defcustom gnutls-min-prime-bits 256 > > ;; Several mail servers send fewer bits than the GnuTLS default. > > ;; Currently, 256 appears to be a reasonable choice (Bug#11267). > > "Minimum number of prime bits accepted by GnuTLS for key exchange. > > During a Diffie-Hellman handshake, if the server sends a prime > > number with fewer than this number of bits, the handshake is > > rejected. \(The smaller the prime number, the less secure the > > key exchange is against man-in-the-middle attacks.) > > > > A value of nil says to use the default GnuTLS value." > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > > > Which of course immediately begs the question "what is my GnuTLS's > > default value?" ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 17:38 ` Jimmy Yuen Ho Wong @ 2018-07-09 18:04 ` Eli Zaretskii 2018-07-09 18:10 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-09 18:04 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Mon, 9 Jul 2018 18:38:14 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > This is what (setq gnutls-min-prime-bits nil) means: > > https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1854 This still doesn't tell me what nil means: prime_bits = Fplist_get (proplist, QCmin_prime_bits); [...] if (INTEGERP (prime_bits)) gnutls_dh_set_prime_bits (state, XUINT (prime_bits)); If prime_bits is nil, we do nothing with it. We only use it if it is an integer. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 18:04 ` Eli Zaretskii @ 2018-07-09 18:10 ` Jimmy Yuen Ho Wong 2018-07-09 18:33 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 18:10 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Mon, Jul 9, 2018 at 7:05 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Mon, 9 Jul 2018 18:38:14 +0100 > > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > This is what (setq gnutls-min-prime-bits nil) means: > > > > https://github.com/emacs-mirror/emacs/blob/master/src/gnutls.c#L1854 > > This still doesn't tell me what nil means: > > prime_bits = Fplist_get (proplist, QCmin_prime_bits); > [...] > if (INTEGERP (prime_bits)) > gnutls_dh_set_prime_bits (state, XUINT (prime_bits)); > > If prime_bits is nil, we do nothing with it. We only use it if it is > an integer. Yep. By not setting it from the Emacs's side, it means the DH prime bits is controlled by the priority string, and GnuTLS will do the right thing accordingly. It also means the min prime bit is GnuTLS version dependent. "Note that since 3.1.7 this function is deprecated. The minimum number of bits is set by the priority string level. Also this function must be called after gnutls_priority_set_direct() or the set value may be overridden by the selected priority options." https://www.gnutls.org/reference/gnutls-gnutls.html#gnutls-dh-set-prime-bits ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 18:10 ` Jimmy Yuen Ho Wong @ 2018-07-09 18:33 ` Eli Zaretskii 2018-07-09 18:47 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-09 18:33 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Mon, 9 Jul 2018 19:10:09 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > "Note that since 3.1.7 this function is deprecated. The minimum number > of bits is set by the priority string level. Also this function must > be called after gnutls_priority_set_direct() or the set value may be > overridden by the selected priority options." Granted, I saw that. I have GnuTLS installed with its Info manual. But the above still doesn't tell what is the default number of bits, even if I go hunting for the description of the priority string. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 18:33 ` Eli Zaretskii @ 2018-07-09 18:47 ` Jimmy Yuen Ho Wong 2018-07-10 16:10 ` Eli Zaretskii 0 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 18:47 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Mon, Jul 9, 2018 at 7:33 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Mon, 9 Jul 2018 19:10:09 +0100 > > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > > > "Note that since 3.1.7 this function is deprecated. The minimum number > > of bits is set by the priority string level. Also this function must > > be called after gnutls_priority_set_direct() or the set value may be > > overridden by the selected priority options." > > Granted, I saw that. I have GnuTLS installed with its Info manual. > But the above still doesn't tell what is the default number of bits, > even if I go hunting for the description of the priority string. I'm not sure of the significance of what you are trying to do, but if you are trying to confirm the actual min prime bit, the file is here: https://gitlab.com/gnutls/gnutls/blob/master/lib/algorithms/secparams.c The second number is the DH min prime bits. Don't ask me which row is the actual default... I don't want to know... ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 18:47 ` Jimmy Yuen Ho Wong @ 2018-07-10 16:10 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-10 16:10 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Mon, 9 Jul 2018 19:47:23 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > > "Note that since 3.1.7 this function is deprecated. The minimum number > > > of bits is set by the priority string level. Also this function must > > > be called after gnutls_priority_set_direct() or the set value may be > > > overridden by the selected priority options." > > > > Granted, I saw that. I have GnuTLS installed with its Info manual. > > But the above still doesn't tell what is the default number of bits, > > even if I go hunting for the description of the priority string. > > I'm not sure of the significance of what you are trying to do I'm trying to find some evidence to the number of bits GnuTLS will use by default. > but if you are trying to confirm the actual min prime bit, the file > is here: > > https://gitlab.com/gnutls/gnutls/blob/master/lib/algorithms/secparams.c > > The second number is the DH min prime bits. Don't ask me which row is > the actual default... I don't want to know... What you asked not to ask is, of course, what I'm after. I guess the answer is in gnutls_ui.c: void gnutls_dh_set_prime_bits(gnutls_session_t session, unsigned int bits) { if (bits < gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_WEAK) && bits != 0) _gnutls_audit_log(session, "Note that the security level of the Diffie-Hellman key exchange has been lowered to %u bits and this may allow decryption of the session data\n", bits); session->internals.priorities.dh_prime_bits = bits; } This tells us that the default is GNUTLS_SEC_PARAM_WEAK, i.e. this: {"Weak", GNUTLS_SEC_PARAM_WEAK, 72, 1008, 1008, 160, 160} IOW, indeed 1008 bits. Thanks for pointing me in the right direction. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:53 ` Eli Zaretskii 2018-07-08 19:22 ` Jimmy Yuen Ho Wong @ 2018-07-08 19:28 ` Lars Ingebrigtsen 2018-07-08 19:31 ` Jimmy Yuen Ho Wong 2018-07-09 17:02 ` Eli Zaretskii 2018-07-09 15:29 ` Jimmy Yuen Ho Wong 2 siblings, 2 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 19:28 UTC (permalink / raw) To: Eli Zaretskii; +Cc: wyuenho, emacs-devel Eli Zaretskii <eliz@gnu.org> writes: >> Users aren't supposed to care about that variable, anyway, since the NSM >> warns about less than 1024 bits... > > Yes, but what if GnuTLS bumps the default to more than that? And even > if not, I think I might like to know how far below 1024 I'm going to > be if I allow the connection. The NSM will say explicitly how many bits the DH exchange is using. Try this one with `M-x eww' https://dh480.badssl.com/ and you should get the warning. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 19:28 ` Lars Ingebrigtsen @ 2018-07-08 19:31 ` Jimmy Yuen Ho Wong 2018-07-09 17:04 ` Eli Zaretskii 2018-07-09 17:02 ` Eli Zaretskii 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 19:31 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Eli Zaretskii, Emacs-Devel devel On Sun, Jul 8, 2018 at 8:28 PM Lars Ingebrigtsen <larsi@gnus.org> wrote: > > Eli Zaretskii <eliz@gnu.org> writes: > > >> Users aren't supposed to care about that variable, anyway, since the NSM > >> warns about less than 1024 bits... > > > > Yes, but what if GnuTLS bumps the default to more than that? And even > > if not, I think I might like to know how far below 1024 I'm going to > > be if I allow the connection. > > The NSM will say explicitly how many bits the DH exchange is using. Try > this one with `M-x eww' > > https://dh480.badssl.com/ > > and you should get the warning. > That's only because 480 > 256. I think Eli wants to know the bit length if we leave gnutls-min-prime-bits to nil. In my other emails I've pointed out a way to do that. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 19:31 ` Jimmy Yuen Ho Wong @ 2018-07-09 17:04 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-09 17:04 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sun, 8 Jul 2018 20:31:09 +0100 > Cc: Eli Zaretskii <eliz@gnu.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > I think Eli wants to know the bit length if we leave > gnutls-min-prime-bits to nil. Yes. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 19:28 ` Lars Ingebrigtsen 2018-07-08 19:31 ` Jimmy Yuen Ho Wong @ 2018-07-09 17:02 ` Eli Zaretskii 2018-07-09 17:09 ` Jimmy Yuen Ho Wong 1 sibling, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-09 17:02 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Cc: wyuenho@gmail.com, emacs-devel@gnu.org > Date: Sun, 08 Jul 2018 21:28:20 +0200 > > Eli Zaretskii <eliz@gnu.org> writes: > > >> Users aren't supposed to care about that variable, anyway, since the NSM > >> warns about less than 1024 bits... > > > > Yes, but what if GnuTLS bumps the default to more than that? And even > > if not, I think I might like to know how far below 1024 I'm going to > > be if I allow the connection. > > The NSM will say explicitly how many bits the DH exchange is using. Try > this one with `M-x eww' > > https://dh480.badssl.com/ > > and you should get the warning. The warning says The Diffie-Hellman prime bits (480) used for this connection to dh480.badssl.com:443 is less than what is considered safe (1024) So it doesn't show the 1008 value. What did I miss? ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 17:02 ` Eli Zaretskii @ 2018-07-09 17:09 ` Jimmy Yuen Ho Wong 0 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 17:09 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Mon, Jul 9, 2018 at 6:02 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Lars Ingebrigtsen <larsi@gnus.org> > > Cc: wyuenho@gmail.com, emacs-devel@gnu.org > > Date: Sun, 08 Jul 2018 21:28:20 +0200 > > > > Eli Zaretskii <eliz@gnu.org> writes: > > > > >> Users aren't supposed to care about that variable, anyway, since the NSM > > >> warns about less than 1024 bits... > > > > > > Yes, but what if GnuTLS bumps the default to more than that? And even > > > if not, I think I might like to know how far below 1024 I'm going to > > > be if I allow the connection. > > > > The NSM will say explicitly how many bits the DH exchange is using. Try > > this one with `M-x eww' > > > > https://dh480.badssl.com/ > > > > and you should get the warning. > > The warning says > > The Diffie-Hellman prime bits (480) used for this connection to > dh480.badssl.com:443 is less than what is considered safe (1024) > > So it doesn't show the 1008 value. What did I miss? Nothing. The server you are connecting will only give you a 480-bit prime. Since your Emacs is still using 256 `gnutls-min-prime-bit`, GnuTLS lowered the lower bound from 1008 to 256, and then negotiate a bit length as high as the server can go. What you see is expected. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:53 ` Eli Zaretskii 2018-07-08 19:22 ` Jimmy Yuen Ho Wong 2018-07-08 19:28 ` Lars Ingebrigtsen @ 2018-07-09 15:29 ` Jimmy Yuen Ho Wong 2018-07-09 16:35 ` Robert Pluim 2 siblings, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-09 15:29 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel > > > Users aren't supposed to care about that variable, anyway, since the NSM > > warns about less than 1024 bits... > > Yes, but what if GnuTLS bumps the default to more than that? And even > if not, I think I might like to know how far below 1024 I'm going to > be if I allow the connection. I've surfaced the DH_PRIME_UNACCEPTABLE error from the handshake to the Lisp side here. https://github.com/wyuenho/emacs/commit/6c00758175b227338005533b27999435b33528d5 I'm don't like this change to much. It's full of exceptions in the C code, and you still can't get the prime bits the server sent over, because gnutls_dh_get_prime_bits() only returns a prime bit if an actual DH key exchange was done. Since the handshake failed early as soon as the client found out the prime bits are too low, ciphers, mac and all the rest were not negotiated, so they are all NULL. You do at least get a warning that lets you know the prime bit is too low tho, and you can still proceed with this connection tho, but it wouldn't be very useful. Since the handshake failed, the result will be a plain HTTP request to an HTTPS port, of which the server will typically return with an HTTP 400. Perhaps it's simply better to let the user know that they can (setq gnutls-log-level 1) to log out the actual GnuTLS error message (which is still just prime bits too low without specifying a number) ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-09 15:29 ` Jimmy Yuen Ho Wong @ 2018-07-09 16:35 ` Robert Pluim 0 siblings, 0 replies; 221+ messages in thread From: Robert Pluim @ 2018-07-09 16:35 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Eli Zaretskii, Lars Ingebrigtsen, Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: >> >> > Users aren't supposed to care about that variable, anyway, since the NSM >> > warns about less than 1024 bits... >> >> Yes, but what if GnuTLS bumps the default to more than that? And even >> if not, I think I might like to know how far below 1024 I'm going to >> be if I allow the connection. > > I've surfaced the DH_PRIME_UNACCEPTABLE error from the handshake to > the Lisp side here. > https://github.com/wyuenho/emacs/commit/6c00758175b227338005533b27999435b33528d5 > > I'm don't like this change to much. It's full of exceptions in the C > code, and you still can't get the prime bits the server sent over, > because gnutls_dh_get_prime_bits() only returns a prime bit if an > actual DH key exchange was done. Since the handshake failed early as > soon as the client found out the prime bits are too low, ciphers, mac > and all the rest were not negotiated, so they are all NULL. You do at > least get a warning that lets you know the prime bit is too low tho, > and you can still proceed with this connection tho, but it wouldn't be > very useful. Since the handshake failed, the result will be a plain > HTTP request to an HTTPS port, of which the server will typically > return with an HTTP 400. Iʼd much rather we hard fail the connection here than proceed without TLS. > Perhaps it's simply better to let the user know that they can (setq > gnutls-log-level 1) to log out the actual GnuTLS error message (which > is still just prime bits too low without specifying a number) Yes, that sounds like a good idea. Robert ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 17:47 ` Lars Ingebrigtsen 2018-07-08 18:10 ` Eli Zaretskii @ 2018-07-08 18:31 ` Jimmy Yuen Ho Wong 2018-07-08 18:42 ` Lars Ingebrigtsen 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 18:31 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Emacs-Devel devel On Sun, Jul 8, 2018 at 6:47 PM Lars Ingebrigtsen <larsi@gnus.org> wrote: > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > No we don't let GnuTLS always establish the connection. We don't set > > the priority string to the lowest level possible, i.e. "LEGACY". Are > > you suggesting you want to do that? > > That's my preference, but others don't agree. And it's basically a moot > point, since there are virtually no (legitimate real-world) connections > that fall between the nil and "LEGACY" settings of > `gnutls-algorithm-priority'. > There is also no legitimate real-world connection that fall between min-prime-bit 0 and 512-bits. In fact, exactly 0 top Alexa 150k site demands 256 bit. https://www.ssllabs.com/ssl-pulse/. I'll reply to the problem with setting gnutls-algorithm-priority to LEGACY in other email. > > Setting `gnutls-min-prime-bits` to 256 as the standard value suggests > > to me that Emacs' network security level is so relaxed that a TLS > > connection with a DH prime 256-bits should go through, but in reality > > NSM still warns. This yet again contradicts the intention of the > > standard value. If the intention is to warn about prime-bit < 1024 > > bits, `gnutls-min-prime-bits` should not be 256, otherwise NSM should > > not warn. > > > > Just switch it back to `nil` and let GnuTLS do the right thing > > according to the priority string for crying out loud. This also has no > > adverse effect. > > I don't understand what you're saying here. We've chosen 256 since > that's the way to say "don't stop any connections on the gnutls level > because of this stuff". nil currently means 1008 bits, if I read the > docs right. > That is correct, for consistency's sake. Since we'e decided on a default NORMAL:%DUMB_FW priority string, which means let the GnuTLS version you've built Emacs with to decide what cipher suites to allow, it follows that we should also default `gnutls-min-prime-bits` to nil, which also lets GnuTLS decide. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:31 ` Jimmy Yuen Ho Wong @ 2018-07-08 18:42 ` Lars Ingebrigtsen 2018-07-08 19:28 ` Jimmy Yuen Ho Wong 0 siblings, 1 reply; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 18:42 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: Emacs-Devel devel Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > I'll reply to the problem with setting gnutls-algorithm-priority to > LEGACY in other email. Well, I'm not really advocating that. It's a bit too much hubris. :-) Nobody's perfect, and the default NORMAL gnutls-algorithm-priority is fine by me, even if it means a less-than-perfect UI and user experience. > That is correct, for consistency's sake. Since we'e decided on a > default NORMAL:%DUMB_FW priority string, which means let the GnuTLS > version you've built Emacs with to decide what cipher suites to allow, > it follows that we should also default `gnutls-min-prime-bits` to nil, > which also lets GnuTLS decide. We could, but we know that we handle that bit well on our own in the NSM, so I don't see the point. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 18:42 ` Lars Ingebrigtsen @ 2018-07-08 19:28 ` Jimmy Yuen Ho Wong 0 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 19:28 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: Emacs-Devel devel On Sun, Jul 8, 2018 at 7:42 PM Lars Ingebrigtsen <larsi@gnus.org> wrote: > > Jimmy Yuen Ho Wong <wyuenho@gmail.com> writes: > > > I'll reply to the problem with setting gnutls-algorithm-priority to > > LEGACY in other email. > > Well, I'm not really advocating that. It's a bit too much hubris. :-) > Nobody's perfect, and the default NORMAL gnutls-algorithm-priority is > fine by me, even if it means a less-than-perfect UI and user experience. > But you could advocate that, I don't object to that :). You can just copy this bit of code[1] and do a few adjustments in the checks to avoid too much nagging if the user specifically listed he wants RC4 to be enabled. https://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string > > That is correct, for consistency's sake. Since we'e decided on a > > default NORMAL:%DUMB_FW priority string, which means let the GnuTLS > > version you've built Emacs with to decide what cipher suites to allow, > > it follows that we should also default `gnutls-min-prime-bits` to nil, > > which also lets GnuTLS decide. > > We could, but we know that we handle that bit well on our own in the > NSM, so I don't see the point. > As I said, it's a UI issue. You are confusing people when what they specify do not match expectation. When I specify a lower bound, that's me saying I don't want NSM to nag me about it. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 16:56 ` Jimmy Yuen Ho Wong 2018-07-08 17:06 ` Paul Eggert 2018-07-08 17:47 ` Lars Ingebrigtsen @ 2018-07-08 17:53 ` Eli Zaretskii 2018-07-08 19:16 ` Jimmy Yuen Ho Wong 2 siblings, 1 reply; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 17:53 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sun, 8 Jul 2018 17:56:03 +0100 > Cc: Emacs-Devel devel <emacs-devel@gnu.org> > > > > That's true, but there's still no reason to default > > > `gnutls-min-prime-bits` to 256. If that's the default, presumably > > > checking for DH prime bits > 1024 is a bug as NSM should let 256-bit > > > DH prime go through. > > > > No? We let gnutls always establish the connection, no matter how sucky, > > and then we ask the user about it. That's the whole idea behind the > > NSM. > > No we don't let GnuTLS always establish the connection. We don't set > the priority string to the lowest level possible, i.e. "LEGACY". Are > you suggesting you want to do that? > The precedence has been set that we don't allow every GnuTLS > connection to go through, therefore, your ideal with letting NSM > handle all kinds of network security issues in Emacs is invalid. > > > And setting gnutls-min-prime-bits to 256 has no adverse effects, since > > (contrary to what you've said several times in this thread), the TLS > > connection will use as many prime bits that the server offers, > > apparently. > > > > The adverse effect is, there is no way to explain this clearly to a > user WTF is going on without confusing the hack out of people. The > choice option with a "Default" :tag in the defcustom already says nil > is the default, just the standard value isn't. This is already a > contradiction. But if we set the prime bits to a higher number, isn't it true that a TLS connection will fail with little or no explanations? Whereas the NSM does provide a sensible description of the problem when it asks me whether to go ahead with the insecure connection, so I could consider how much I trust the server and/or the connection. I don't know if I'm talking about the same situation, but I sometimes get from Firefox a cryptic "secure connection failed" with some error code mnemonics I don't understand; when that happens, it annoys me quite a bit, because I have no easy way of figuring out whether the problem is with the server, with my box, or with some fascist firewall in the middle. If this is what will happen when we bump the number of bits (or with any other security setting), then I'd rather have NSM catch that and talk to me in a language I can understand better. At least as an option, if not by default (and no, that option shouldn't be gnutls-min-prime-bits, as that's too technical for most users; I'm thinking about some non-default security level, perhaps). Does that make sense? > Just switch it back to `nil` and let GnuTLS do the right thing > according to the priority string for crying out loud. If you mean that people should customize the priority string, then I think this is again too technical and shouldn't be the primary solution we provide users for controlling their security level. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 17:53 ` Eli Zaretskii @ 2018-07-08 19:16 ` Jimmy Yuen Ho Wong 0 siblings, 0 replies; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 19:16 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Sun, Jul 8, 2018 at 6:53 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > > Date: Sun, 8 Jul 2018 17:56:03 +0100 > > Cc: Emacs-Devel devel <emacs-devel@gnu.org> > > > > > > That's true, but there's still no reason to default > > > > `gnutls-min-prime-bits` to 256. If that's the default, presumably > > > > checking for DH prime bits > 1024 is a bug as NSM should let 256-bit > > > > DH prime go through. > > > > > > No? We let gnutls always establish the connection, no matter how sucky, > > > and then we ask the user about it. That's the whole idea behind the > > > NSM. > > > > No we don't let GnuTLS always establish the connection. We don't set > > the priority string to the lowest level possible, i.e. "LEGACY". Are > > you suggesting you want to do that? > > The precedence has been set that we don't allow every GnuTLS > > connection to go through, therefore, your ideal with letting NSM > > handle all kinds of network security issues in Emacs is invalid. > > > > > And setting gnutls-min-prime-bits to 256 has no adverse effects, since > > > (contrary to what you've said several times in this thread), the TLS > > > connection will use as many prime bits that the server offers, > > > apparently. > > > > > > > The adverse effect is, there is no way to explain this clearly to a > > user WTF is going on without confusing the hack out of people. The > > choice option with a "Default" :tag in the defcustom already says nil > > is the default, just the standard value isn't. This is already a > > contradiction. > > But if we set the prime bits to a higher number, isn't it true that a > TLS connection will fail with little or no explanations? Whereas the > NSM does provide a sensible description of the problem when it asks me > whether to go ahead with the insecure connection, so I could consider > how much I trust the server and/or the connection. > > I don't know if I'm talking about the same situation, but I sometimes > get from Firefox a cryptic "secure connection failed" with some error > code mnemonics I don't understand; when that happens, it annoys me > quite a bit, because I have no easy way of figuring out whether the > problem is with the server, with my box, or with some fascist > firewall in the middle. > > If this is what will happen when we bump the number of bits (or with > any other security setting), then I'd rather have NSM catch that and > talk to me in a language I can understand better. At least as an > option, if not by default (and no, that option shouldn't be > gnutls-min-prime-bits, as that's too technical for most users; I'm > thinking about some non-default security level, perhaps). > > Does that make sense? > > > Just switch it back to `nil` and let GnuTLS do the right thing > > according to the priority string for crying out loud. > > If you mean that people should customize the priority string, then I > think this is again too technical and shouldn't be the primary > solution we provide users for controlling their security level. No, I'm saying don't override GnuTLS's defaults by default (geeez that's a lot of defaults, hope that makes sense). If people want to enable certain things the GnuTLS doesn't allow by default, they can still do it by adjusting GnuTLS's priority string. The priority string is GnuTLS's primary means for adjusting its feature set. "The GnuTLS priority strings specify the TLS session’s handshake algorithms and options in a compact, easy-to-use format. Thee strings are intended as a user-specified override of the library defaults. That is, we recommend applications using the default settings (c.f. gnutls_set_default_priority), and provide the user with access to priority strings for overriding the default behavior, on configuration files, or other UI. Following such a principle, makes the GnuTLS library as the default settings provider. That is necessary and a good practice, because TLS protocol hardening and phasing out of legacy algorithms, is easier to co-ordinate when happens in a single library. "[1] The way we use `gnutls-min-prime-bits` is also problematic, as the docs suggests that it's been deprecated since 3.1.7. [2] In order to throw the error back out to LISP to NSM to check when the server presents a prime bit that's too low, we can catch the GNUTLS_E_DH_PRIME_UNACCEPTABLE error. This is trivial judging from the C code. [1]: https://www.gnutls.org/manual/gnutls.html#Priority-Strings [2]: https://www.gnutls.org/manual/gnutls.html#gnutls_005fdh_005fset_005fprime_005fbits ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:06 ` Lars Ingebrigtsen 2018-07-08 14:54 ` Jimmy Yuen Ho Wong @ 2018-07-08 14:55 ` Eli Zaretskii 2018-07-08 14:58 ` Jimmy Yuen Ho Wong 2018-07-08 15:16 ` Lars Ingebrigtsen 1 sibling, 2 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 14:55 UTC (permalink / raw) To: Lars Ingebrigtsen; +Cc: wyuenho, emacs-devel > From: Lars Ingebrigtsen <larsi@gnus.org> > Date: Sun, 08 Jul 2018 16:06:39 +0200 > Cc: Emacs-Devel devel <emacs-devel@gnu.org> > > But, yes, as Eli says, `paranoid' should perhaps do more for non-TLS > connections. The question is "what", though, because there's no > fingerprint (beyond the host/port number) that we can use to verify > that a non-TLS connection is to a previously seen host. We could look at the browsers for inspiration, perhaps? > 3) emacs -Q should ignore the NSM settings (and not save anything) Agreed. > Other than that, I'm just waiting for Jimmy's code to show up in an > Emacs branch, and I'll probably have more comments. Thanks. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:55 ` Eli Zaretskii @ 2018-07-08 14:58 ` Jimmy Yuen Ho Wong 2018-07-08 15:18 ` Eli Zaretskii 2018-07-08 15:16 ` Lars Ingebrigtsen 1 sibling, 1 reply; 221+ messages in thread From: Jimmy Yuen Ho Wong @ 2018-07-08 14:58 UTC (permalink / raw) To: Eli Zaretskii; +Cc: Lars Ingebrigtsen, Emacs-Devel devel On Sun, Jul 8, 2018 at 3:55 PM Eli Zaretskii <eliz@gnu.org> wrote: > > > From: Lars Ingebrigtsen <larsi@gnus.org> > > Date: Sun, 08 Jul 2018 16:06:39 +0200 > > Cc: Emacs-Devel devel <emacs-devel@gnu.org> > > > > But, yes, as Eli says, `paranoid' should perhaps do more for non-TLS > > connections. The question is "what", though, because there's no > > fingerprint (beyond the host/port number) that we can use to verify > > that a non-TLS connection is to a previously seen host. > > We could look at the browsers for inspiration, perhaps? > Browsers have only 1 security level, and shows a green padlock on the address bar for HTTPS, and no padlock for cleartext connection. There's no warning whatsoever. If you want to do the padlock think, you might want to do it in EWW and all those Email/Newsgroup packages instead of NSM. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:58 ` Jimmy Yuen Ho Wong @ 2018-07-08 15:18 ` Eli Zaretskii 0 siblings, 0 replies; 221+ messages in thread From: Eli Zaretskii @ 2018-07-08 15:18 UTC (permalink / raw) To: Jimmy Yuen Ho Wong; +Cc: larsi, emacs-devel > From: Jimmy Yuen Ho Wong <wyuenho@gmail.com> > Date: Sun, 8 Jul 2018 15:58:45 +0100 > Cc: Lars Ingebrigtsen <larsi@gnus.org>, Emacs-Devel devel <emacs-devel@gnu.org> > > > But, yes, as Eli says, `paranoid' should perhaps do more for non-TLS > > > connections. The question is "what", though, because there's no > > > fingerprint (beyond the host/port number) that we can use to verify > > > that a non-TLS connection is to a previously seen host. > > > > We could look at the browsers for inspiration, perhaps? > > Browsers have only 1 security level I meant for inspiration about what non-TLS checks can be relevant. Whether they should be on 'paranoid' or lower is a separate question. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-08 14:55 ` Eli Zaretskii 2018-07-08 14:58 ` Jimmy Yuen Ho Wong @ 2018-07-08 15:16 ` Lars Ingebrigtsen 1 sibling, 0 replies; 221+ messages in thread From: Lars Ingebrigtsen @ 2018-07-08 15:16 UTC (permalink / raw) To: Eli Zaretskii; +Cc: wyuenho, emacs-devel Eli Zaretskii <eliz@gnu.org> writes: >> But, yes, as Eli says, `paranoid' should perhaps do more for non-TLS >> connections. The question is "what", though, because there's no >> fingerprint (beyond the host/port number) that we can use to verify >> that a non-TLS connection is to a previously seen host. > > We could look at the browsers for inspiration, perhaps? Hm... I don't think I've seen any browsers offering anything like the `paranoid' level, but I've only used the mainstream ones. Perhaps somebody else has experience with the high security forks of Firefox? Or do I misremember? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-05 22:44 ` Richard Stallman 2018-07-06 6:42 ` Jimmy Yuen Ho Wong @ 2018-07-06 16:53 ` Paul Eggert 2018-07-06 23:11 ` Richard Stallman 1 sibling, 1 reply; 221+ messages in thread From: Paul Eggert @ 2018-07-06 16:53 UTC (permalink / raw) To: rms, Perry E. Metzger; +Cc: eliz, emacs-devel, larsi, wyuenho Richard Stallman wrote: > OpenSSL had, in the past, a license incompatible with the GNU GPL. > If its license is unchanged, using it with Emacs would require some > inconvenient work to install a license exception. The OpenSSL project announced in 2015 its intent to switch to the Apache 2.0 license, which is compatible with the GPL v3 that Emacs uses. Switching involves contacting hundreds of contributors and getting their permission, and removing code contributed by the few who disagree. At last report in March <https://www.openssl.org/blog/blog/2018/03/01/last-license/> this process had covered 99.8% of commits to OpenSSL, and the intent was to make the license change in the next release, which has not happened yet. So although we're still not quite there yet as far as Emacs using OpenSSL on Debian goes, the licensing issue looks like it will be resolved in the not-too-distant future. ^ permalink raw reply [flat|nested] 221+ messages in thread
* Re: A couple of questions and concerns about Emacs network security 2018-07-06 16:53 ` Paul Eggert @ 2018-07-06 23:11 ` Richard Stallman 0 siblings, 0 replies; 221+ messages in thread From: Richard Stallman @ 2018-07-06 23:11 UTC (permalink / raw) To: Paul Eggert; +Cc: eliz, wyuenho, emacs-devel, larsi, perry [[[ To any NSA and FBI agents reading my email: please consider ]]] [[[ whether defending the US Constitution against all enemies, ]]] [[[ foreign or domestic, requires you to follow Snowden's example. ]]] We should wait for OpenSSL to actually change its license before we start using it, but it looks like that won't be long. -- Dr Richard Stallman President, Free Software Foundation (https://gnu.org, https://fsf.org) Internet Hall-of-Famer (https://internethalloffame.org) ^ permalink raw reply [flat|nested] 221+ messages in thread
end of thread, other threads:[~2018-07-14 18:25 UTC | newest] Thread overview: 221+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-06-22 22:00 A couple of questions and concerns about Emacs network security Jimmy Yuen Ho Wong 2018-06-22 22:43 ` Paul Eggert 2018-06-22 23:21 ` Lars Ingebrigtsen 2018-06-22 23:33 ` Lars Ingebrigtsen 2018-06-23 1:35 ` Jimmy Yuen Ho Wong 2018-06-23 10:23 ` Lars Ingebrigtsen 2018-06-23 10:34 ` Lars Ingebrigtsen 2018-06-23 10:48 ` Jimmy Yuen Ho Wong 2018-06-23 11:32 ` Lars Ingebrigtsen 2018-06-23 11:55 ` Jimmy Yuen Ho Wong 2018-06-23 12:05 ` Lars Ingebrigtsen 2018-06-23 12:13 ` Eli Zaretskii 2018-06-23 12:15 ` Lars Ingebrigtsen 2018-06-23 12:26 ` Eli Zaretskii 2018-07-07 9:57 ` Eli Zaretskii 2018-07-08 14:01 ` Lars Ingebrigtsen 2018-07-08 14:53 ` Eli Zaretskii 2018-07-08 15:06 ` Lars Ingebrigtsen 2018-07-08 15:23 ` Eli Zaretskii 2018-06-23 12:45 ` Jimmy Yuen Ho Wong 2018-06-24 12:53 ` Lars Ingebrigtsen 2018-07-05 13:33 ` Perry E. Metzger 2018-07-05 13:49 ` Eli Zaretskii 2018-07-05 15:29 ` Perry E. Metzger 2018-07-05 18:55 ` Eli Zaretskii 2018-07-05 19:26 ` Paul Eggert 2018-07-05 19:35 ` Eli Zaretskii 2018-07-05 20:01 ` Eli Zaretskii 2018-07-06 17:03 ` Paul Eggert 2018-07-06 17:36 ` Eli Zaretskii 2018-07-06 18:15 ` Paul Eggert 2018-07-07 7:04 ` Eli Zaretskii 2018-07-07 10:30 ` Jimmy Yuen Ho Wong 2018-07-07 11:35 ` Eli Zaretskii 2018-07-05 20:46 ` Perry E. Metzger 2018-07-05 20:45 ` Perry E. Metzger 2018-07-06 6:29 ` Eli Zaretskii 2018-07-06 23:08 ` Richard Stallman 2018-07-07 12:18 ` Perry E. Metzger 2018-07-07 13:19 ` Eli Zaretskii 2018-07-07 13:46 ` Perry E. Metzger 2018-07-07 14:17 ` Eli Zaretskii 2018-07-07 15:25 ` Perry E. Metzger 2018-07-07 16:08 ` Eli Zaretskii 2018-07-07 23:46 ` Richard Stallman 2018-07-08 0:25 ` Perry E. Metzger 2018-07-08 2:44 ` Eli Zaretskii 2018-07-08 22:55 ` Richard Stallman 2018-07-07 14:32 ` Jimmy Yuen Ho Wong 2018-07-07 15:15 ` Perry E. Metzger 2018-07-07 15:39 ` Jimmy Yuen Ho Wong 2018-07-07 18:16 ` Paul Eggert 2018-07-07 23:03 ` Jimmy Yuen Ho Wong 2018-07-07 15:57 ` Eli Zaretskii 2018-07-07 23:45 ` Richard Stallman 2018-07-05 13:50 ` Jimmy Yuen Ho Wong 2018-07-05 15:30 ` Perry E. Metzger 2018-07-05 15:36 ` Stefan Monnier 2018-07-05 16:05 ` Perry E. Metzger 2018-07-05 22:44 ` Richard Stallman 2018-07-06 6:01 ` Eli Zaretskii 2018-06-23 0:00 ` Paul Eggert 2018-06-23 0:10 ` Stefan Monnier 2018-06-23 9:57 ` Lars Ingebrigtsen 2018-06-23 2:17 ` Noam Postavsky 2018-06-23 6:40 ` Eli Zaretskii 2018-06-23 10:21 ` Jimmy Yuen Ho Wong 2018-06-23 11:26 ` Eli Zaretskii 2018-06-23 22:28 ` Noam Postavsky 2018-06-24 14:23 ` Eli Zaretskii 2018-06-24 14:34 ` Lars Ingebrigtsen 2018-06-24 14:48 ` Noam Postavsky 2018-06-24 15:30 ` Eli Zaretskii 2018-06-24 16:57 ` Lars Ingebrigtsen 2018-06-24 17:10 ` Jimmy Yuen Ho Wong 2018-06-24 17:39 ` Lars Ingebrigtsen 2018-06-24 18:29 ` Jimmy Yuen Ho Wong 2018-06-24 18:51 ` Eli Zaretskii 2018-06-24 21:30 ` Jimmy Yuen Ho Wong 2018-06-25 1:25 ` Van L 2018-06-25 2:28 ` Jimmy Yuen Ho Wong 2018-06-25 2:38 ` Jimmy Yuen Ho Wong 2018-06-25 17:16 ` Eli Zaretskii 2018-06-25 17:25 ` Jimmy Yuen Ho Wong 2018-06-25 18:06 ` Jimmy Yuen Ho Wong 2018-06-24 20:58 ` Lars Ingebrigtsen 2018-06-24 21:07 ` Lars Ingebrigtsen 2018-06-24 22:47 ` Jimmy Yuen Ho Wong 2018-06-25 0:04 ` Lars Ingebrigtsen 2018-06-25 0:33 ` Noam Postavsky 2018-06-25 0:36 ` Lars Ingebrigtsen 2018-06-24 21:28 ` Noam Postavsky 2018-06-24 21:57 ` Lars Ingebrigtsen 2018-06-25 16:06 ` Eli Zaretskii 2018-06-25 16:29 ` Jimmy Yuen Ho Wong 2018-06-25 16:58 ` Lars Ingebrigtsen 2018-06-25 17:08 ` Jimmy Yuen Ho Wong 2018-06-25 17:18 ` Eli Zaretskii 2018-06-30 17:40 ` Jimmy Yuen Ho Wong 2018-06-30 18:04 ` Eli Zaretskii 2018-06-25 17:09 ` Eli Zaretskii 2018-06-25 17:17 ` Eli Zaretskii 2018-06-25 16:55 ` Lars Ingebrigtsen 2018-06-25 17:06 ` Eli Zaretskii 2018-06-25 17:20 ` Jimmy Yuen Ho Wong 2018-06-25 17:33 ` Lars Ingebrigtsen 2018-07-05 15:52 ` Perry E. Metzger 2018-07-05 15:58 ` Jimmy Yuen Ho Wong 2018-07-05 16:36 ` Perry E. Metzger 2018-07-05 16:51 ` Jimmy Yuen Ho Wong 2018-07-05 18:25 ` Perry E. Metzger 2018-07-05 18:32 ` Eli Zaretskii 2018-07-05 18:43 ` Noam Postavsky 2018-07-05 20:31 ` Perry E. Metzger 2018-07-08 11:43 ` Lars Ingebrigtsen 2018-07-08 14:48 ` Eli Zaretskii 2018-07-06 9:01 ` Eli Zaretskii 2018-07-05 15:33 ` Perry E. Metzger 2018-07-05 18:58 ` Eli Zaretskii 2018-07-06 8:36 ` Robert Pluim 2018-07-06 8:49 ` Eli Zaretskii 2018-07-06 9:35 ` Robert Pluim 2018-07-06 12:32 ` Eli Zaretskii 2018-07-06 12:52 ` Robert Pluim 2018-07-06 13:31 ` Eli Zaretskii 2018-07-06 9:45 ` Stephen Berman 2018-07-06 12:41 ` Eli Zaretskii 2018-07-06 13:50 ` Stephen Berman 2018-07-07 7:15 ` martin rudalics 2018-07-07 12:22 ` Stephen Berman 2018-07-07 13:22 ` Eli Zaretskii 2018-07-07 13:47 ` Stephen Berman 2018-07-08 8:11 ` martin rudalics 2018-07-05 15:10 ` Perry E. Metzger 2018-06-23 6:45 ` Eli Zaretskii 2018-06-23 10:34 ` Jimmy Yuen Ho Wong 2018-07-05 15:58 ` Perry E. Metzger 2018-07-05 19:20 ` Paul Eggert 2018-07-05 20:46 ` Perry E. Metzger 2018-07-05 22:44 ` Richard Stallman 2018-07-06 6:42 ` Jimmy Yuen Ho Wong 2018-07-06 8:16 ` Eli Zaretskii 2018-07-06 9:28 ` Robert Pluim 2018-07-06 13:18 ` Eli Zaretskii 2018-07-06 18:06 ` Jimmy Yuen Ho Wong 2018-07-06 18:48 ` Perry E. Metzger 2018-07-07 7:02 ` Eli Zaretskii 2018-07-07 9:36 ` Robert Pluim 2018-07-07 9:59 ` Jimmy Yuen Ho Wong 2018-07-07 10:01 ` Jimmy Yuen Ho Wong 2018-07-07 21:44 ` Ted Zlatanov 2018-07-07 21:59 ` Paul Eggert 2018-07-07 22:11 ` Jimmy Yuen Ho Wong 2018-07-09 23:09 ` Ted Zlatanov 2018-07-10 18:20 ` Jimmy Yuen Ho Wong 2018-07-10 18:36 ` Eli Zaretskii 2018-07-10 18:40 ` Jimmy Yuen Ho Wong 2018-07-10 18:58 ` Eli Zaretskii 2018-07-13 20:50 ` Jimmy Yuen Ho Wong 2018-07-14 6:37 ` Eli Zaretskii 2018-07-14 17:18 ` Jimmy Yuen Ho Wong 2018-07-14 18:25 ` Eli Zaretskii 2018-07-07 22:13 ` Jimmy Yuen Ho Wong 2018-07-09 13:09 ` Robert Pluim 2018-07-09 13:33 ` Jimmy Yuen Ho Wong 2018-07-09 13:43 ` Lars Ingebrigtsen 2018-07-09 13:49 ` Jimmy Yuen Ho Wong 2018-07-09 17:15 ` Eli Zaretskii 2018-07-09 17:24 ` Jimmy Yuen Ho Wong 2018-07-10 0:06 ` Perry E. Metzger 2018-07-10 0:03 ` Perry E. Metzger 2018-07-10 0:02 ` Perry E. Metzger 2018-07-06 13:03 ` Jimmy Yuen Ho Wong 2018-07-06 14:06 ` Eli Zaretskii 2018-07-06 21:24 ` Jimmy Yuen Ho Wong 2018-07-07 7:55 ` Eli Zaretskii 2018-07-08 14:06 ` Lars Ingebrigtsen 2018-07-08 14:54 ` Jimmy Yuen Ho Wong 2018-07-08 15:13 ` Lars Ingebrigtsen 2018-07-08 16:56 ` Jimmy Yuen Ho Wong 2018-07-08 17:06 ` Paul Eggert 2018-07-08 17:25 ` Jimmy Yuen Ho Wong 2018-07-08 17:53 ` Lars Ingebrigtsen 2018-07-08 18:54 ` Jimmy Yuen Ho Wong 2018-07-08 19:30 ` Lars Ingebrigtsen 2018-07-08 19:32 ` Jimmy Yuen Ho Wong 2018-07-08 22:56 ` Richard Stallman 2018-07-08 17:47 ` Lars Ingebrigtsen 2018-07-08 18:10 ` Eli Zaretskii 2018-07-08 18:12 ` Jimmy Yuen Ho Wong 2018-07-08 18:26 ` Eli Zaretskii 2018-07-08 18:39 ` Lars Ingebrigtsen 2018-07-08 18:53 ` Eli Zaretskii 2018-07-08 19:22 ` Jimmy Yuen Ho Wong 2018-07-09 16:57 ` Eli Zaretskii 2018-07-09 17:17 ` Jimmy Yuen Ho Wong 2018-07-09 17:36 ` Jimmy Yuen Ho Wong 2018-07-09 17:38 ` Jimmy Yuen Ho Wong 2018-07-09 18:04 ` Eli Zaretskii 2018-07-09 18:10 ` Jimmy Yuen Ho Wong 2018-07-09 18:33 ` Eli Zaretskii 2018-07-09 18:47 ` Jimmy Yuen Ho Wong 2018-07-10 16:10 ` Eli Zaretskii 2018-07-08 19:28 ` Lars Ingebrigtsen 2018-07-08 19:31 ` Jimmy Yuen Ho Wong 2018-07-09 17:04 ` Eli Zaretskii 2018-07-09 17:02 ` Eli Zaretskii 2018-07-09 17:09 ` Jimmy Yuen Ho Wong 2018-07-09 15:29 ` Jimmy Yuen Ho Wong 2018-07-09 16:35 ` Robert Pluim 2018-07-08 18:31 ` Jimmy Yuen Ho Wong 2018-07-08 18:42 ` Lars Ingebrigtsen 2018-07-08 19:28 ` Jimmy Yuen Ho Wong 2018-07-08 17:53 ` Eli Zaretskii 2018-07-08 19:16 ` Jimmy Yuen Ho Wong 2018-07-08 14:55 ` Eli Zaretskii 2018-07-08 14:58 ` Jimmy Yuen Ho Wong 2018-07-08 15:18 ` Eli Zaretskii 2018-07-08 15:16 ` Lars Ingebrigtsen 2018-07-06 16:53 ` Paul Eggert 2018-07-06 23:11 ` Richard Stallman
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/emacs.git https://git.savannah.gnu.org/cgit/emacs/org-mode.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.