From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Lars Ingebrigtsen Newsgroups: gmane.emacs.devel Subject: Re: Deprecate TLS1.0 support in emacs Date: Wed, 12 Jul 2017 16:44:20 +0200 Message-ID: <87tw2hvhob.fsf@mouse> References: <87o9sp7qok.fsf@gmail.com> <87zic9vk98.fsf@mouse> <87fue17mo5.fsf@gmail.com> NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: blaine.gmane.org 1499870753 29894 195.159.176.226 (12 Jul 2017 14:45:53 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Wed, 12 Jul 2017 14:45:53 +0000 (UTC) User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.50 (gnu/linux) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Wed Jul 12 16:45:47 2017 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dVItZ-0007ET-CI for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 16:45:41 +0200 Original-Received: from localhost ([::1]:53874 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVIte-000749-S4 for ged-emacs-devel@m.gmane.org; Wed, 12 Jul 2017 10:45:46 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:34745) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dVIsP-0006k2-TG for emacs-devel@gnu.org; Wed, 12 Jul 2017 10:44:30 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dVIsL-0007mL-RR for emacs-devel@gnu.org; Wed, 12 Jul 2017 10:44:29 -0400 Original-Received: from hermes.netfonds.no ([80.91.224.195]:43819) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dVIsL-0007kU-K6 for emacs-devel@gnu.org; Wed, 12 Jul 2017 10:44:25 -0400 Original-Received: from cm-84.209.243.26.getinternet.no ([84.209.243.26] helo=mouse) by hermes.netfonds.no with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1dVIsG-0003pU-EM for emacs-devel@gnu.org; Wed, 12 Jul 2017 16:44:22 +0200 In-Reply-To: <87fue17mo5.fsf@gmail.com> (Robert Pluim's message of "Wed, 12 Jul 2017 16:30:18 +0200") X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 80.91.224.195 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:216541 Archived-At: Robert Pluim writes: > TLS1.0 is a seriously insecure protocol. I refrained from doing what I > actually wanted to do, which is deprecate TLS1.1 as well. I think it's > a disservice to allow TLS1.0 to continue to be used. It's no more "insecure" to read lists.gnu.org via HTTPS than it is via HTTP, which is also an option. Denying the former while allowing the latter is rather nonsensical. And if it had been available only via HTTPS, then refusing Emacs users to access it would also have a security impact: Refusing access to information is not "security", but the opposite. > That could be done with nsm, but only if you'll accept setting the > default network-security-level to 'high, or adding a specific check > for protocol version at 'medium. Option 1 looks something like this: No, `high' should be reserved for people that want higher than normal network security. It might make sense to warn for TLS1.0 on `medium', though, but I'd have to check what other web browsers do here. I think, for instance, that Firefox still supports TLS1.0, and gives no warning, either. So unless I've misunderstood the Firefox situation, I don't think we should do anything here. More long-term, I think it may make sense to just treat these "insecure" protocols as if they were unencrypted, user interface wise, but that would be up to each individual application (eww, package-list, etc) and not further down in the network stack? Perhaps? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no