From: Jimmy Yuen Ho Wong <wyuenho@gmail.com>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Lars Ingebrigtsen <larsi@gnus.org>, Eli Zaretskii <eliz@gnu.org>,
	Paul Eggert <eggert@cs.ucla.edu>,
	rms@gnu.org, Emacs-Devel devel <emacs-devel@gnu.org>
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 7 Jul 2018 15:32:19 +0100
Message-ID: <CAKDRQS63FZKdU1HdC=M5UU58e1aVUXqzZTz24jRvArTF32RpCw@mail.gmail.com>
In-Reply-To: <20180707094622.6eff25bf@jabberwock.cb.piermont.com>

>>
>> I don't see how this is relevant, since we are talking about just
>> one piece of software: Emacs.  For the purposes of this discussion,
>> whether they use the same browsers or different ones, because we are
>> not discussing those browsers.
>
> You may not see the relevance, but others do.
>

The relevance is that what browsers do is a very good heuristic for
someone like me who wants a starting point to find out what problems
to look out for. Another piece of information these browsers give me
is being able to predict the future. These browsers hold enormous
power in shaping the internet. Just Google deprecating SHA1 certs
alone is enough to make them drop to exactly 0 within a month[1]. I
don't see any other relevance beyond these two.

I know, Perry, you probably want to copy what browsers do - basically
removing unsafe ciphers and only offering one security level, and
perhaps drop support for GnuTLS versions other than the most recent
stable version. I can tell you now that in practical terms, they make
very little difference. For Gmail, 85% outbound and 91% inbound emails
are secured with TLS[2]. For HTTP, most of the checks I've implemented
are already supported by a vast majority of servers out there, and
given that the time people spend on the web vs the websites' Alexa
rankings follows the Pareto distribution, most of the time you won't
even get a warning. No warning, no decision to make.

For the 20% of time you are not spending on Alexa top 20k, we can
infer from SSLLabs' SSLPulse data to get a sense of how dangerous they
are. SSLPulse tracks the Alexa top 150K websites. With the exception
of protocol downgrade defense, no other problems that I check for
exceed 5% on this list of servers. 5% of 20% is 1%. If you only
consider cipher suites independently, given that browsers have removed
a shit ton of unsafe cipher suites already, the chance of getting an
unsafe cipher suite from a handshake is very very very small.

The whole reason I'm working on fixing Emacs' network security is I
believe Emacs' esoteric user base is probably extreme outliers, and
Emacs' TLS defence is next to useless. I'm not working on this for
normal people here.

[1]: "Certificate Signature Algorithms" Jan 2017 - Feb 2017.
https://www.ssllabs.com/ssl-pulse/
[2]: https://transparencyreport.google.com/safer-email/overview


