From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!.POSTED!not-for-mail From: Jimmy Yuen Ho Wong Newsgroups: gmane.emacs.devel Subject: A couple of questions and concerns about Emacs network security Date: Fri, 22 Jun 2018 23:00:13 +0100 Message-ID: NNTP-Posting-Host: blaine.gmane.org Mime-Version: 1.0 Content-Type: text/plain X-Trace: blaine.gmane.org 1529704704 18887 195.159.176.226 (22 Jun 2018 21:58:24 GMT) X-Complaints-To: usenet@blaine.gmane.org NNTP-Posting-Date: Fri, 22 Jun 2018 21:58:24 +0000 (UTC) To: emacs-devel@gnu.org Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Fri Jun 22 23:58:20 2018 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by blaine.gmane.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fWU4P-0004mD-M7 for ged-emacs-devel@m.gmane.org; Fri, 22 Jun 2018 23:58:17 +0200 Original-Received: from localhost ([::1]:36397 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fWU6X-0000qd-4T for ged-emacs-devel@m.gmane.org; Fri, 22 Jun 2018 18:00:29 -0400 Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:42647) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fWU6P-0000qY-QL for emacs-devel@gnu.org; Fri, 22 Jun 2018 18:00:23 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fWU6M-00044X-PF for emacs-devel@gnu.org; Fri, 22 Jun 2018 18:00:21 -0400 Original-Received: from mail-wm0-x231.google.com ([2a00:1450:400c:c09::231]:34638) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fWU6M-00044H-DF for emacs-devel@gnu.org; Fri, 22 Jun 2018 18:00:18 -0400 Original-Received: by mail-wm0-x231.google.com with SMTP id l15-v6so7317063wmc.1 for ; Fri, 22 Jun 2018 15:00:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:mime-version; bh=JqwND8Vlad4NQaRot+eyPWOQLudybLU9epgf1qBkXPg=; b=Wq1HRo+GKwhBA5fz+UDclYaNK+acj/wJxwHKrv1sQcm5DBnu8fUaav8ycEbZr6v2gQ tSj+aJgv8fjpz8jQWhuEELDruSaVeCJQTdrJllynAu58Z+YVDBdH4CODsi+4ksG/Zq/k STLwW6l23ggCl4SGwhuv5WyhFDqRCCVU00yAwGmM5/PcSMYAaAK2pmv08gL/Bds7MVwE m1v81MS6VagnAlaJsnY60begBPT/PjTkmcyr8dVG563Nzdyu68QCd+Uj/r/pkOhKfxqB FP0+bx+yv6A6/j6swCcSFkic04pxU+qAQt9PNnViXbcDPaWrjxY2wK8NRD/5yIEb5mkS lsxQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version; bh=JqwND8Vlad4NQaRot+eyPWOQLudybLU9epgf1qBkXPg=; b=Uu85Cuo8Jt5yURwDZgXOWWQxb8kfv+9EiziFY85CgduBDsH5xN/ERjhJ8Zfidxl0UY o7YTj/L8ED1/VwWIVaqduT+igrVJVUhEQYZ1pfjgpvEjOLHHixshvc7ehwAFT/dPIv8V xSLkcPCK32HizLHKPKK4IWzSOzJq8zjkBqpDEyqmL73VGSE9B0OyrmFjuhbmk130hWRD nXCwkv7L/5jYTG5UKX0aa5hNxjQbN2CJcJBiNIUv4rKd2PTymw3NUduQ8wYdHUWRG0pk Bsq73OHNlFIgKEDi3EkNwWJkeHF5xL1R1wOmaNzTjljZkbbBNpZRa2ObKsJ7cq6RjFnQ 7pHQ== X-Gm-Message-State: APt69E3HQWtY7MurbVebABKsd1VRoPY7e3/krVzJAqy6+N9ORLIUfAfA VMHqoS5gWRg2WwxHr2MvjPeoXRvH X-Google-Smtp-Source: AAOMgpcRxtkGAFHlKTxv8zNcDXSPYdfr/0FRsR9fUgwUh0qbbElE2I1okJZYCBoxy9eTN3YQhtXXvg== X-Received: by 2002:a1c:b2c4:: with SMTP id b187-v6mr3010348wmf.79.1529704816794; Fri, 22 Jun 2018 15:00:16 -0700 (PDT) Original-Received: from mobilecat.lan ([88.98.208.53]) by smtp.gmail.com with ESMTPSA id p196-v6sm4127636wmb.20.2018.06.22.15.00.14 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 22 Jun 2018 15:00:15 -0700 (PDT) X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2a00:1450:400c:c09::231 X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.org gmane.emacs.devel:226598 Archived-At: Hi everyone, I've been digging around Emacs' network security settings lately and I've noticed a couple of oddities. I was wondering what the reasos are and if there are any plans to improve them. For `--with-gnutls` builds using GnuTLS 3.5.18: 1. `gnutls-verify-error` is set to nil by default, so server certs aren't verified by default. 2. `gnutls-min-prime-bits` has been 256 by default since 2012, whereas a reasonable number should probably be 2048 in 2018. 3. `gnutls-algorithm-priority` is nil by default. All of this means there's zero network security OTTB for Emacs. After some experimentation, I've come up with the following settings that brings the balance of default security and compatibility to as good as I could: (setq gnutls-algorithm-priority "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:%PROFILE_MEDIUM" gnutls-min-prime-bits 2048 gnutl-verify-error t) However, this setting still fail the following tests rather alarmingly: (mapcar (lambda (host) (ignore-errors (url-retrieve-synchronously host))) '("https://revoked.badssl.com/" "https://pinning-test.badssl.com/" "https://invalid-expected-sct.badssl.com/")) ;; This should return a list of `'(nil nil nil)`, but doesn't. My questions are: 1. Can we update the default network security settings? 2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't seem to be doing a very good job, can we link to something better maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS? Lastly, I notice there's this thing call `nsm.el` seemingly doing redundant checks if your TLS settings are reasonable, what's the history of it and why is it not obsolete when `tls.el` and `starttls.el` are? Thanks in advance, Jimmy Wong