From: Lars Magne Ingebrigtsen
Newsgroups: gmane.emacs.devel
Subject: Re: POP3 password in plaintext?
Date: Wed, 01 Oct 2014 16:02:12 +0200
To: Stefan Monnier
Cc: "Stephen J. Turnbull", rms@gnu.org, emacs-devel@gnu.org
In-Reply-To: (Stefan Monnier's message of "Wed, 01 Oct 2014 09:48:48 -0400")

Stefan Monnier writes:

>> I liked Ted's suggestion about providing modeline indicators.
>
> I'd much rather just signal an error if a password is sent in the clear.
> And then provide some configuration option to indicate when it's OK to
> send the password in the clear on this connection.

Yes, sort of. What I had planned on implementing was a way to make the
user manage the security more explicitly. Here are the main options we
need:

1) The connection is TLS, and the certificate is valid. Everything OK;
don't ask the user for anything.

2) The connection is TLS, but the certificate can't be validated (i.e.,
self-signed certificate, which is very common on
pop3/imap/smtp/nntp/etcp connections), or it is invalid. We then notify
the user of this, display bits of the certificate, and ask how to
proceed.

The user will typically say "no, get me out of here", "OK for this
session only" or "OK always". Emacs will then store the choice, and
store a fingerprint of the certificate, so that we can verify that we're
still making the same choice later on.

3) The connection is not TLS: Ask the user whether she really wants to
send anything unencrypted to this server, and store the choice.

It can all be done on the `open-network-stream' level. Somebody just has
to write this thing.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
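
The three cases in the message above, sketched as one decision function with a stored fingerprint per server. This is an added example, not code from the thread or from Emacs; it is written in Python rather than Emacs Lisp, and `TrustStore`, `check_connection`, the `ask` callback and its answer strings are hypothetical names.

```python
import hashlib

PLAINTEXT = "plaintext"  # marker stored when the user accepts an unencrypted link


class TrustStore:
    """Remembered user decisions, keyed by (host, port). Hypothetical structure."""

    def __init__(self):
        self.permanent = {}  # "OK always" (a real client would persist this)
        self.session = {}    # "OK for this session only"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as a hex string."""
    return hashlib.sha256(der_cert).hexdigest()


def check_connection(store, host, port, tls, cert_valid=False, der_cert=None, ask=None):
    """Return True if credentials may be sent on this connection.

    ask(host, port, pin, changed) must return "no", "session" or "always";
    `changed` is True when an earlier decision exists for a different pin.
    """
    key = (host, port)
    # Case 1: TLS with a certificate that validates. Nothing to ask.
    if tls and cert_valid:
        return True
    # Case 2 pins the certificate fingerprint, case 3 pins the plaintext marker.
    pin = fingerprint(der_cert) if tls else PLAINTEXT
    if store.session.get(key) == pin or store.permanent.get(key) == pin:
        return True  # same choice as before, no prompt
    # Either no decision yet, or the server now looks different: a new
    # certificate, or TLS missing where a certificate was pinned earlier.
    changed = key in store.session or key in store.permanent
    answer = ask(host, port, pin, changed)
    if answer == "always":
        store.permanent[key] = pin
    elif answer == "session":
        store.session[key] = pin
    return answer in ("session", "always")
```

Because the stored value is the pin itself rather than a bare "yes", a server that was accepted with a self-signed certificate and later shows up without TLS triggers a fresh prompt with `changed` set.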