A couple of questions and concerns about Emacs network security
From: Jimmy Yuen Ho Wong
Subject: A couple of questions and concerns about Emacs network security
Date: Fri, 22 Jun 2018 23:00:13 +0100
Hi everyone,
I've been digging around Emacs' network security settings lately and
I've noticed a couple of oddities. I was wondering what the reasons are
and if there are any plans to improve them.
For `--with-gnutls` builds using GnuTLS 3.5.18:
1. `gnutls-verify-error` is set to nil by default, so server certs
aren't verified by default.
2. `gnutls-min-prime-bits` has been 256 by default since 2012, whereas
a reasonable number should probably be 2048 in 2018.
3. `gnutls-algorithm-priority` is nil by default.
All of this means there's zero network security OOTB for Emacs. After
some experimentation, I've come up with the following settings that
bring the balance of default security and compatibility to as good as I
could:

    (setq gnutls-algorithm-priority
          "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:%PROFILE_MEDIUM"
          gnutls-min-prime-bits 2048
          gnutls-verify-error t)
However, these settings still fail the following tests rather alarmingly:

    (mapcar (lambda (host)
              (ignore-errors (url-retrieve-synchronously host)))
            '("https://revoked.badssl.com/"
              "https://pinning-test.badssl.com/"
              "https://invalid-expected-sct.badssl.com/"))
    ;; This should return a list of `'(nil nil nil)`, but doesn't.
My questions are:
1. Can we update the default network security settings?
2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't
seem to be doing a very good job, can we link to something better
maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS?
Lastly, I notice there's this thing called `nsm.el`, seemingly
doing redundant checks on whether your TLS settings are reasonable. What's the
history of it, and why is it not obsolete when `tls.el` and `starttls.el`
are?
Thanks in advance,
Jimmy Wong
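An added example, not part of the original message: a small audit helper that opens a GnuTLS connection with the settings proposed above bound dynamically (`gnutls-negotiate` reads `gnutls-verify-error`, `gnutls-min-prime-bits` and `gnutls-algorithm-priority` at call time), enforces certificate verification, and reports what was actually negotiated (protocol, cipher, DH prime size, GnuTLS warnings) or the verification error. The function name `my/tls-audit` is a hypothetical name chosen here; the keys it reads from `gnutls-peer-status` are the ones Emacs 26 exposes.

```elisp
(require 'gnutls)

(defun my/tls-audit (host &optional port)
  "Connect to HOST (PORT defaults to 443) with certificate verification
enforced and return a plist describing the negotiated session, or a
plist with :error when the handshake or verification fails.
Hypothetical helper written for illustration; not part of Emacs."
  (let ((port (or port 443))
        ;; Dynamic bindings picked up by `gnutls-negotiate' via
        ;; `open-gnutls-stream'.  These mirror the settings proposed above.
        (gnutls-verify-error t)
        (gnutls-min-prime-bits 2048)
        (gnutls-algorithm-priority
         "SECURE192:+SECURE128:-VERS-ALL:+VERS-TLS1.2:%PROFILE_MEDIUM"))
    (condition-case err
        (let ((proc (open-gnutls-stream "tls-audit" nil host port)))
          (unwind-protect
              (let ((status (gnutls-peer-status proc)))
                (list :host host
                      :protocol (plist-get status :protocol)
                      :cipher   (plist-get status :cipher)
                      :key-exchange (plist-get status :key-exchange)
                      ;; nil for non-DH key exchanges (e.g. ECDHE).
                      :dh-prime-bits
                      (plist-get status :diffie-hellman-prime-bits)
                      ;; Verification problems GnuTLS reported but that
                      ;; did not abort the handshake.
                      :warnings (plist-get status :warnings)))
            (delete-process proc)))
      ;; `gnutls-error' derives from `error', so failed verification
      ;; (untrusted CA, hostname mismatch, expired cert) lands here.
      (error (list :host host :error (error-message-string err))))))

(defun my/tls-audit-all (hosts)
  "Audit each host in HOSTS and return the list of result plists."
  (mapcar #'my/tls-audit hosts))

;; Example invocation, requires network access:
;; (my/tls-audit-all '("badssl.com" "expired.badssl.com" "wrong.host.badssl.com"))
```

Hosts whose certificates fail local verification come back with an `:error` entry rather than a connection; the revocation, pinning and SCT cases from the test above are not checked by GnuTLS certificate verification alone, so they will still connect.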