emacs-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A couple of questions and concerns about Emacs network security

From: Perry E. Metzger
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 12:05:05 -0400 
On Thu, 05 Jul 2018 11:36:55 -0400 Stefan Monnier
<address@hidden> wrote:
> > In spite of the name "gnu" in "gnutls", gnutls is not FSF or Gnu
> > software. I think Emacs should be using OpenSSL, as it is a much
> > better maintained library.  
> 
> I don't have a strong preference either way, but I've heard the
> above argument combined with arguments of security, but AFAIK
> gnutls is still maintained and its security track record is no
> worse than that of OpenSSL.

It's had CVEs that OpenSSL hasn't, and admittedly vice versa.

> IOW someone really concerned about security would likely choose
> something else than OpenSSL or gnutls.  E.g. something not written
> in a language that makes it hard to write safe code, for instance.

So if one wants to go down that path, Firefox now uses components
of the cryptographic libraries from Project Everest, in which the code
is almost (but not yet) fully formally verified:

https://project-everest.github.io/

(So far they're just using the HACL* component.)

This goes the whole thing one better.

Perry
-- 
Perry E. Metzger                address@hidden
reply via email to
[Prev in Thread] Current Thread [Next in Thread]