Re: A couple of questions and concerns about Emacs network security

[Robert Pluim]

Eli Zaretskii <address@hidden> writes:

>> Date: Thu, 5 Jul 2018 11:33:20 -0400
>> From: "Perry E. Metzger" <address@hidden>
>> Cc: Noam Postavsky <address@hidden>, address@hidden, address@hidden,
>>  address@hidden, address@hidden
>> 
>> > > Can we bump gnutls-min-prime-bits to 1024 on the release branch?  
>> > 
>> > No, I don't think so.  Changing these settings needs a prolonged
>> > testing period to uncover any subtle problems with non-conforming
>> > servers that users must be able to access, and such testing is
>> > unlikely to happen on emacs-26 before the next bug-fix release.
>> 
>> All modern browsers set 1024 as a minimum. There is no need for Emacs
>> to worry about this as it has been years since you could connect to a
>> web site with less than 1024 bits security. It should be changed as
>> soon as possible. Even 1024 bits is too small, but this is at least
>> better than the current situation.
>
> Emacs is not a Web browser, it uses the network for purposes other
> than browsing Web pages, so what browsers do is less relevant than
> what you seem to imply.
>
> Anyway, it seems you completely miss my point: I didn't say that we
> shouldn't increase the number of bits, just that we shouldn't do that
> on the release branch, unless we are willing to delay Emacs 26.2
> significantly.

FWIW, Iʼve had gnutls-min-prime-bits set to 1024 since 2014-11-25, and
have seen no adverse effects from it, so I donʼt think the risk is
that great.

Regarsd

Robert