Re: A couple of questions and concerns about Emacs network security


From: Stephen Berman
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Fri, 06 Jul 2018 15:50:57 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

On Fri, 06 Jul 2018 15:41:30 +0300 Eli Zaretskii <address@hidden> wrote:

>> From: Stephen Berman <address@hidden>
>> Cc: Robert Pluim <address@hidden>,  address@hidden
>> Date: Fri, 06 Jul 2018 11:45:17 +0200
>> 
>>   After setting gnutls-min-prime-bits to 1024 I no longer get this
>>   warning.
>> 
>> Given this, it seems reasonable to conclude that most Emacs users who
>> continue to use the current default setting are aware of the risk, and
>> those who have changed it haven't experienced a problem worth reporting.
>> Therefore, changing the default at this time is not likely to cause a
>> problem for most long-time users, and will be safer for all new users,
>> and most likely unproblematic for them (and if it is a problem, then
>> they will know the trade-off).
>
> Thanks, but I don't see how we can deduce "most" from any such
> reports.

Strictly speaking, of course not.  But since Emacs has emitted the
Gnutls warning for at least five years, it doesn't seem too far-fetched
that "most" Emacs users (i.e., enough to cover all but the rarest of
corner cases) have been exposed to it and acted on it or at least know
the risk.

>           And the users who have made such a setting don't need the
> defaults to change anyway.

No, but it's the new users who would benefit.

> Not that "most" counts here, anyway: the whole point of prolonged
> testing of modified defaults is to uncover those rare use cases where
> the new values do some harm, and see whether we need to augment the
> new settings with something.  I see no way around that, sorry, not
> when a feature as basic as network connections is concerned.

My point was that the higher setting has in effect been tested for at
least five years by many (if not "most") users, in response to the
warning, and there have been no bug reports about it AFAIK.  Are you
expecting and planning more systematic testing beyond changing the
default and waiting for bug reports?

Steve Berman
