Re: A couple of questions and concerns about Emacs network security

[Jimmy Yuen Ho Wong]

On Sat, Jul 7, 2018 at 8:04 AM, Eli Zaretskii <address@hidden> wrote:
>> Cc: address@hidden, address@hidden, address@hidden, address@hidden,
>>  address@hidden
>> From: Paul Eggert <address@hidden>
>> Date: Fri, 6 Jul 2018 11:15:13 -0700
>>
>> All I'm saying is that the EWW defaults should be
>> similar to what Firefox and the other browsers use; that's just common sense.
>
> We agree on that (provided that those browsers don't do something that
> is known to be silly).
>
>> If there are good reasons for the NSM to use different default
>> settings for non-EWW connections, then of course the NSM should do
>> that.
>
> That's exactly the essence of the discussion.  In any case, the
> current baseline seems to be that we do quite a lot more than the
> browsers, AFAIU.

I keep hearing we are doing more than the browsers, but that's not
straightly comparible. For the 10 low checks for example, I check for
TLS 1.0 in the protocol version check, browsers haven't disabled them
but Mozilla's Telemetry shows that at least on Firefox, TLS 1.0 only
count of 0.02% of all successful TLS handshakes. I've included it only
because PCI DSS has deprecate it back in 2016, and the deadline for
that has just passed on June 30th, 2018. Not that we care about PCI
compliance, but might as well since TLS 1.0 has effectively been
neutered by the other checks.

For the rest of the low level checks other than the cert checks,
browsers have removed all the features or implemented the RFCs to
mitigate the issues, but we still support older version of GnuTLS,
checks for things like RC4 and TLS compression are necessary.
(Speaking of which, I've put in the GnuTLS version numbers in the
docstrings where these checks are applicable to). Similarly, so are
the checks for medium and 3 out of 4 of the high level checks. There's
an extra CBC check on the high level that's not dealt with by browsers
because of compatibility concerns. I throw it in because CBC mode
ciphers are known to be problematic due to padding oracles. This hole
has been plugged by the encrypt-then-MAC TLS extension (RFC 7366), so
the 2 CBC checks are only done when encrypt-then-MAC is not enabled
after the handshake. Basically, all of the checks are tailors to
Emacs' multiple network security levels and GnuTLS version changes.
They take inspirations from browsers but they are not a direct copy.
We don't ever restrict what the users do, if they want to enable RC4,
they can still do it by adjusting `gnutls-algorithm-priority`, we just
warn them when that happens.