Re: A couple of questions and concerns about Emacs network security

[Eli Zaretskii]

> Date: Sat, 7 Jul 2018 09:46:22 -0400
> From: "Perry E. Metzger" <address@hidden>
> Cc: address@hidden, address@hidden, address@hidden, address@hidden,
>  address@hidden
> 
> On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii <address@hidden> wrote:
> > > Date: Sat, 7 Jul 2018 08:18:33 -0400
> > > From: "Perry E. Metzger" <address@hidden>
> > > Cc: Eli Zaretskii <address@hidden>, address@hidden,
> > > address@hidden, address@hidden, address@hidden
> > > 
> > > There is ample evidence that people in such situations rarely if
> > > ever understand what the right thing to do is.  
> > 
> > That doesn't necessarily mean we need to assume none of them will
> > understand that, if the considerations are explained in clear terms
> > that can be mapped to the user's environment.
> 
> The difference between "none" and "under 5%" is so small as to be
> unimportant.

I don't know where you took that number.  Any idea what is the
correlation between those 5% and the percentage of people who use
Emacs, btw?

> In tests, even with very careful explanations, only a
> really tiny fraction of users seem to make good decisions some of
> the time, and that's even when computer science undergraduates are the
> test subjects.

We are not talking about the same decisions in the same terms.  Once
again, I suggest to re-read my comments to Jimmy's patches and the
following discussion.

> > And my personal experience definitely contradicts your "everyone"
> > claim: e.g., my home network is set up with several non-default
> > defenses, and so is my smartphone.  Why should we assume a
> > significant part of Emacs users is in the "everyone" camp?  They
> > did choose to use Emacs, didn't they?
> 
> The difference between one person in a hundred and no one is so small
> for purposes of deciding on default behavior as to be unimportant.

I don't think your estimation of the percentage is accurate, wrt Emacs
users.  They are not the typical mass user of computers.

> As for your own configuration, you're free to change the defaults any
> way you like, so why are you arguing anyway?

Because I think there are many others like me.  I'm not special in any
way, neither in my Emacs usage patterns nor in how I approach
security.

> > You are entitled to your opinions
> 
> These are not opinions. They're facts. They're based on decades of
> field experience and objective studies published in the academic
> literature. There is almost universal agreement among the
> studies, too -- there are no published outliers that I'm aware of.

I meant your opinions about how Emacs should design its
security-related UI and treat its users.  They are definitely not
facts, because we are talking about something that doesn't yet exist,
so it couldn't be a subject of decades of studies.

> > but I don't agree that we should
> > design our defaults based on the assumption that we cannot expect
> > our users to make informed decisions.
> 
> And this sets you apart from people who have worked in the field for
> decades, and from people who have done objective studies in the field.

Studies on Emacs users?

> I strongly suspect, by the way, that I could easily get you to make a
> bad security decision in a test environment. I don't trust myself to
> evaluate the origin of certificates in real time -- it's just too
> difficult to read an x.509 cert's contents and verify everything you
> need to (including the hash algorithms used in the entire chain,
> figuring out if the CA is one I should be expecting for this
> particular host, etc.) That is in spite of the fact that I've been
> doing this professionally for a very long time. I suspect I could
> easily cook up certs that you wouldn't be able to figure out, and
> that you would make the wrong decision if prompted to look at them.

You are completely missing the point.  No one claimed we should expect
users to judge certificates.

> > > The other thing is, in spite of the constant claims, running with
> > > the level of security provided by Firefox or Chrome or Safari
> > > isn't the least bit inconvenient, so there's no obvious reason
> > > not to do at least _that_.  
> > 
> > One would think that those "constant claims" might just provide
> > such a reason.
> 
> The only one making this claim is _you_.

My "claims" are facts.  I see these issues every day, using mostly
Firefox and IE.  I'd be surprised if I were the only one, because
there's nothing special in my setups.

> > Besides, we don't really follow what those browsers do,
> 
> But we should. It's insane not to.

Please read Jimmy's comments on this, and respond to them if you want.