emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Perry E. Metzger
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Sat, 7 Jul 2018 11:25:44 -0400

On Sat, 07 Jul 2018 17:17:24 +0300 Eli Zaretskii <address@hidden> wrote:
> > Date: Sat, 7 Jul 2018 09:46:22 -0400
> > From: "Perry E. Metzger" <address@hidden>
> > Cc: address@hidden, address@hidden, address@hidden,
> > address@hidden, address@hidden
> > 
> > On Sat, 07 Jul 2018 16:19:40 +0300 Eli Zaretskii <address@hidden>
> > wrote:  
> > > > Date: Sat, 7 Jul 2018 08:18:33 -0400
> > > > From: "Perry E. Metzger" <address@hidden>
> > > > Cc: Eli Zaretskii <address@hidden>, address@hidden,
> > > > address@hidden, address@hidden, address@hidden
> > > > 
> > > > There is ample evidence that people in such situations rarely
> > > > if ever understand what the right thing to do is.    
> > > 
> > > That doesn't necessarily mean we need to assume none of them
> > > will understand that, if the considerations are explained in
> > > clear terms that can be mapped to the user's environment.  
> > 
> > The difference between "none" and "under 5%" is so small as to be
> > unimportant.  
> 
> I don't know where you took that number.

Maybe you should learn about the topics you have such strong opinions
on before expressing the strong opinions. If you were actually in the
field or even reading the literature, you wouldn't need to ask such
things.

> > > And my personal experience definitely contradicts your
> > > "everyone" claim: e.g., my home network is set up with several
> > > non-default defenses, and so is my smartphone.  Why should we
> > > assume a significant part of Emacs users is in the "everyone"
> > > camp?  They did choose to use Emacs, didn't they?  
> > 
> > The difference between one person in a hundred and no one is so
> > small for purposes of deciding on default behavior as to be
> > unimportant.  
> 
> I don't think your estimation of the percentage is accurate, wrt
> Emacs users.  They are not the typical mass user of computers.

*I* cannot make such decisions safely, and *I* am one of the people
who created the protocols in question. I'm certain I can construct
certs that will fool *you*. There's no point in pretending
sufficiently educated humans can make such decisions when the
decisions are too complicated and must be made correctly _every
single time_ or you're done for. Humans cannot reliably make
complicated decisions with perfect safety thousands of times in a
row.

> > As for your own configuration, you're free to change the defaults
> > any way you like, so why are you arguing anyway?  
> 
> Because I think there are many others like me.

So the others like you can change the defaults any way you like. WHAT
IS THE PROBLEM.

> > > You are entitled to your opinions  
> > 
> > These are not opinions. They're facts. They're based on decades of
> > field experience and objective studies published in the academic
> > literature. There is almost universal agreement among the
> > studies, too -- there are no published outliers that I'm aware
> > of.  
> 
> I meant your opinions about how Emacs should design its
> security-related UI and treat its users.  They are definitely not
> facts,

So far, I hear a number of people saying "the reasonable thing is to
use the same default behavior that pretty much everything else uses",
and I hear Eli saying "no, no, I want to make things more complicated
because I claim that somehow there will be great inconvenience if
the software rejects obviously forged certificates or obviously
insecure cipher suites by default".

What exactly is the inconvenience you anticipate if an Emacs IMAP
user connecting to Google rejects a certificate that isn't vouched
for by the CT mechanism? Can you explain _precisely_ why you insist
that it is necessary to have different defaults than everyone else
uses?

> > > but I don't agree that we should
> > > design our defaults based on the assumption that we cannot
> > > expect our users to make informed decisions.  
> > 
> > And this sets you apart from people who have worked in the field
> > for decades, and from people who have done objective studies in
> > the field.  
> 
> Studies on Emacs users?

Emacs users are for the most part human beings, yes. They browse the
web and read email using the same sorts of brains that evolution gave
everyone else.

> > I strongly suspect, by the way, that I could easily get you to
> > make a bad security decision in a test environment. I don't trust
> > myself to evaluate the origin of certificates in real time --
> > it's just too difficult to read an X.509 cert's contents and
> > verify everything you need to (including the hash algorithms used
> > in the entire chain, figuring out if the CA is one I should be
> > expecting for this particular host, etc.) That is in spite of the
> > fact that I've been doing this professionally for a very long
> > time. I suspect I could easily cook up certs that you wouldn't be
> > able to figure out, and that you would make the wrong decision if
> > prompted to look at them.  
> 
> You are completely missing the point.  No one claimed we should
> expect users to judge certificates.

Then what the hell are you arguing for? What exactly is it about the
defaults that Firefox, Chrome, Safari, Edge and the rest use that you
don't like? If your answer is "I don't know, I haven't looked at
them", shouldn't you be just a trace ashamed of yourself for having a
strong opinion in the absence of any examination?

> > > > The other thing is, in spite of the constant claims, running
> > > > with the level of security provided by Firefox or Chrome or
> > > > Safari isn't the least bit inconvenient, so there's no
> > > > obvious reason not to do at least _that_.    
> > > 
> > > One would think that those "constant claims" might just provide
> > > such a reason.  
> > 
> > The only one making this claim is _you_.  
> 
> My "claims" are facts.

Your claim is not a fact.

> I see these issues every day, using mostly
> Firefox and IE.

Why are you using IE? And what exactly is failing for you? I haven't
hit a single problem connecting to anything which wasn't a legitimate
failure (that is, the browser actually protecting me when it should)
in many months, possibly longer. There are careful studies the
browser vendors make of such things, and failures are currently
pretty damn rare. And yes, that's a fact.

> Please read Jimmy's comments on this, and respond to them if you
> want.

Jimmy is entirely reasonable here. I'm not arguing with him because
he's not saying anything terribly wrong.

Perry
-- 
Perry E. Metzger                address@hidden


