Re: A couple of questions and concerns about Emacs network security

[Jimmy Yuen Ho Wong]

On Mon, Jul 9, 2018 at 6:15 PM Eli Zaretskii <address@hidden> wrote:
>
> > From: Lars Ingebrigtsen <address@hidden>
> > Cc: Emacs-Devel devel <address@hidden>,  "Perry E. Metzger" 
> > <address@hidden>,  Eli Zaretskii <address@hidden>,  Paul Eggert 
> > <address@hidden>,  address@hidden
> > Date: Mon, 09 Jul 2018 15:43:43 +0200
> >
> > Jimmy Yuen Ho Wong <address@hidden> writes:
> >
> > > I thought about this, but there's no standard that bans TLS 1.1, nor
> > > TLS client implementations that disabled it by default. Besides, all
> > > the problems TLS 1.1 has is already checked by the other checks. This
> > > reason I'm checking for TLS 1.0 is somewhat arbitrary, as all the
> > > problems it has is already checked by other checks too. So maybe even
> > > checking for 1.0 is already too strict, but PCI DSS does ban it, so...
> >
> > For those who don't understand security acronym soup, the latter means
> > "Payment Card Industry Data Security Standard".
> >
> > And I don't think that's the level we should be considering for Emacs,
> > even at the "high" level, because it's pretty...  excessive.  Last time
> > I checked.
>
> So maybe for 'paranoid'?

Nooooooo...... enough with this 'paranoid business already :(

As I've replied to Robert and a few others already, the checks I have
done is already multi-layered. Under normal circumtances, warning for
TLS 1.0 should already takes care of checking of CBC mode
ciphers/encrypt-then-MAC (if the server was configured correctly when
TLS 1.0 was in vogue), but I check both regardless. The checks are
already plenty paranoid without being crying-wolf under a vast
majority normal usage.