Re: Getting SSL test A+ grade on elpa.gnu.org

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Getting SSL test A+ grade on elpa.gnu.org

From:	Vasilij Schneidermann
Subject:	Re: Getting SSL test A+ grade on elpa.gnu.org
Date:	Wed, 25 Nov 2020 18:38:12 +0100

> It could have a bad effect on security and privacy for emacs users. Would
> you apply only TLS 1.3 on elpa.gnu.org?

ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
successfully establish a connection to GNU ELPA?

Another thing to watch out for is the cipher suites. To reach a good
rating several of them need to be disabled and extensive testing is
required to ensure that we don't exclude users from fetching packages
for no apparent reason.

Something else I'm curious about, what exactly blocks us from forcing a
HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
widely used Emacs version or are there others?

Vasilij

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

Getting SSL test A+ grade on elpa.gnu.org, 김민우, 2020/11/25
- Re: Getting SSL test A+ grade on elpa.gnu.org, Robert Pluim, 2020/11/25
  - Re: Getting SSL test A+ grade on elpa.gnu.org, 김민우, 2020/11/26
- Re: Getting SSL test A+ grade on elpa.gnu.org, Vasilij Schneidermann <=
  - Re: Getting SSL test A+ grade on elpa.gnu.org, Robert Pluim, 2020/11/25
    - Re: Getting SSL test A+ grade on elpa.gnu.org, Vasilij Schneidermann, 2020/11/25
    - Re: Getting SSL test A+ grade on elpa.gnu.org, Stefan Monnier, 2020/11/25

Prev by Date: Re: emacs for pure Gtk3
Next by Date: Re: Getting SSL test A+ grade on elpa.gnu.org
Previous by thread: Re: Getting SSL test A+ grade on elpa.gnu.org
Next by thread: Re: Getting SSL test A+ grade on elpa.gnu.org
Index(es):
- Date
- Thread