Re: Network security manager
From: Ted Zlatanov
Subject: Re: Network security manager
Date: Tue, 18 Nov 2014 12:40:33 -0500
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On Tue, 18 Nov 2014 18:28:26 +0100 Lars Magne Ingebrigtsen <address@hidden>
wrote:

LMI> Ted Zlatanov <address@hidden> writes:
LMI> 1) Drop certificate checking for images in shr. I mean, do we care?
>>
>> I think we care.

LMI> What are the security implications of inserting an image from a source
LMI> we can't validate?

Malicious binary payloads in images are quite common. There are also
attacks/exploits/hacks that load Javascript from images. Regardless,
you'd be lowering the security level of the data exchange.

LMI> 99% of the images aren't over TLS, anyway, and aren't validated...

OK, but that's not relevant to the above :)

LMI> 2) If being run from the async context (how do we check for that?),
LMI> refuse to handle insecure TLS connections silently.
>>
>> Works for me, as long as the errors are reviewable in the NSM. I should
>> be able to go somewhere and hit a button "allow this cert from now on".

LMI> shr should really insert "broken image" markers into the buffers (and
LMI> "loading images"), and then the user could just hit RET on one of the
LMI> broken images and then get queried about the certificate
LMI> interactively...

OK with me, that's a good solution for this particular case. But there
will be others where you can't see the things that went wrong in the
background. I suggested a modeline indicator previously... it's better
than silent failure, right?

LMI> Which reminds me: We need a way to determine that Emacs is running
LMI> non-interactively as well as being run from an async context. What's
LMI> the way to do that?

I know in non-interactive mode the minibuffer reads from stdio, so
there's definitely some distinction for batch mode. But I don't know how
to distinguish it in ELisp or check the async mode, sorry.

Ted