Re: A couple of questions and concerns about Emacs network security

[Lars Ingebrigtsen]

Paul Eggert <address@hidden> writes:

> On 06/22/2018 03:00 PM, Jimmy Yuen Ho Wong wrote:
>> 1. Can we update the default network security settings?
>
> Yes, I would think so, in the master branch. As you say, the current
> defaults are inappropriate for today's users.

They are?  In what way?

>> there's this thing call `nsm.el` seemingly doing redundant checks if
>> your TLS settings are reasonable, what's the history of it and why is
>> it not obsolete when `tls.el` and `starttls.el` are?
>
> Lars is the person to ask about that. I'll CC: him.

They are not redundant checks.  Emacs lets network actions happen, and
then passes the result to nsm.el, which is very similar to how all other
applications do this stuff (Firefox etc).

The Emacs Network Security Manager does the user interface job handling
various classes of (insecure) network access classes.  Are there places
where it fails to do its job?

You'd set `gnutls-verify-error' and friends only if you don't want to
query the user for how to handle TLS-related problems, but fail
immediately.  But that's not a good default for an interactive
application.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no