emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Eli Zaretskii
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 25 Jun 2018 20:06:52 +0300

> From: Lars Ingebrigtsen <address@hidden>
> Cc: address@hidden,  address@hidden,  address@hidden,  address@hidden
> Date: Mon, 25 Jun 2018 18:55:22 +0200
> 
> >  . Do I understand correctly that most of the changes, including those
> >    in gnutls.c, are so that intermediary certificates could be
> >    verified?  If so, would it make sense to omit that for emacs-26,
> >    and only beef up the medium level of security in NSM with the rest
> >    of the checks?
> 
> Yes, that is definitely a possibility.  The nsm.el changes should be
> safe to backport (after they've been in master for a couple of weeks so
> that people can test them), while the gnutls.c change might be more
> dangerous.
> 
> However, the thing that's protecting against (a SHA1 intermediate
> certificate (oops, I see I've called it "intermediary" in the code and
> doc; I'll fix that now)) is, I seem to remember, now being considered a
> realistic attack (i.e., you can generate valid-looking fake certificates
> based on one).

If this is deemed a very serious vulnerability (I'm not an expert on
these matters), then I guess we will have to wait longer before we
backport the changes to emacs-26.

Thanks.


