emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Perry E. Metzger
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 11:29:20 -0400

On Thu, 05 Jul 2018 16:49:30 +0300 Eli Zaretskii <address@hidden> wrote:
> > Date: Thu, 5 Jul 2018 09:33:46 -0400
> > From: "Perry E. Metzger" <address@hidden>
> > Cc: Paul Eggert <address@hidden>, Jimmy Yuen Ho Wong
> > <address@hidden>, address@hidden
> > 
> > Pinning is what is done by sites like gmail to prevent third world
> > dictatorships from using stolen certificate credentials to spy on
> > their citizens. People who have been victims of this have had
> > their email read, been arrested by state security forces for
> > dissent, and have been tortured to death for lack of certificate
> > pinning working in their browsers.
> > 
> > This is a matter of life and death for many people.
> >   
> > > do this via ELPA, I think.  Whether it's worth doing is another
> > > issue; I think the jury is still out on that one...  
> > 
> > Do you think it's worth keeping people from quite literally being
> > tortured to death?
> > 
> > For most of the secure HTTP stuff we've been discussing, I would
> > far rather be inconvenienced here and there than know my slight
> > extra convenience was being paid for in human blood.  
> 
> It isn't the Emacs way to second-guess our users' needs, 

Most users do not know or understand anything about setting
security, so defaults have to do the right thing.

> definitely
> not to decide for them what is and what isn't a matter of life and
> death for them.

Most users depend on software vendors to set the correct amount of
security. They have no understanding of the protocols in use and it
is unreasonable to ask them to make such decisions by default.

I'm dead serious in saying if you do not obey the standards for how
browsers are supposed to behave, you might quite literally kill
someone. People have died this way. Do you want me to start posting
names and incidents? You want descriptions of dissidents having their
genitals electrocuted and being locked upright in freezing cold
rooms, I'll happily start linking to Amnesty International reports
for you.

Many countries now use the internet as an instrument of control and
oppression. We should not be making their job easier.

If people want to remove security on their own, that's their business,
but providing defaults that are not even as secure as what Chrome or
Firefox does is totally irresponsible.

> We provide options with some reasonable defaults,
> and then let users make informed decisions which defaults are not
> good enough for them.
> 
> It is IMO unreasonable to make our defaults match what happens in
> dictatorships that you describe,

You do not understand the issue and are thus incompetent to make a
decision on this.

Certificate pinning has nothing to do with defaults that are set
only for such countries. It is a general mechanism deployed in any
browser you can download today, and was created to prevent people
using browsers who cannot trust their network -- which is to say, all
users -- from having untrustworthy certificates substituted in by
malign actors who intend to man-in-the-middle attack TLS connections.

Various web sites, like gmail, have deliberately requested pinning of
certs used with their sites to prevent this from happening, and it
is not our place to second-guess their security policies.

Do you really want me to describe some of the things that have
happened to people who have had their communications intercepted
because software developers were irresponsible? You can find pretty
graphic descriptions online.

> because that would unnecessarily
> inconvenience the majority of the users.

Certificate pinning is used by Chrome, Firefox, Safari and all other
browsers. Do you think they inconvenience their users? Have you ever
even gotten a single false error from this? No you haven't. I assure
you that the people setting the standards for such things spend a lot
of time making sure that it is invisible to their users.

If a site demands pinning, you should accept that they have made this
decision for good reasons.

> Let's not follow the bad
> example of the TSA (whose rationale is, unsurprisingly, also matters
> of life and death).

Your metaphor is completely inaccurate. The TSA misses something over
95% of weapons in adversarial tests for example.

Security professionals have set standards in bodies like the IETF for
how browsers should behave by default. If you want to allow
consenting adults to turn off such defenses that's one thing, but the
default should be to provide security to the users.

Richard has a blurb in every one of his emails because state security
actors are of that much concern to him, and you honestly propose
ignoring the need to protect users from network based attacks?

Perry
-- 
Perry E. Metzger                address@hidden
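Added illustration, not part of the thread above: the mechanism Perry describes (a pinned site's connection is rejected when the chain uses a key the site never pinned, even if some trusted CA signed it) reduced to its core check. The code below is an editorial example, not Emacs code and not the nsm.el implementation; the SPKI byte strings, the host names and the pin store are constructed placeholders, and the pin format (base64 of SHA-256 over the SubjectPublicKeyInfo) follows RFC 7469 public-key pinning.

```python
from __future__ import annotations

import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real pin
# hashes the actual SPKI bytes of a certificate; these placeholders only need
# to be distinct from each other for the check to be demonstrated.
SERVER_SPKI = b"constructed SPKI: key the site actually serves"
BACKUP_SPKI = b"constructed SPKI: offline backup key, not in any served chain"
INTERMEDIATE_SPKI = b"constructed SPKI: the site's real intermediate CA"
SUBSTITUTED_SPKI = b"constructed SPKI: cert substituted by an on-path attacker"
OTHER_CA_SPKI = b"constructed SPKI: a different trusted CA that signed it"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64 of the SHA-256 digest of the SPKI bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_set_is_well_formed(pins: set[str], served_chain: list[bytes]) -> bool:
    """RFC 7469 requires at least one backup pin that matches no served cert,
    so that a planned key rotation cannot lock a site's own users out.
    A well-formed set therefore matches the served chain AND has a spare."""
    chain_pins = {spki_pin(s) for s in served_chain}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


def chain_matches_pins(pins: set[str], chain: list[bytes]) -> bool:
    """The chain passes if ANY certificate in it hashes to a pinned value
    (leaf, intermediate or root), which is why pinning is invisible to
    users of a correctly configured site."""
    return any(spki_pin(s) in pins for s in chain)


def check_connection(host: str, chain: list[bytes],
                     pin_store: dict[str, set[str]]) -> str:
    """What a pinning-aware client does AFTER ordinary CA chain validation
    has already succeeded. Returns one of:
      'no-pins'      -> host was never pinned, nothing further to check
      'pin-ok'       -> a pinned key is in the chain, proceed silently
      'pin-mismatch' -> CA-valid chain with an unpinned key: treat as MITM
    """
    pins = pin_store.get(host)
    if not pins:
        return "no-pins"
    return "pin-ok" if chain_matches_pins(pins, chain) else "pin-mismatch"


def example_store() -> dict[str, set[str]]:
    """Constructed pin store: one pinned host (mail.example is a placeholder
    name, RFC 2606 reserved TLD) carrying a live pin and a backup pin."""
    return {"mail.example": {spki_pin(SERVER_SPKI), spki_pin(BACKUP_SPKI)}}


if __name__ == "__main__":
    store = example_store()
    genuine = [SERVER_SPKI, INTERMEDIATE_SPKI]
    forged = [SUBSTITUTED_SPKI, OTHER_CA_SPKI]   # would pass plain CA checks
    print("genuine chain :", check_connection("mail.example", genuine, store))
    print("forged chain  :", check_connection("mail.example", forged, store))
    print("unpinned host :", check_connection("other.example", forged, store))
    print("store has backup pin:",
          pin_set_is_well_formed(store["mail.example"], genuine))
```

The point the example makes concrete: the forged chain reaches the pin check only because some trusted CA signed it, so CA validation alone says "fine"; the pin check is the step that turns a silently substituted certificate into a hard failure, while the site's genuine chain (and every host with no pins) passes with no user-visible prompt.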
