emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Perry E. Metzger
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Thu, 5 Jul 2018 16:45:00 -0400

On Thu, 05 Jul 2018 21:55:04 +0300 Eli Zaretskii <address@hidden> wrote:
> > I'm dead serious in saying if you do not obey the standards for
> > how browsers are supposed to behave, you might quite literally
> > kill someone. People have died this way. Do you want me to start
> > posting names and incidents? You want descriptions of dissidents
> > having their genitals electrocuted and being locked upright in
> > freezing cold rooms, I'll happily start linking to Amnesty
> > International reports for you.
> > 
> > Many countries now use the internet as an instrument of control
> > and oppression. We should not be making their job easier.  
> 
> People die on the roads every day, but restricting free movement due
> to that somehow doesn't sound right to me.

No one's freedom is restricted by providing sane default security in
anything that can be used as a browser. You're not removing the
ability of users to reconfigure things any way they want. They can
turn off the security any time they want. However, by setting
sane defaults, you're making things work reasonably so that, for
example, thugs cannot intercept their email. (Emacs is, after all, a
mail reader for many of us, and we would prefer that random sets of
thugs with torture chambers _not_ be able to intercept our IMAP
connections by default by forging certificates.)

This is no more a "restriction" than configuring a vacuum cleaner so
that, by default, it does not electrocute its users who are just
trying to clean their floors, or, by default, not putting poison into
food. People are still free to add poison to their own food or to
modify their vacuums to electrocute them if they're complete morons.

Emacs even makes it easy to customize things. We're just giving
people reasonable defaults.

As I noted, RMS cares about this stuff enough that the front of every
single email he sends talks about state sponsored espionage on
citizens. Why would we not implement simple, sane things like setting
reasonable minimum keylengths for Diffie-Hellman to prevent known
downgrade attacks?

> > If people want to remove security on their own, that's their
> > business, but providing defaults that are not even as secure as
> > what Chrome or Firefox does is totally irresponsible.  
> 
> Emacs is not a Web browser,

It is if you use it to browse the web. TLS is also used for a variety
of other things -- email, file transfer, etc. -- that Emacs does
pretty regularly for people.

> > you honestly propose ignoring the need to protect users from
> > network based attacks?  
> 
> I said nothing of the kind.  I said that we need to have "the right
> amount" of security, that's all.  Dumping all the possible
> protection methods on users without careful analysis of what is
> more and less important is a bad starting point.

How the heck does obeying a site's explicit request for pinning or CT
"dump all the possible protection methods on users without careful
analysis"? If the site owners want to specify a particular key be
used, why is it up to us to not allow that? How does
requiring a minimum of 1024 bit keys, which is already way too low,
"dump all the possible protection methods on users without careful
analysis"? What careful analysis do you need to know that 256 bit DH
keys can be cracked even by amateurs? How does not allowing the use
of compromised cryptographic algorithms that are no longer accepted
for use by any browser or command line tool "dump all the possible
protection methods on users without careful analysis"?


Perry
-- 
Perry E. Metzger                address@hidden


