[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A couple of questions and concerns about Emacs network security
From: |
Perry E. Metzger |
Subject: |
Re: A couple of questions and concerns about Emacs network security |
Date: |
Mon, 9 Jul 2018 20:06:40 -0400 |
On Mon, 9 Jul 2018 18:24:03 +0100 Jimmy Yuen Ho Wong
<address@hidden> wrote:
> On Mon, Jul 9, 2018 at 6:15 PM Eli Zaretskii <address@hidden> wrote:
> >
> > > From: Lars Ingebrigtsen <address@hidden>
> > > Cc: Emacs-Devel devel <address@hidden>, "Perry E.
> > > Metzger" <address@hidden>, Eli Zaretskii <address@hidden>,
> > > Paul Eggert <address@hidden>, address@hidden Date: Mon, 09
> > > Jul 2018 15:43:43 +0200
> > >
> > > Jimmy Yuen Ho Wong <address@hidden> writes:
> > >
> > > > I thought about this, but there's no standard that bans TLS
> > > > 1.1, nor TLS client implementations that disabled it by
> > > > default. Besides, all the problems TLS 1.1 has is already
> > > > checked by the other checks. This reason I'm checking for TLS
> > > > 1.0 is somewhat arbitrary, as all the problems it has is
> > > > already checked by other checks too. So maybe even checking
> > > > for 1.0 is already too strict, but PCI DSS does ban it,
> > > > so...
> > >
> > > For those who don't understand security acronym soup, the
> > > latter means "Payment Card Industry Data Security Standard".
> > >
> > > And I don't think that's the level we should be considering for
> > > Emacs, even at the "high" level, because it's pretty...
> > > excessive. Last time I checked.
> >
> > So maybe for 'paranoid'?
>
> Nooooooo...... enough with this 'paranoid business already :(
>
> As I've replied to Robert and a few others already, the checks I
> have done is already multi-layered. Under normal circumtances,
> warning for TLS 1.0 should already takes care of checking of CBC
> mode ciphers/encrypt-then-MAC (if the server was configured
> correctly when TLS 1.0 was in vogue), but I check both regardless.
> The checks are already plenty paranoid without being crying-wolf
> under a vast majority normal usage.
I strongly agree. PCI compliance is an industry base/minimum. It's
not paranoid. It's not even what I'd prefer -- it isn't nearly good
enough on TLS standards, but it's fine.
Perry
--
Perry E. Metzger address@hidden
- Re: A couple of questions and concerns about Emacs network security, (continued)
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Robert Pluim, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security, Lars Ingebrigtsen, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security, Eli Zaretskii, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security,
Perry E. Metzger <=
- Re: A couple of questions and concerns about Emacs network security, Perry E. Metzger, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security, Perry E. Metzger, 2018/07/09
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/06
- Re: A couple of questions and concerns about Emacs network security, Eli Zaretskii, 2018/07/06
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/06
- Re: A couple of questions and concerns about Emacs network security, Eli Zaretskii, 2018/07/07
- Re: A couple of questions and concerns about Emacs network security, Lars Ingebrigtsen, 2018/07/08
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/08
- Re: A couple of questions and concerns about Emacs network security, Lars Ingebrigtsen, 2018/07/08
- Re: A couple of questions and concerns about Emacs network security, Jimmy Yuen Ho Wong, 2018/07/08