emacs-devel

Re: A couple of questions and concerns about Emacs network security


From: Perry E. Metzger
Subject: Re: A couple of questions and concerns about Emacs network security
Date: Mon, 9 Jul 2018 20:06:40 -0400

On Mon, 9 Jul 2018 18:24:03 +0100 Jimmy Yuen Ho Wong
<address@hidden> wrote:
> On Mon, Jul 9, 2018 at 6:15 PM Eli Zaretskii <address@hidden> wrote:
> >  
> > > From: Lars Ingebrigtsen <address@hidden>
> > > Cc: Emacs-Devel devel <address@hidden>, "Perry E. Metzger" <address@hidden>, Eli Zaretskii <address@hidden>, Paul Eggert <address@hidden>, address@hidden
> > > Date: Mon, 09 Jul 2018 15:43:43 +0200
> > >
> > > Jimmy Yuen Ho Wong <address@hidden> writes:
> > >  
> > > > I thought about this, but there's no standard that bans TLS
> > > > 1.1, nor TLS client implementations that disable it by
> > > > default. Besides, all the problems TLS 1.1 has are already
> > > > checked by the other checks. The reason I'm checking for TLS
> > > > 1.0 is somewhat arbitrary, as all the problems it has are
> > > > already checked by other checks too. So maybe even checking
> > > > for 1.0 is already too strict, but PCI DSS does ban it,
> > > > so...
> > >
> > > For those who don't understand security acronym soup, the
> > > latter means "Payment Card Industry Data Security Standard".
> > >
> > > And I don't think that's the level we should be considering for
> > > Emacs, even at the "high" level, because it's pretty...
> > > excessive.  Last time I checked.  
> >
> > So maybe for 'paranoid'?  
> 
> Nooooooo...... enough with this 'paranoid' business already :(
> 
> As I've replied to Robert and a few others already, the checks I
> have done are already multi-layered. Under normal circumstances,
> warning for TLS 1.0 should already take care of checking for CBC
> mode ciphers/encrypt-then-MAC (if the server was configured
> correctly when TLS 1.0 was in vogue), but I check both regardless.
> The checks are already plenty paranoid without crying wolf
> under the vast majority of normal usage.

I strongly agree. PCI compliance is an industry base/minimum. It's
not paranoid. It's not even what I'd prefer -- it isn't nearly good
enough on TLS standards, but it's fine.

Perry
-- 
Perry E. Metzger                address@hidden
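An added illustration of the layered check Jimmy describes above (warn on TLS 1.0, and separately warn on CBC-mode suites negotiated without encrypt-then-MAC, each layer evaluated regardless of the others). This is example code written for this page, not Emacs's nsm.el; the `TlsParams` fields, the `MIN_ACCEPTABLE` threshold and the sample suite names are assumptions.

```python
from dataclasses import dataclass

# Assumed threshold: anything below TLS 1.2 draws a protocol warning.
MIN_ACCEPTABLE = (1, 2)


def parse_version(name: str) -> tuple:
    """Map a negotiated protocol string such as 'TLSv1.0' or 'TLSv1.2'
    to a (major, minor) tuple. A bare 'TLSv1' means TLS 1.0."""
    if not name.startswith("TLSv"):
        raise ValueError(f"not a TLS protocol name: {name!r}")
    body = name[len("TLSv"):]
    major, _, minor = body.partition(".")
    return (int(major), int(minor) if minor else 0)


@dataclass
class TlsParams:
    """Negotiated parameters of one connection (constructed for the example)."""
    version: tuple          # e.g. (1, 0) for TLS 1.0
    cipher: str             # IANA-style suite name, e.g. TLS_RSA_WITH_AES_128_CBC_SHA
    encrypt_then_mac: bool  # whether the RFC 7366 extension was negotiated


def tls_warnings(p: TlsParams) -> list:
    """Return every warning that applies. The layers are independent:
    a CBC suite is flagged even on a connection that already drew a
    protocol-version warning, and vice versa."""
    warnings = []
    if p.version < MIN_ACCEPTABLE:
        warnings.append(f"protocol TLS {p.version[0]}.{p.version[1]} is below TLS 1.2")
    # CBC suites carry "_CBC_" in their IANA name; AEAD suites (GCM, CCM,
    # CHACHA20_POLY1305) do not and need no encrypt-then-MAC protection.
    if "_CBC_" in p.cipher and not p.encrypt_then_mac:
        warnings.append("CBC-mode cipher without encrypt-then-MAC")
    return warnings


if __name__ == "__main__":
    # Constructed sample: an old server that negotiated TLS 1.0 with a CBC suite.
    legacy = TlsParams(parse_version("TLSv1.0"), "TLS_RSA_WITH_AES_128_CBC_SHA", False)
    for w in tls_warnings(legacy):
        print("warning:", w)
```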