bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities

From: Jens Lechtenboerger
Subject: bug#16978: 24.3; SSL/TLS with multiple man-in-the-middle vulnerabilities
Date: Tue, 18 Mar 2014 22:04:08 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3.50 (gnu/linux) 
On 2014-03-17, Ted Zlatanov wrote:

> On Mon, 10 Mar 2014 07:52:43 +0100 Jens Lechtenboerger
> <jens.lechtenboerger@fsfe.org> wrote:
>
> JL> gnutls-cli --tofu opens a TLS connection and asks whether the
> JL> certificate can be trusted.
> JL> [...]
> JL> to prevent the process from hanging while waiting for the
> JL> user's reply, option --strict-tofu (introduced in GnuTLS
> JL> 3.2.12) can be used.
>
> That's wonderful, but please realize this doesn't work for Emacs because
> often, interactive prompting would not be available.  The consensus so
> far has been to abort the connection and tell the user how to allow a
> host specifically.

Hi Ted,

are you outlining plans for the future?  According to what I
observed so far, I’m either vulnerable to MITM attacks or I cannot
use servers with self-signed certificates.

I see three partially contradictory requirements here:
1. No interactive prompting.
2. Allow self-signed certificates.
3. Protect against MITM attacks (at least those involving
   self-signed forged certs; better yet, also with “trusted” forged
   certs).

Among those three, at most two can be guaranteed simultaneously.

>From http://debbugs.gnu.org/13374 I got the impression that (2) is a
must.  (I rely on self-signed certs as well.)  In addition, in my
view (3) is a must.  Others may disagree and choose the convenience of
(1) over the security of (3).  If Emacs defaults to (1) over (3)
based on a deliberate decision, that decision needs to be documented
prominently.

Coming back to your comment, I believe that --strict-tofu satisfies
precisely what you describe: It aborts the connection, and you can
add the new certificate with --tofu.

> Can you suggest a cleaner way, perhaps using TOFU
> with some C automation?

I’m not really sure what you are looking for.

> (`gnutls-cli' should not be assumed to be available)

Sadly, that’s true.  But it could (a) be recommended and (b) be used
if it is available (and (c) be used in a safer way).

> I appreciate all your review.  It's too late to make these changes for
> 24.4, but I think if you can review the state of things in 24.4, maybe
> we could discuss an expedited 24.5 release with security fixes (that
> would be up to the Emacs maintainers, of course).

I’ll certainly work with 24.4.  Just let me know what kind of input
you need then.

Best wishes
Jens
reply via email to
[Prev in Thread] Current Thread [Next in Thread]