From: hiro <23hiro@gmail.com>
Date: Mon, 20 Jul 2020 16:20:15 +0200
Subject: Re: [9front] patch smtp: ignore unrecognized certificates
To: 9front@9front.org
In-Reply-To: <12797BEC64C15CAB8201AA7801E6B319@eigenstate.org>
References: <12797BEC64C15CAB8201AA7801E6B319@eigenstate.org>
List-ID: <9front.9front.org>

isn't the issue that the cert keeps on randomly changing on the server side, thus making this "security" completely unachievable?

I maintain a similar patch for dillo so that I can visit https-only websites that aren't worth protecting with SSL anyway.

whoever manually adds the certificates sometimes (Ori, do you?), do you really check their validity?

once CAs are involved there are a lot of problems, and I doubt 9front is in the position to change anything about that. that's why we have dp9ik at least for our protocols and services :)

On 7/20/20, ori@eigenstate.org wrote:
>> this patch adds a new flag -c to upas/smtp command ( smtp(8) ). This flag
>> removes the need to manually add thumbprints for tls certificates to
>> /sys/lib/tls/smtp, ignoring unrecognized certificates.
>
> I think this is a bad idea -- I'd prefer to make it more obvious how
> to add the certificate in the first place. Possibly a upas/configmail
> command that prompts for the server/login/..., and then gets the
> thumbnail.
>
> Ignoring the thumbprint entirely opens you up to MITM attacks.
>
>
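The thread above turns on two points: what a thumbprint check in /sys/lib/tls/smtp actually buys (ori's MITM concern) and why pinning the leaf certificate breaks when the server rotates its cert (hiro's complaint). The following is an added example, not code from the patch or from 9front's upas/smtp; it models the check in Python. The thumbprint file format (lines of `x509 sha256=<hex>` or `x509 sha1=<hex>`, `#` comments) is assumed from thumbprint(6), and the "certificates" are constructed byte strings standing in for DER-encoded leaf certificates.

```python
import hashlib

# Constructed stand-ins for DER-encoded server certificates. In a real
# client these are the bytes of the leaf certificate presented in the
# TLS handshake; the thumbprint is a hash over exactly those bytes.
SERVER_CERT_A = b"CONSTRUCTED-DER-smtp.example.org-key-A"
SERVER_CERT_B = b"CONSTRUCTED-DER-smtp.example.org-key-B"  # same server after a cert rotation
MITM_CERT = b"CONSTRUCTED-DER-interceptor"                 # cert an on-path interceptor would present


def thumbprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Hex digest of the raw certificate bytes, the value a thumbprint file pins."""
    return hashlib.new(algo, cert_der).hexdigest()


def parse_thumbfile(text: str) -> set:
    """Parse thumbprint-file lines into a set of (algorithm, hexdigest) pins.

    Format assumed from thumbprint(6): 'x509 sha256=<hex>' or 'x509 sha1=<hex>',
    with '#' starting a comment. Unknown record types and algorithms are skipped.
    """
    pins = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "x509":
            continue
        for field in fields[1:]:
            algo, _, hexdigest = field.partition("=")
            if algo in ("sha1", "sha256") and hexdigest:
                pins.add((algo, hexdigest.lower()))
    return pins


def cert_ok(cert_der: bytes, pins: set, ignore_unrecognized: bool = False) -> bool:
    """Accept the certificate only if one of its thumbprints is pinned.

    ignore_unrecognized models the proposed -c flag: the check is skipped
    entirely, so any certificate, including an interceptor's, is accepted.
    """
    if ignore_unrecognized:
        return True
    return any(thumbprint(cert_der, algo) == digest for algo, digest in pins)


# Constructed thumbprint file pinning only the server's current certificate.
THUMBFILE = "# pins for smtp.example.org (constructed)\n" \
            f"x509 sha256={thumbprint(SERVER_CERT_A)}\n"


def demo() -> dict:
    """Run the four cases the thread discusses and return the verdicts."""
    pins = parse_thumbfile(THUMBFILE)
    return {
        "pinned_cert": cert_ok(SERVER_CERT_A, pins),            # legitimate, pinned cert
        "rotated_cert": cert_ok(SERVER_CERT_B, pins),           # same server, rotated cert: pin breaks
        "mitm_pinned": cert_ok(MITM_CERT, pins),                # interceptor rejected by the pin
        "mitm_ignored": cert_ok(MITM_CERT, pins, ignore_unrecognized=True),  # -c: accepted
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'accept' if verdict else 'reject'}")
```

Running `demo()` gives accept for the pinned cert, reject for the rotated cert and for the interceptor's cert under the pin, and accept for the interceptor's cert once the check is ignored. The middle two verdicts are the two sides of the thread: the rotated cert is rejected for the same reason the interceptor's is, because a leaf-certificate pin cannot tell a legitimate rotation from a substitution, which is why the fix has to be a more convenient way to refresh the pin rather than skipping the check.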