From: arno@natisbad.org (Arnaud Ebalard)
To: Matthias Andree <matthias.andree@gmx.de>
Cc: Daiki Ueno <ueno@unixuser.org>,
Simon Josefsson <simon@josefsson.org>,
499774@bugs.debian.org, RISKO Gergely <risko@debian.org>,
ding@gnus.org
Subject: Re: Bug#499774: starttls is a joke
Date: Wed, 08 Oct 2008 07:54:53 +0200 [thread overview]
Message-ID: <878wszskb6.fsf@natisbad.org> (raw)
In-Reply-To: <m3zllgrvd6.fsf@merlin.emma.line.org> (Matthias Andree's message of "Tue, 07 Oct 2008 22:41:25 +0200")
Hi,
Matthias Andree <matthias.andree@gmx.de> writes:
> Reiner Steib <reinersteib+gmane@imap.cc> writes:
>
>>> Then, someone should correct the code to support passing trust anchors,
>>> allow passing the verify value, and document capabilities and
>>> limitations.
>>
>> Gnus currently uses starttls if starttls and gnutls-cli are available
>> for backward compatibility.
>>
>> Would it make sense to prefer gnutls-cli and warn when using starttls
>> (if gnutls-cli is not installed)?
>
> It would make sense to fix the tools first, and stop using them in
> unsafe ways.
>
> I recently found on Cygwin, when setting up Emacs+Gnus, that gnutls-cli
> (2.4.2 IIRC) has some subtle "accept b0rked cert chain" behaviour: it
> would happily accept any garbage^Wuntrusted certificate chain without
> notice -- when I'm not using "--x509cafile FOO" on the command line.
> This isn't documented anywhere (manual, manpage, --help), I found this
> out through systematic testing.
>
> I find this most disturbing, since if I don't provide a set of trusted
> X.509 CA certs, I trust nobody (rather than everybody as gnutls-cli
> does)... gnutls-cli should bail out if it has no trusted root
> certificates, rather than silently trust everyone. Go figure - there's a
> difference between giving "--x509cafile /dev/null" and not giving this
> option at all. :-(
Maybe I missed the point in Simon's response below because if you are
correct (I just don't have gnutls-cli on my laptop to test) that
deserves a bug report (and a clarification from Simon):
http://article.gmane.org/gmane.linux.debian.devel.bugs.general/493201
> While I'm at it, from the end user's perspective, I find it very hard to
> figure what options I need for a proper configuration that doesn't use
> b0rked protocols such as SSLv2, that uses proper X.509 certificate
> validation to detect MITM attacks. Few applications except Firefox 3 get
> that right, and I couldn't tell one off-hand.
>
> I think that EVERY tool that has a remotely security-related context
> should default to bulletproof mode and require that the user relaxes
> every test explicitly.
>
> Yes, I need to do homework here, fetchmail doesn't get this right
> either... compatibility and all that.
>
> So I'd say make Gnus default to gnutls-cli and change the sample
> configuration to include --x509cafile and add instructions to the
> defcustom blah self-documentation telling the user to cat(1) his trusted
> ROOT certificates (in PEM format) together to form this file.
+1 (a big one).
Cheers,
a+
next prev parent reply other threads:[~2008-10-08 5:54 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-22 8:52 Arnaud Ebalard
2008-09-22 9:13 ` RISKO Gergely
2008-09-22 9:49 ` Arnaud Ebalard
2008-09-22 10:43 ` Arnaud Ebalard
2008-09-22 16:15 ` Reiner Steib
2008-09-22 16:38 ` Simon Josefsson
2008-09-22 17:48 ` Arnaud Ebalard
2008-10-02 10:04 ` Simon Josefsson
2008-10-07 20:43 ` Matthias Andree
2008-10-07 22:41 ` Simon Josefsson
2008-10-08 10:45 ` Matthias Andree
2008-10-08 11:55 ` Arnaud Ebalard
2008-10-07 20:41 ` Matthias Andree
2008-10-08 5:54 ` Arnaud Ebalard [this message]
2008-09-23 17:18 ` Riskó Gergely
2008-09-23 14:43 ` Uwe Brauer
2008-09-24 3:39 ` Sebastian Krause
2008-09-26 13:19 ` Uwe Brauer
2008-09-26 13:25 ` Sebastian Krause
2008-09-26 21:16 ` Uwe Brauer
2008-09-26 23:27 ` Sebastian Krause
2008-09-26 15:09 ` Magnus Henoch
2008-09-26 21:14 ` Uwe Brauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878wszskb6.fsf@natisbad.org \
--to=arno@natisbad.org \
--cc=499774@bugs.debian.org \
--cc=ding@gnus.org \
--cc=matthias.andree@gmx.de \
--cc=risko@debian.org \
--cc=simon@josefsson.org \
--cc=ueno@unixuser.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).