From: Simon Josefsson
Newsgroups: gmane.linux.debian.devel.bugs.general, gmane.emacs.gnus.general
Subject: Bug#499774: starttls is a joke
Date: Mon, 22 Sep 2008 18:38:44 +0200
Message-ID: <87fxnsjfu3.fsf@mocca.josefsson.org>
References: <871vzca7gp.fsf@natisbad.org> <87y71kpmq7.fsf@bubble.risko.hu> <87od2g31hf.fsf@natisbad.org> <87tzc8upgf.fsf@marauder.physik.uni-ulm.de>
In-Reply-To: <87tzc8upgf.fsf@marauder.physik.uni-ulm.de> (Reiner Steib's message of "Mon, 22 Sep 2008 18:15:28 +0200")
To: Arnaud Ebalard
Cc: Daiki Ueno, 499774@bugs.debian.org, RISKO Gergely, ding@gnus.org
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
Reiner Steib writes:

> Would it make sense to prefer gnutls-cli and warn when using starttls
> (if gnutls-cli is not installed)?

Possibly, yes. Note that emacs22 (the version in debian testing) supports
both starttls and gnutls-cli, so the comment made earlier that removing
the starttls package will break imaps/pop3s connections from emacs-based
MUAs is false.

>> "This software does not have any authentication capabilities: it does
>> not allow you to authenticate your peer, which is a basic requirement
>> for TLS/SSL to be used securely. You should only use it for testing
>> purposes and not relaying important information. Be aware that you are
>> vulnerable to MITM when using it"

That seems correct to me. Note that even if you use gnutls-cli, you
need to configure it to use appropriate trust anchors to get full
security. If you don't, I believe gnutls-cli is still superior to
starttls though, since gnutls-cli verifies that the server hostname
matches the hostname in the certificate.

/Simon
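An added illustration, not part of this bug report and not code from the starttls package or gnutls-cli: a Python TLS client setup showing the two things the message names as needed for full security, trust anchors and a check that the server hostname matches a name in the certificate, next to the encrypt-only setting that a helper with "no authentication capabilities" amounts to. The host names and the CA file argument are assumptions.

```python
"""Peer authentication for a STARTTLS client: trust anchors plus a hostname check.
Added example; not code from the starttls package, gnutls-cli or this bug report."""
import ssl


def authenticating_context(cafile=None):
    """Encrypt AND authenticate: the server must present a chain to a loaded
    trust anchor and its certificate must name the host we dialed.
    cafile=None uses the interpreter's default anchors (assumed to be sane)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # the defaults, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def encrypt_only_context():
    """What 'no authentication capabilities' amounts to: the session is
    encrypted, but any certificate is accepted, so an active attacker in the
    path is not noticed. Shown only as the setting to avoid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_peer(ctx):
    """True only when both halves of peer authentication are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def hostname_matches(hostname, cert_dns_names):
    """The check gnutls-cli performs and starttls does not: does the dialed
    host match a DNS name in the certificate? RFC 6125 rules: case-insensitive
    exact match, or one '*' forming the whole left-most label under a domain of
    at least two more labels, covering exactly one label ('*.org' is rejected)."""
    host = hostname.rstrip(".").lower()
    for name in cert_dns_names:
        name = name.rstrip(".").lower()
        if "*" not in name:
            if host == name:
                return True
            continue
        labels = name.split(".")
        if labels[0] != "*" or "*" in name[1:] or len(labels) < 3:
            continue                     # partial, multiple or too-broad wildcard
        host_labels = host.split(".")
        if len(host_labels) == len(labels) and host_labels[1:] == labels[1:]:
            return True
    return False
```

Pass the result of authenticating_context() to ssl's wrap_socket with server_hostname set to the host you dialed; the name check then runs against the certificate the server actually presents.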