From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.io/gmane.emacs.gnus.general/67411 Path: news.gmane.org!not-for-mail From: arno@natisbad.org (Arnaud Ebalard) Newsgroups: gmane.emacs.gnus.general Subject: Re: Bug#499774: starttls is a joke Date: Mon, 22 Sep 2008 11:49:09 +0200 Message-ID: <87iqso4iju.fsf@natisbad.org> References: <871vzca7gp.fsf@natisbad.org> <87y71kpmq7.fsf@bubble.risko.hu> NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1222094975 15514 80.91.229.12 (22 Sep 2008 14:49:35 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 22 Sep 2008 14:49:35 +0000 (UTC) To: ding@gnus.org Original-X-From: ding-owner+M15861@lists.math.uh.edu Mon Sep 22 16:50:31 2008 Return-path: Envelope-to: ding-account@gmane.org Original-Received: from util0.math.uh.edu ([129.7.128.18]) by lo.gmane.org with esmtp (Exim 4.50) id 1Khmju-0003MA-Lz for ding-account@gmane.org; Mon, 22 Sep 2008 16:50:15 +0200 Original-Received: from localhost ([127.0.0.1] helo=lists.math.uh.edu) by util0.math.uh.edu with smtp (Exim 4.63) (envelope-from ) id 1Khmi6-0003Ea-MS; Mon, 22 Sep 2008 09:48:22 -0500 Original-Received: from mx1.math.uh.edu ([129.7.128.32]) by util0.math.uh.edu with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1Khi8K-0001ns-Fq for ding@lists.math.uh.edu; Mon, 22 Sep 2008 04:55:08 -0500 Original-Received: from quimby.gnus.org ([80.91.231.51]) by mx1.math.uh.edu with esmtp (Exim 4.69) (envelope-from ) id 1Khi8H-0005a4-9g for ding@lists.math.uh.edu; Mon, 22 Sep 2008 04:55:08 -0500 Original-Received: from main.gmane.org ([80.91.229.2] helo=ciao.gmane.org) by quimby.gnus.org with esmtp (Exim 3.36 #1 (Debian)) id 1Khi8K-0005TR-00 for ; Mon, 22 Sep 2008 11:55:08 +0200 Original-Received: from root by ciao.gmane.org with local (Exim 4.43) id 1Khi8E-0002lE-HK for ding@gnus.org; Mon, 22 Sep 2008 09:55:02 +0000 Original-Received: from cct.net8.nerim.net ([213.41.184.223]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 22 Sep 2008 09:55:02 +0000 Original-Received: from arno by cct.net8.nerim.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Mon, 22 Sep 2008 09:55:02 +0000 X-Injected-Via-Gmane: http://gmane.org/ Original-Lines: 76 Original-X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: cct.net8.nerim.net User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux) X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc X-Fingerprint: 47EB 85FE B99A AB85 FD09 46F3 0255 957C 047A 5026 Cancel-Lock: sha1:3WvuPDgSOpu8ODdoIX2FpRFyXOw= X-Spam-Score: -3.6 (---) List-ID: Precedence: bulk Xref: news.gmane.org gmane.emacs.gnus.general:67411 Archived-At: Hi, RISKO Gergely writes: > Sorry, I haven't noticed that you have cc'd mailing lists. Please > find below my first response to Arnaud. At least, thanks for the quick reply. > You surely knows about the gnus usage of this, since you CC'd the > mailing list, sorry. yes. > So my option is that a disclaimer should be placed, but SSL with > SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all. No, it is not. It is worse. It provides a feeling of security to the people that use it. It is like driving with deactivated airbags. > And the joke is SSL's security model - where you are considered secure > if you pay $500/year -, not starttls. 1) I use my own PKI for some of my services, which costs me nothing. 2) As a client, you do not pay for the server certificates (cf gmail) and trust anchors. 3) It is a lame excuse. > -=- my original response here: -=- > > severity 499774 wishlist > thanks > > Dear Arno, > > Thanks for your suggestions and reasoning. Probably you haven't > noticed that starttls is mainly an integration utility for mainly > GNU/Emacs. And yeah, it is also good for testing StartTLS based > services as a system administrator. > > I'm against the removal, since it will break imaps/pop3s connections > from emacs based muas (I'm at least sure in gnus, I use it hourly). Then, someone should correct the code to support passing trust anchors, allow passing the verify value, and document capabilities and limitations. > And I'm also against the removal, because this is a very good tool for > testing. I will also send a copy of this reply to security@debian.org. > You are right, it's package description should be changed and a > disclaimer should be placed. Probably an 'are you sure?' question > shouldn't be implemented (or if implemented, it shouldn't be the > default), because it would block integrations like with emacs. > > As this is a documentation or a new feature request issue, I > changed severity to wishlist. It is not a "wishlist" feature, it is a security issue. > Thanks again for your contribution to Debian, if you write the > disclaimer in a few world that should be appended to the package > description in your opinion, it would be a big help. "This software does not have any authentication capabilities: it does not allow you to authenticate your peer, which is a basic requirement for TLS/SSL to be used securely. You should only use it for testing purposes and not relaying important information. Be aware that you are vulnerable to MITM when using it" Cheers, a+