From: arno@natisbad.org (Arnaud Ebalard)
To: RISKO Gergely <risko@debian.org>
Cc: 499774@bugs.debian.org, submit@bugs.debian.org,
security@debian.org, ding@gnus.org, emacs-mime-en@m17n.org
Subject: Bug#499774: starttls is a joke
Date: Mon, 22 Sep 2008 12:43:08 +0200 [thread overview]
Message-ID: <87od2g31hf.fsf@natisbad.org> (raw)
In-Reply-To: <87y71kpmq7.fsf@bubble.risko.hu> (RISKO Gergely's message of "Mon, 22 Sep 2008 11:13:20 +0200")
Hi, [resending, forgot some CC]
RISKO Gergely <risko@debian.org> writes:
> Sorry, I haven't noticed that you have cc'd mailing lists. Please
> find below my first response to Arnaud.
At least, thanks for the quick reply.
> You surely knows about the gnus usage of this, since you CC'd the
> mailing list, sorry.
yes.
> So my option is that a disclaimer should be placed, but SSL with
> SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.
No, it is not. It is worse. It provides a feeling of security to the
people that use it. It is like driving with deactivated airbags.
> And the joke is SSL's security model - where you are considered secure
> if you pay $500/year -, not starttls.
1) I use my own PKI for some of my services, which costs me nothing.
2) As a client, you do not pay for the server certificates (cf gmail)
and trust anchors.
3) It is a lame excuse.
> -=- my original response here: -=-
>
> severity 499774 wishlist
> thanks
>
> Dear Arno,
>
> Thanks for your suggestions and reasoning. Probably you haven't
> noticed that starttls is mainly an integration utility for mainly
> GNU/Emacs. And yeah, it is also good for testing StartTLS based
> services as a system administrator.
>
> I'm against the removal, since it will break imaps/pop3s connections
> from emacs based muas (I'm at least sure in gnus, I use it hourly).
Then, someone should correct the code to support passing trust anchors,
allow passing the verify value, and document capabilities and
limitations.
> And I'm also against the removal, because this is a very good tool for
> testing.
I will also send a copy of this reply to security@debian.org.
> You are right, it's package description should be changed and a
> disclaimer should be placed. Probably an 'are you sure?' question
> shouldn't be implemented (or if implemented, it shouldn't be the
> default), because it would block integrations like with emacs.
>
> As this is a documentation or a new feature request issue, I
> changed severity to wishlist.
It is not a "wishlist" feature, it is a security issue.
> Thanks again for your contribution to Debian, if you write the
> disclaimer in a few world that should be appended to the package
> description in your opinion, it would be a big help.
"This software does not have any authentication capabilities: it does
not allow you to authenticate your peer, which is a basic requirement
for TLS/SSL to be used securely. You should only use it for testing
purposes and not relaying important information. Be aware that you are
vulnerable to MITM when using it"
Cheers,
a+
next prev parent reply other threads:[~2008-09-22 10:43 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-22 8:52 Arnaud Ebalard
2008-09-22 9:13 ` RISKO Gergely
2008-09-22 9:49 ` Arnaud Ebalard
2008-09-22 10:43 ` Arnaud Ebalard [this message]
2008-09-22 16:15 ` Reiner Steib
2008-09-22 16:38 ` Simon Josefsson
2008-09-22 17:48 ` Arnaud Ebalard
2008-10-02 10:04 ` Simon Josefsson
2008-10-07 20:43 ` Matthias Andree
2008-10-07 22:41 ` Simon Josefsson
2008-10-08 10:45 ` Matthias Andree
2008-10-08 11:55 ` Arnaud Ebalard
2008-10-07 20:41 ` Matthias Andree
2008-10-08 5:54 ` Arnaud Ebalard
2008-09-23 17:18 ` Riskó Gergely
2008-09-23 14:43 ` Uwe Brauer
2008-09-24 3:39 ` Sebastian Krause
2008-09-26 13:19 ` Uwe Brauer
2008-09-26 13:25 ` Sebastian Krause
2008-09-26 21:16 ` Uwe Brauer
2008-09-26 23:27 ` Sebastian Krause
2008-09-26 15:09 ` Magnus Henoch
2008-09-26 21:14 ` Uwe Brauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87od2g31hf.fsf@natisbad.org \
--to=arno@natisbad.org \
--cc=499774@bugs.debian.org \
--cc=ding@gnus.org \
--cc=emacs-mime-en@m17n.org \
--cc=risko@debian.org \
--cc=security@debian.org \
--cc=submit@bugs.debian.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).