Gnus development mailing list
 help / color / mirror / Atom feed
From: arno@natisbad.org (Arnaud Ebalard)
To: RISKO Gergely <risko@debian.org>
Cc: 499774@bugs.debian.org,  submit@bugs.debian.org,
	 security@debian.org,  ding@gnus.org,  emacs-mime-en@m17n.org
Subject: Bug#499774: starttls is a joke
Date: Mon, 22 Sep 2008 12:43:08 +0200	[thread overview]
Message-ID: <87od2g31hf.fsf@natisbad.org> (raw)
In-Reply-To: <87y71kpmq7.fsf@bubble.risko.hu> (RISKO Gergely's message of "Mon, 22 Sep 2008 11:13:20 +0200")

Hi,                                     [resending, forgot some CC]

RISKO Gergely <risko@debian.org> writes:

> Sorry, I haven't noticed that you have cc'd mailing lists.  Please
> find below my first response to Arnaud.

At least, thanks for the quick reply.

> You surely knows about the gnus usage of this, since you CC'd the
> mailing list, sorry.

yes.

> So my option is that a disclaimer should be placed, but SSL with
> SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.

No, it is not. It is worse. It provides a feeling of security to the
people that use it. It is like driving with deactivated airbags.

> And the joke is SSL's security model - where you are considered secure
> if you pay $500/year -, not starttls.

1) I use my own PKI for some of my services, which costs me nothing.
2) As a client, you do not pay for the server certificates (cf gmail)
   and trust anchors.
3) It is a lame excuse.

> -=- my original response here: -=-
>
> severity 499774 wishlist
> thanks
>
> Dear Arno,
>
> Thanks for your suggestions and reasoning.  Probably you haven't
> noticed that starttls is mainly an integration utility for mainly
> GNU/Emacs.  And yeah, it is also good for testing StartTLS based
> services as a system administrator.
>
> I'm against the removal, since it will break imaps/pop3s connections
> from emacs based muas (I'm at least sure in gnus, I use it hourly).

Then, someone should correct the code to support passing trust anchors,
allow passing the verify value, and document capabilities and
limitations. 

> And I'm also against the removal, because this is a very good tool for
> testing.

I will also send a copy of this reply to security@debian.org.

> You are right, it's package description should be changed and a
> disclaimer should be placed.  Probably an 'are you sure?' question
> shouldn't be implemented (or if implemented, it shouldn't be the
> default), because it would block integrations like with emacs.
>
> As this is a documentation or a new feature request issue, I
> changed severity to wishlist.

It is not a "wishlist" feature, it is a security issue.

> Thanks again for your contribution to Debian, if you write the
> disclaimer in a few world that should be appended to the package
> description in your opinion, it would be a big help.

"This software does not have any authentication capabilities: it does
not allow you to authenticate your peer, which is a basic requirement
for TLS/SSL to be used securely. You should only use it for testing
purposes and not relaying important information. Be aware that you are
vulnerable to MITM when using it"

Cheers,

a+





  parent reply	other threads:[~2008-09-22 10:43 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-22  8:52 Arnaud Ebalard
2008-09-22  9:13 ` RISKO Gergely
2008-09-22  9:49   ` Arnaud Ebalard
2008-09-22 10:43   ` Arnaud Ebalard [this message]
2008-09-22 16:15     ` Reiner Steib
2008-09-22 16:38       ` Simon Josefsson
2008-09-22 17:48         ` Arnaud Ebalard
2008-10-02 10:04           ` Simon Josefsson
2008-10-07 20:43             ` Matthias Andree
2008-10-07 22:41               ` Simon Josefsson
2008-10-08 10:45                 ` Matthias Andree
2008-10-08 11:55                   ` Arnaud Ebalard
2008-10-07 20:41       ` Matthias Andree
2008-10-08  5:54         ` Arnaud Ebalard
2008-09-23 17:18     ` Riskó Gergely
2008-09-23 14:43   ` Uwe Brauer
2008-09-24  3:39     ` Sebastian Krause
2008-09-26 13:19       ` Uwe Brauer
2008-09-26 13:25         ` Sebastian Krause
2008-09-26 21:16           ` Uwe Brauer
2008-09-26 23:27             ` Sebastian Krause
2008-09-26 15:09         ` Magnus Henoch
2008-09-26 21:14           ` Uwe Brauer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87od2g31hf.fsf@natisbad.org \
    --to=arno@natisbad.org \
    --cc=499774@bugs.debian.org \
    --cc=ding@gnus.org \
    --cc=emacs-mime-en@m17n.org \
    --cc=risko@debian.org \
    --cc=security@debian.org \
    --cc=submit@bugs.debian.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).