From mboxrd@z Thu Jan 1 00:00:00 1970
From: arno@natisbad.org (Arnaud Ebalard)
Newsgroups: gmane.linux.debian.devel.bugs.general,gmane.emacs.gnus.general
Subject: Bug#499774: starttls is a joke
Date: Mon, 22 Sep 2008 12:43:08 +0200
Message-ID: <87od2g31hf.fsf@natisbad.org>
References: <871vzca7gp.fsf@natisbad.org> <87y71kpmq7.fsf@bubble.risko.hu>
In-Reply-To: <87y71kpmq7.fsf@bubble.risko.hu> (RISKO Gergely's message of "Mon, 22 Sep 2008 11:13:20 +0200")
Reply-To: arno@natisbad.org (Arnaud Ebalard), 499774@bugs.debian.org
To: RISKO Gergely
Cc: 499774@bugs.debian.org, submit@bugs.debian.org, security@debian.org, ding@gnus.org, emacs-mime-en@m17n.org
X-Debian-PR-Package: starttls
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)

Hi,

[resending, forgot some CC]

RISKO Gergely writes:

> Sorry, I haven't noticed that you have cc'd mailing lists. Please
> find below my first response to Arnaud.

At least, thanks for the quick reply.

> You surely know about the gnus usage of this, since you CC'd the
> mailing list, sorry.

Yes.

> So my opinion is that a disclaimer should be placed, but SSL with
> SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.

No, it is not. It is worse. It provides a feeling of security to the
people that use it. It is like driving with deactivated airbags.

> And the joke is SSL's security model - where you are considered secure
> if you pay $500/year -, not starttls.

1) I use my own PKI for some of my services, which costs me nothing.
2) As a client, you do not pay for the server certificates (cf gmail)
   and trust anchors.
3) It is a lame excuse.

> -=- my original response here: -=-
>
> severity 499774 wishlist
> thanks
>
> Dear Arno,
>
> Thanks for your suggestions and reasoning. Probably you haven't
> noticed that starttls is mainly an integration utility for mainly
> GNU/Emacs. And yeah, it is also good for testing StartTLS based
> services as a system administrator.
>
> I'm against the removal, since it will break imaps/pop3s connections
> from emacs based muas (I'm at least sure in gnus, I use it hourly).

Then, someone should correct the code to support passing trust anchors,
allow passing the verify value, and document capabilities and
limitations.

> And I'm also against the removal, because this is a very good tool for
> testing.

I will also send a copy of this reply to security@debian.org.

> You are right, its package description should be changed and a
> disclaimer should be placed. Probably an 'are you sure?' question
> shouldn't be implemented (or if implemented, it shouldn't be the
> default), because it would block integrations like with emacs.
>
> As this is a documentation or a new feature request issue, I
> changed severity to wishlist.

It is not a "wishlist" feature, it is a security issue.

> Thanks again for your contribution to Debian, if you write the
> disclaimer in a few words that should be appended to the package
> description in your opinion, it would be a big help.

"This software does not have any authentication capabilities: it does
not allow you to authenticate your peer, which is a basic requirement
for TLS/SSL to be used securely. You should only use it for testing
purposes and not relaying important information. Be aware that you are
vulnerable to MITM when using it"

Cheers,

a+
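The correction asked for in this reply (accept trust anchors and a verify setting instead of a fixed SSL_VERIFY_NONE, and say so when verification is off), shown as an added Python example that is not part of the Debian starttls package or of this thread; the IMAP host, port and CA file path are the caller's, and `imap_starttls` needs a reachable server, so only the context helpers are exercised offline.

```python
"""Added example (not the Debian starttls package's code): an IMAP STARTTLS
upgrade where the caller supplies trust anchors and the verify setting,
with peer authentication as the default rather than SSL_VERIFY_NONE."""
import imaplib
import ssl


def make_tls_context(verify=True, cafile=None):
    """Build the TLS context used after the STARTTLS upgrade.

    verify=True  : require a chain to a trust anchor plus a matching host
                   name; `cafile` is a private PKI's CA bundle, None means
                   the system trust store.
    verify=False : reproduces SSL_VERIFY_NONE (no peer authentication),
                   acceptable only for testing a server's STARTTLS support.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticates_peer(ctx):
    """True only if the context rejects an unverified or misnamed peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def peer_auth_notice(ctx):
    """The disclaimer this thread asks for, emitted only when it applies."""
    if authenticates_peer(ctx):
        return ""
    return ("WARNING: peer not authenticated (verify disabled); "
            "vulnerable to MITM, use for testing only")


def imap_starttls(host, port=143, ctx=None):
    """Connect in clear text, upgrade with STARTTLS, return (protocol, cipher).

    With verify=True a server whose certificate does not chain to the trust
    anchors raises ssl.SSLCertVerificationError here instead of silently
    proceeding. Hypothetical call: imap_starttls("imap.example.org").
    """
    ctx = ctx if ctx is not None else make_tls_context()
    conn = imaplib.IMAP4(host, port, timeout=10)
    try:
        conn.starttls(ssl_context=ctx)
        return conn.socket().version(), conn.socket().cipher()[0]
    finally:
        conn.shutdown()
```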