From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Bug#499774: starttls is a joke
Date: Thu, 02 Oct 2008 12:04:40 +0200
Message-ID: <87prmjjosn.fsf@mocca.josefsson.org>
References: <871vzca7gp.fsf@natisbad.org> <87y71kpmq7.fsf@bubble.risko.hu> <87od2g31hf.fsf@natisbad.org> <87tzc8upgf.fsf@marauder.physik.uni-ulm.de> <87fxnsjfu3.fsf@mocca.josefsson.org> <87wsh4gjgi.fsf@natisbad.org>
In-Reply-To: <87wsh4gjgi.fsf@natisbad.org> (Arnaud Ebalard's message of "Mon, 22 Sep 2008 19:48:45 +0200")
To: arno@natisbad.org (Arnaud Ebalard)
Cc: Daiki Ueno, 499774@bugs.debian.org, RISKO Gergely, ding@gnus.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)
Xref: news.gmane.org gmane.emacs.gnus.general:67507

arno@natisbad.org (Arnaud Ebalard) writes:

>>>> "This software does not have any authentication capabilities: it does
>>>> not allow you to authenticate your peer, which is a basic requirement
>>>> for TLS/SSL to be used securely. You should only use it for testing
>>>> purposes and not relaying important information. Be aware that you are
>>>> vulnerable to MITM when using it"
>>
>> That seems correct to me.
>>
>> Note that even if you use gnutls-cli, you need to configure it to use
>> appropriate trust anchors to get full security.
>              ^^^^^^^^^^^^^
>
> I hope you mean "a working setup". If you do not provide it any (set of)
> trust anchor, it should not be able to verify server's certificate and
> should fail, shouldn't it?

Right, and that's what I meant with "you need to configure it to use
appropriate trust anchors". If you do that, you should get full security
(whatever that means).

/Simon
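The distinction the thread turns on, a TLS client that encrypts but never authenticates its peer versus one that requires a certificate chaining to a configured trust anchor, can be made concrete with Python's standard `ssl` module. The example below is added here for illustration and is not code from the thread, from starttls.el or from GnuTLS; the function names `insecure_context`, `verifying_context` and `describe` are my own. It builds the two kinds of client context side by side and shows why a verifying client with an empty trust store fails rather than silently succeeding, which is the behaviour Arnaud asks about.

```python
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """The setup the quoted warning describes: encryption only, no peer
    authentication.  Any certificate presented by the far end is accepted,
    so an active attacker in the path goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be set to
    # CERT_NONE; the ssl module refuses the reverse order.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None,
                      use_system_store: bool = True) -> ssl.SSLContext:
    """A client that authenticates its peer.  PROTOCOL_TLS_CLIENT already
    defaults to CERT_REQUIRED plus hostname checking; what remains is to
    decide which trust anchors the chain must lead to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        # Explicit trust anchor(s), the equivalent of pointing gnutls-cli
        # at a CA file.
        ctx.load_verify_locations(cafile=cafile)
    elif use_system_store:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    # With neither branch taken the store is empty.  Because verify_mode is
    # still CERT_REQUIRED, every handshake then fails with a verification
    # error instead of proceeding unauthenticated.
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a client context."""
    return {
        "authenticates_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "trust_anchors": len(ctx.get_ca_certs()),
    }


if __name__ == "__main__":
    print("encryption only :", describe(insecure_context()))
    print("verify, no store:", describe(verifying_context(use_system_store=False)))
    print("verify, system  :", describe(verifying_context()))
```

The middle case is the one worth remembering: a verifying client with no trust anchors is not "half secure", it simply cannot complete a handshake, which is the correct failure mode. Only the first context lets a connection succeed against an attacker's certificate.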