From: Riskó Gergely
Newsgroups: gmane.linux.debian.devel.bugs.general, gmane.emacs.gnus.general
Subject: Bug#499774: starttls is a joke
Date: Tue, 23 Sep 2008 19:18:19 +0200
Message-ID: <87tzc6aihw.fsf@jenson.atom.hu>
References: <871vzca7gp.fsf@natisbad.org> <87y71kpmq7.fsf@bubble.risko.hu> <87od2g31hf.fsf@natisbad.org>
In-Reply-To: <87od2g31hf.fsf@natisbad.org> (Arnaud Ebalard's message of "Mon, 22 Sep 2008 12:43:08 +0200")
To: arno@natisbad.org (Arnaud Ebalard)
Cc: 499774@bugs.debian.org, security@debian.org, ding@gnus.org, emacs-mime-en@m17n.org
Reply-To: Riskó Gergely, 499774@bugs.debian.org
User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

> Then, someone should correct the code to support passing trust anchors,
> allow passing the verify value, and document capabilities and
> limitations. (*)

I certainly don't have time to do it, and since I can't agree with the
politics behind the whole SSL model, I don't think that I will have time
to implement this in the (near) future.

Someone else?

If not, then do the interested parties agree to this text being the
warning in the package's description field?

> "This software does not have any authentication capabilities: it does
> not allow you to authenticate your peer, which is a basic requirement
> for TLS/SSL to be used securely. You should only use it for testing
> purposes and not relaying important information. Be aware that you are
> vulnerable to MITM when using it"

Security team: is this doc change enough to close the security issue,
and handle the modification requests (see (*)) as a wishlist?

Thanks for your help and your contribution,
Gergely
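The thread turns on a TLS client that never authenticates its peer. As an added illustration, not code from the starttls package or from anyone in this thread, the Go program below contrasts over an in-memory connection the three client policies the quoted text distinguishes: skipping verification entirely, verifying with no trust anchor for the server (the handshake is rejected), and verifying against an explicitly supplied anchor. The throwaway certificate and the host name mail.example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for the constructed name
// mail.example.test (an assumption for this example) so it runs offline.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"mail.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshakeOK runs a handshake over an in-memory pipe and reports whether the
// client accepted the server certificate under the given client policy.
func handshakeOK(srv tls.Certificate, client *tls.Config) bool {
	cEnd, sEnd := net.Pipe()
	defer func() { cEnd.Close(); sEnd.Close() }()
	cEnd.SetDeadline(time.Now().Add(5 * time.Second)) // bound a failing handshake
	go tls.Server(sEnd, &tls.Config{Certificates: []tls.Certificate{srv}}).Handshake()
	return tls.Client(cEnd, client).Handshake() == nil
}

// Compare contrasts no verification (the behaviour the report describes),
// verification with no trust anchor, and verification against an explicit anchor.
func Compare() (unverified, noAnchor, anchored bool) {
	srv := selfSignedCert()
	unverified = handshakeOK(srv, &tls.Config{InsecureSkipVerify: true})
	noAnchor = handshakeOK(srv, &tls.Config{ServerName: "mail.example.test", RootCAs: x509.NewCertPool()})
	pool := x509.NewCertPool()
	pool.AddCert(srv.Leaf)
	anchored = handshakeOK(srv, &tls.Config{ServerName: "mail.example.test", RootCAs: pool})
	return
}
```

The first policy accepts any certificate a man-in-the-middle presents; only the third both requires a certificate and pins which anchor it must chain to, and also checks the name.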