Gnus development mailing list
From: RISKO Gergely <risko@debian.org>
To: arno@natisbad.org (Arnaud Ebalard)
Cc: 499774@bugs.debian.org,  submit@bugs.debian.org,
	 security@debian.org, ding@gnus.org,  emacs-mime-en@m17n.org
Subject: Bug#499774: starttls is a joke
Date: Mon, 22 Sep 2008 11:13:20 +0200	[thread overview]
Message-ID: <87y71kpmq7.fsf@bubble.risko.hu> (raw)
In-Reply-To: <871vzca7gp.fsf@natisbad.org> (Arnaud Ebalard's message of "Mon\, 22 Sep 2008 10\:52\:06 +0200")

Sorry, I hadn't noticed that you had cc'd mailing lists.  Please
find below my first response to Arnaud.

You surely know about the Gnus usage of this, since you CC'd the
mailing list, sorry.

So my opinion is that a disclaimer should be placed, but SSL with
SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.
And the joke is SSL's security model (where you are considered secure
if you pay $500/year), not starttls.

-=- my original response here: -=-

severity 499774 wishlist
thanks

Dear Arno,

Thanks for your suggestions and reasoning.  Probably you haven't
noticed that starttls is mainly an integration utility for
GNU/Emacs.  And yeah, it is also good for testing StartTLS-based
services as a system administrator.

I'm against the removal, since it will break imaps/pop3s connections
from Emacs-based MUAs (I'm at least sure about Gnus, which I use hourly).
And I'm also against the removal, because this is a very good tool for
testing.

You are right, its package description should be changed and a
disclaimer should be placed.  Probably an 'are you sure?' question
shouldn't be implemented (or if implemented, it shouldn't be the
default), because it would block integrations like the one with Emacs.

As this is a documentation issue or a new feature request, I
have changed the severity to wishlist.

Thanks again for your contribution to Debian; if you write, in a few
words, the disclaimer that in your opinion should be appended to the
package description, it would be a big help.

Gergely

On Mon, 22 Sep 2008 10:52:06 +0200, arno@natisbad.org (Arnaud Ebalard) writes:

> Package: starttls
> Version: 0.10-3
> Severity: critical
>
> starttls package should IMHO be removed from Debian repositories, as it
> looks like a security joke:
>
> - it does not allow passing trust anchors to be used to verify the
>   remote peer: are users expected to see the issue by themselves and not
>   use it?
> - usage advertises a --verify option to set the verification level (no
>   details on accepted values): in all cases, it is not considered in the
>   code and SSL_VERIFY_NONE is used instead.
> - The man page does not describe the options the program accepts and does
>   not warn the user about the lack of checks.
>
> AFAICT, starttls provides a good example of how OpenSSL API should *not*
> be used! Its use should only be limited to testing purposes and a *huge*
> disclaimer on its limitations should be put somewhere.
>
> Comments welcome.
>
> Cheers,
>
> a+
>
> ps: emacs-mime-en@m17n.org is in CC, because the previous list of issues is
>     still valid against the CVS version of starttls.
> pps: Gnus ML is in CC as some people might be using it (for years?).
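The verification gap Arnaud describes (a --verify option that is parsed but never applied, no way to pass trust anchors, SSL_VERIFY_NONE always) and Gergely's point that an unverified TLS session still differs from plaintext, shown side by side. This is an added example written for this page, not starttls code and not Debian's; it uses Python's ssl module, a thin wrapper over the OpenSSL API in which ssl.CERT_NONE and ssl.CERT_REQUIRED correspond to SSL_VERIFY_NONE and SSL_VERIFY_PEER. The level names none/optional/required for --verify are my assumption, not starttls's actual option values, and the self-signed certificate is throwaway test material generated with the openssl command line at run time.

```python
# Added example (not starttls code): the weak client-side verification set-up
# described in the bug report, beside a hardened form that honours the requested
# level, loads trust anchors and checks the hostname. Python's ssl module wraps
# OpenSSL: CERT_NONE == SSL_VERIFY_NONE, CERT_REQUIRED == SSL_VERIFY_PEER.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Hypothetical mapping of a "--verify LEVEL" option onto OpenSSL verify modes
# (an assumption for this example; starttls's real accepted values are unknown).
VERIFY_LEVELS = {
    "none": ssl.CERT_NONE,          # SSL_VERIFY_NONE
    "optional": ssl.CERT_OPTIONAL,  # SSL_VERIFY_PEER, but tolerate a missing cert
    "required": ssl.CERT_REQUIRED,  # SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
}


def weak_context(verify_level):
    """The pattern the report describes: --verify is accepted and then ignored.
    Traffic is encrypted, but any certificate, including an attacker's, passes."""
    VERIFY_LEVELS[verify_level]  # parsed for validity ... and never used
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(verify_level, cafile=None):
    """Honour the requested level, load trust anchors (an explicit file, or the
    system store) and check the hostname whenever the peer is actually verified."""
    mode = VERIFY_LEVELS[verify_level]  # KeyError on an unknown level: fail closed
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = mode
    ctx.check_hostname = (mode == ssl.CERT_REQUIRED)
    if mode != ssl.CERT_NONE:
        if cafile:
            ctx.load_verify_locations(cafile=cafile)  # the trust anchors the report asks for
        else:
            ctx.load_default_certs()
    return ctx


def _handshake(client_ctx, cert_file, key_file):
    """One TLS handshake against a local server presenting cert_file.
    Returns True if the client accepted the server, False if it rejected it."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert_file, key_file)
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # a rejecting client sends an alert: the expected failure path
        finally:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"x")
        return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        worker.join(5)
        listener.close()


def demo():
    """Generate a throwaway self-signed certificate (constructed test material,
    not a real server) and report what each context does with it.
    Returns None when the openssl binary is unavailable or too old for -addext."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
        cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
               "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
               "-keyout", key, "-out", cert]
        if subprocess.run(cmd, capture_output=True).returncode != 0:
            return None
        return {
            "weak": _handshake(weak_context("required"), cert, key),
            "hardened_no_anchor": _handshake(hardened_context("required"), cert, key),
            "hardened_with_anchor": _handshake(hardened_context("required", cafile=cert), cert, key),
        }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the three outcomes: the weak context accepts the self-signed certificate even though "required" was requested (encrypted, but open to an active attacker presenting any certificate), the hardened context without a trust anchor rejects it, and the hardened context given the certificate as its anchor accepts it while also checking the hostname. Note the ordering constraint on a PROTOCOL_TLS_CLIENT context: check_hostname must be cleared before verify_mode can be lowered, which is exactly the foot-gun the module puts in the way of silently ending up at CERT_NONE.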


Thread overview: 23+ messages
2008-09-22  8:52 Arnaud Ebalard
2008-09-22  9:13 ` RISKO Gergely [this message]
2008-09-22  9:49   ` Arnaud Ebalard
2008-09-22 10:43   ` Arnaud Ebalard
2008-09-22 16:15     ` Reiner Steib
2008-09-22 16:38       ` Simon Josefsson
2008-09-22 17:48         ` Arnaud Ebalard
2008-10-02 10:04           ` Simon Josefsson
2008-10-07 20:43             ` Matthias Andree
2008-10-07 22:41               ` Simon Josefsson
2008-10-08 10:45                 ` Matthias Andree
2008-10-08 11:55                   ` Arnaud Ebalard
2008-10-07 20:41       ` Matthias Andree
2008-10-08  5:54         ` Arnaud Ebalard
2008-09-23 17:18     ` Riskó Gergely
2008-09-23 14:43   ` Uwe Brauer
2008-09-24  3:39     ` Sebastian Krause
2008-09-26 13:19       ` Uwe Brauer
2008-09-26 13:25         ` Sebastian Krause
2008-09-26 21:16           ` Uwe Brauer
2008-09-26 23:27             ` Sebastian Krause
2008-09-26 15:09         ` Magnus Henoch
2008-09-26 21:14           ` Uwe Brauer
