From: RISKO Gergely
Newsgroups: gmane.linux.debian.devel.bugs.general, gmane.emacs.gnus.general
Subject: Bug#499774: starttls is a joke
Date: Mon, 22 Sep 2008 11:13:20 +0200
Message-ID: <87y71kpmq7.fsf@bubble.risko.hu>
References: <871vzca7gp.fsf@natisbad.org>
In-Reply-To: <871vzca7gp.fsf@natisbad.org> (Arnaud Ebalard's message of "Mon, 22 Sep 2008 10:52:06 +0200")
To: arno@natisbad.org (Arnaud Ebalard)
Cc: 499774@bugs.debian.org, submit@bugs.debian.org, security@debian.org, ding@gnus.org, emacs-mime-en@m17n.org
Reply-To: RISKO Gergely, 499774@bugs.debian.org
X-Debian-PR-Message: followup 499774
X-Debian-PR-Package: starttls
User-Agent: Gnus Emacs

Sorry, I hadn't noticed that you had cc'd mailing lists. Please find below
my first response to Arnaud.
You surely know about the Gnus usage of this, since you CC'd the mailing
list, sorry. So my opinion is that a disclaimer should be placed, but SSL
with SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.
And the joke is SSL's security model - where you are considered secure if
you pay $500/year -, not starttls.

-=- my original response here: -=-

severity 499774 wishlist
thanks

Dear Arno,

Thanks for your suggestions and reasoning. Probably you haven't noticed
that starttls is mainly an integration utility for GNU/Emacs. And yeah, it
is also good for testing StartTLS-based services as a system administrator.

I'm against the removal, since it will break imaps/pop3s connections from
Emacs-based MUAs (I'm at least sure about Gnus, I use it hourly). And I'm
also against the removal, because this is a very good tool for testing.

You are right, its package description should be changed and a disclaimer
should be placed. Probably an 'are you sure?' question shouldn't be
implemented (or if implemented, it shouldn't be the default), because it
would block integrations like the one with Emacs.

As this is a documentation or new feature request issue, I changed the
severity to wishlist.

Thanks again for your contribution to Debian; if you write the disclaimer
in a few words that should be appended to the package description in your
opinion, it would be a big help.

Gergely

On Mon, 22 Sep 2008 10:52:06 +0200, arno@natisbad.org (Arnaud Ebalard) writes:

> Package: starttls
> Version: 0.10-3
> Severity: critical
>
> starttls package should IMHO be removed from Debian repositories, as it
> looks like a security joke:
>
> - it does not allow passing trust anchors to be used to verify the
>   remote peer: are users expected to see the issue by themselves and not
>   use it?
> - usage advertises a --verify option to set the verification level (no
>   details on accepted values): in all cases, it is not considered in the
>   code and SSL_VERIFY_NONE is used instead.
> - The man page does not describe the options the program accepts and does
>   not warn the user about the lack of checks.
>
> AFAICT, starttls provides a good example of how OpenSSL API should *not*
> be used! Its use should only be limited to testing purposes and a *huge*
> disclaimer on its limitations should be put somewhere.
>
> Comments welcome.
>
> Cheers,
>
> a+
>
> ps: emacs-mime-en@m17n.org is in CC, because previous list of issues is
>     still valid against CVS version of starttls.
> pps: Gnus ML is in CC as some people might be using it (for years?).
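Added example for this thread, not code from the Debian starttls package and not written by either correspondent: a small STARTTLS client that upgrades an SMTP, IMAP or POP3 session and, unlike the tool under discussion, verifies the server certificate against trust anchors (ssl.CERT_REQUIRED plus a hostname check). Python's ssl module wraps OpenSSL, so the `verify=False` path below is exactly the SSL_VERIFY_NONE behaviour the report describes, kept only so the two settings can be compared. The host, port, `cafile` path, the EHLO name and the server transcripts used by `negotiate_scripted` are assumptions for illustration.

```python
"""STARTTLS client that verifies the peer (added example, not starttls code)."""
import io
import socket
import ssl


class StartTLSError(Exception):
    """The plaintext STARTTLS negotiation failed or the server refused it."""


def build_context(cafile=None, verify=True):
    """Return the SSLContext used for the upgrade.

    verify=True : CERT_REQUIRED plus hostname check; trust anchors come from
                  `cafile` (assumed PEM bundle path) or the system store.
    verify=False: what the bug report describes (SSL_VERIFY_NONE). Any
                  certificate is accepted, so an active attacker can terminate
                  the TLS session; only passive sniffing is prevented.
    """
    if verify:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def negotiate_starttls(rfile, wfile, proto):
    """Drive the plaintext part of STARTTLS for "smtp", "imap" or "pop3".

    rfile/wfile are binary file objects (socket.makefile, or BytesIO for a
    dry run).  Returns True once the server agrees to start TLS, False if it
    refuses, and raises StartTLSError on a malformed dialogue.
    """
    def readline():
        raw = rfile.readline()
        if not raw:
            raise StartTLSError("peer closed the connection")
        return raw.decode("ascii", "replace").rstrip("\r\n")

    def send(cmd):
        wfile.write(cmd + b"\r\n")
        wfile.flush()

    def smtp_reply():               # "250-..." continues, "250 ..." ends
        text = []
        while True:
            line = readline()
            text.append(line[4:])
            if line[3:4] != "-":
                return line[:3], text

    if proto == "smtp":
        code, _ = smtp_reply()
        if code != "220":
            raise StartTLSError("unexpected greeting " + code)
        send(b"EHLO localhost")     # assumed client name
        code, caps = smtp_reply()
        if code != "250":
            raise StartTLSError("EHLO rejected with " + code)
        if "STARTTLS" not in (c.upper() for c in caps):
            raise StartTLSError("server does not advertise STARTTLS")
        send(b"STARTTLS")
        return smtp_reply()[0] == "220"

    if proto == "imap":
        if not readline().startswith("* OK"):
            raise StartTLSError("no IMAP greeting")
        send(b"a001 STARTTLS")
        while True:                 # untagged lines may precede our tag
            line = readline()
            if line.startswith("a001 "):
                return line.split(" ", 2)[1].upper() == "OK"

    if proto == "pop3":
        if not readline().startswith("+OK"):
            raise StartTLSError("no POP3 greeting")
        send(b"STLS")
        return readline().startswith("+OK")

    raise ValueError("unknown protocol " + proto)


def negotiate_scripted(server_bytes, proto):
    """Dry-run negotiate_starttls against a constructed server transcript.
    Returns (agreed, bytes the client sent)."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    return negotiate_starttls(rfile, wfile, proto), wfile.getvalue()


def starttls_connect(host, port, proto, cafile=None, verify=True, timeout=10):
    """Connect, negotiate STARTTLS, then do the TLS handshake.

    With verify=True the handshake raises ssl.SSLCertVerificationError on an
    untrusted or mis-named certificate.  Returns (tls socket, peer cert dict);
    the dict is empty when verify=False because nothing was validated.
    """
    sock = socket.create_connection((host, port), timeout)
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    try:
        if not negotiate_starttls(rfile, wfile, proto):
            raise StartTLSError("server refused STARTTLS")
    except Exception:
        sock.close()
        raise
    rfile.close()
    wfile.close()
    tls = build_context(cafile, verify).wrap_socket(sock, server_hostname=host)
    return tls, tls.getpeercert()


if __name__ == "__main__":          # e.g. python3 starttls_check.py mx.example 587 smtp
    import sys
    host, port, proto = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    tls, cert = starttls_connect(host, port, proto, verify="--insecure" not in sys.argv)
    print(tls.version(), cert.get("subject", "(not verified)"))
```

With `verify=False` the handshake still completes and the session is encrypted, so a passive sniffer learns nothing, but the client never checks who is on the other end: anyone who can redirect the TCP connection finishes the handshake with a certificate of their own and reads the credentials that follow. That is the gap a working --verify option with a trust-anchor argument would close, and `negotiate_scripted` lets the plaintext half be exercised against captured server replies without a network.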