From: Matthias Andree
Newsgroups: gmane.emacs.gnus.general
Subject: Re: Bug#499774: starttls is a joke
Date: Tue, 07 Oct 2008 22:43:19 +0200
To: simon@josefsson.org
Cc: Daiki Ueno, RISKO Gergely, ding@gnus.org
In-Reply-To: <87prmjjosn.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 02 Oct 2008 12:04:40 +0200")
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

[Stripping Debian BTS bug from Cc: list]

Simon Josefsson writes:

> arno@natisbad.org (Arnaud Ebalard) writes:
>
>>>>> "This software does not have any authentication capabilities: it does
>>>>> not allow you to authenticate your peer, which is a basic requirement
>>>>> for TLS/SSL to be used securely. You should only use it for testing
>>>>> purposes and not relaying important information. Be aware that you are
>>>>> vulnerable to MITM when using it"
>>>
>>> That seems correct to me.
>>>
>>> Note that even if you use gnutls-cli, you need to configure it to use
>>> appropriate trust anchors to get full security.
>>                                                  ^^^^^^^^^^^^^
>>
>> I hope you mean "a working setup". If you do not provide it any (set of)
>> trust anchor, it should not be able to verify server's certificate and
>> should fail, shouldn't it?
>
> Right, and that's what I meant with "you need to configure it to use
> appropriate trust anchors". If you do that, you should get full
> security (whatever that means).

Please change that for gnutls-cli 2.8.0 - preferably, the tool should get
a new name then to make the change of paradigm obvious to consumers such
as Gnus.

-- 
Matthias Andree
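The property argued over in the thread (a client with no trust anchors must fail verification rather than quietly succeed, and a client that skips verification altogether gives encryption without authentication) can be checked programmatically. The following is an added illustration written for this archive page, not code from the thread or from GnuTLS; it audits a Python `ssl.SSLContext` and the function and context names are my own.

```python
import ssl


def audit_client_context(ctx):
    """Return the reasons why this client context cannot authenticate a
    server.  An empty list means the context is set up to verify the peer
    (assuming the loaded trust anchors are the right ones)."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode is CERT_NONE: the peer certificate is never checked")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        problems.append("verify_mode is CERT_OPTIONAL: a server without a certificate is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a certificate for any name is accepted")
    # cert_store_stats() counts what has actually been loaded into the store;
    # a context that requires verification but holds no CA certificates can
    # only ever reject servers, which is the correct failure mode.
    if ctx.cert_store_stats()["x509_ca"] == 0:
        problems.append("no trust anchors loaded: no certificate chain can be verified")
    return problems


def unauthenticated_context():
    """The 'starttls is a joke' configuration: TLS with peer verification
    switched off, so any server (or man in the middle) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def required_but_no_anchors_context():
    """Verification required, but no trust anchors configured: this context
    must fail every handshake, which is what the thread asks of gnutls-cli."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, check_hostname on


def verifying_context(cafile):
    """A context that verifies the peer against an explicitly chosen CA
    bundle (constructed path expected from the caller)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


if __name__ == "__main__":
    for name, ctx in (("unauthenticated", unauthenticated_context()),
                      ("required, no anchors", required_but_no_anchors_context())):
        print(name, "->", audit_client_context(ctx) or ["ok"])
```

`audit_client_context(verifying_context("/path/to/ca.pem"))` returns an empty list once a real CA bundle is loaded; the audit cannot tell whether that bundle is the appropriate one for the server in question.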