From: Matthias Andree <matthias.andree@gmx.de>
To: Arnaud Ebalard <arno@natisbad.org>
Cc: Daiki Ueno <ueno@unixuser.org>,
Simon Josefsson <simon@josefsson.org>,
499774@bugs.debian.org, RISKO Gergely <risko@debian.org>,
ding@gnus.org
Subject: Re: Bug#499774: starttls is a joke
Date: Tue, 07 Oct 2008 22:41:25 +0200 [thread overview]
Message-ID: <m3zllgrvd6.fsf@merlin.emma.line.org> (raw)
In-Reply-To: <87tzc8upgf.fsf@marauder.physik.uni-ulm.de> (Reiner Steib's message of "Mon, 22 Sep 2008 18:15:28 +0200")
Reiner Steib <reinersteib+gmane@imap.cc> writes:
>> Then, someone should correct the code to support passing trust anchors,
>> allow passing the verify value, and document capabilities and
>> limitations.
>
> Gnus currently uses starttls if starttls and gnutls-cli are available
> for backward compatibility.
>
> Would it make sense to prefer gnutls-cli and warn when using starttls
> (if gnutls-cli is not installed)?
It would make sense to fix the tools first, and stop using them in
unsafe ways.
I recently found on Cygwin, when setting up Emacs+Gnus, that gnutls-cli
(2.4.2 IIRC) has some subtle "accept b0rked cert chain" behaviour: it
would happily accept any garbage^Wuntrusted certificate chain without
notice -- when I'm not using "--x509cafile FOO" on the command line.
This isn't documented anywhere (manual, manpage, --help), I found this
out through systematic testing.
I find this most disturbing, since if I don't provide a set of trusted
X.509 CA certs, I trust nobody (rather than everybody as gnutls-cli
does)... gnutls-cli should bail out if it has no trusted root
certificates, rather than silently trust everyone. Go figure - there's a
difference between giving "--x509cafile /dev/null" and not giving this
option at all. :-(
While I'm at it, from the end user's perspective, I find it very hard to
figure what options I need for a proper configuration that doesn't use
b0rked protocols such as SSLv2, that uses proper X.509 certificate
validation to detect MITM attacks. Few applications except Firefox 3 get
that right, and I couldn't tell one off-hand.
I think that EVERY tool that has a remotely security-related context
should default to bulletproof mode and require that the user relaxes
every test explicitly.
Yes, I need to do homework here, fetchmail doesn't get this right
either... compatibility and all that.
So I'd say make Gnus default to gnutls-cli and change the sample
configuration to include --x509cafile and add instructions to the
defcustom blah self-documentation telling the user to cat(1) his trusted
ROOT certificates (in PEM format) together to form this file.
--
Matthias Andree
next prev parent reply other threads:[~2008-10-07 20:41 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-22 8:52 Arnaud Ebalard
2008-09-22 9:13 ` RISKO Gergely
2008-09-22 9:49 ` Arnaud Ebalard
2008-09-22 10:43 ` Arnaud Ebalard
2008-09-22 16:15 ` Reiner Steib
2008-09-22 16:38 ` Simon Josefsson
2008-09-22 17:48 ` Arnaud Ebalard
2008-10-02 10:04 ` Simon Josefsson
2008-10-07 20:43 ` Matthias Andree
2008-10-07 22:41 ` Simon Josefsson
2008-10-08 10:45 ` Matthias Andree
2008-10-08 11:55 ` Arnaud Ebalard
2008-10-07 20:41 ` Matthias Andree [this message]
2008-10-08 5:54 ` Arnaud Ebalard
2008-09-23 17:18 ` Riskó Gergely
2008-09-23 14:43 ` Uwe Brauer
2008-09-24 3:39 ` Sebastian Krause
2008-09-26 13:19 ` Uwe Brauer
2008-09-26 13:25 ` Sebastian Krause
2008-09-26 21:16 ` Uwe Brauer
2008-09-26 23:27 ` Sebastian Krause
2008-09-26 15:09 ` Magnus Henoch
2008-09-26 21:14 ` Uwe Brauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m3zllgrvd6.fsf@merlin.emma.line.org \
--to=matthias.andree@gmx.de \
--cc=499774@bugs.debian.org \
--cc=arno@natisbad.org \
--cc=ding@gnus.org \
--cc=risko@debian.org \
--cc=simon@josefsson.org \
--cc=ueno@unixuser.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).