Announcements and discussions for Gnus, the GNU Emacs Usenet newsreader
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: info-gnus-english@gnu.org
Subject: Re: Gmane with Gnus first timer
Date: Thu, 28 Sep 2017 22:26:12 -0400
Message-ID: <87a81etf3v.fsf@gmail.com>
In-Reply-To: <878tgzt66x.fsf@eps142.cdf.udc.es>

Alberto Luaces <aluaces@udc.es> writes:

> Hi Maxim,
>
> Maxim Cournoyer writes:
>
>> Are you sure the data obtained from news.gmane.org is not funneled
>> through TLS? And why would Emacs warn about Gmane TLS problems
>> otherwise? The Gnus manual has this to say about the
>> `nntp-open-network-stream':
>>
>>     This is the default, and simply connects to some port or other on the
>>     remote system. If both Emacs and the server supports it, the connection
>>     will be upgraded to an encrypted STARTTLS connection automatically.
>>
>
> Yes, you are right in the TLS part, but I was referring to the trust you
> are putting into a certificate you have also downloaded in an insecure
> way.  The certificate system only works if it is signed by someone you
> already trust.  If the certificate is self-signed, the only safe way to
> check that it is the valid one would be to exchange fingerprints with
> the owner by means of a different secure channel (telephone, USB
> exchange...)
>
> Otherwise you can suffer from a man-in-the-middle attack even if the whole
> communication is encrypted.

Good point! I hadn't given much thought to that one. Still, while
flawed, the exercise of trusting the news.gmane.org server is not
totally pointless: if I was lucky enough to retrieve the certificate
at a time before Malefoy compromised the communication, then I'm at least
protected against later attacks.

Thanks for sharing this important limitation. Once Gmane is fully
back, it would be nice if the self-signed certificate were upgraded to a
free Let's Encrypt one[1].

Maxim

[1]  https://en.wikipedia.org/wiki/Let's_Encrypt
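The out-of-band fingerprint check discussed in this thread, as an added example that is not part of the original messages: a Python script that performs the NNTP STARTTLS upgrade that `nntp-open-network-stream` relies on, prints the server certificate's SHA-256 fingerprint for comparison over a separate channel, and checks it against a pinned value. The default host `news.gmane.org` and the command-line arguments are assumptions.

```python
# Added example, not from the thread: pin an NNTP server's STARTTLS certificate by SHA-256 fingerprint.
import hashlib
import hmac
import socket
import ssl

def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison against a fingerprint obtained out of band (any case, colons optional)."""
    def normalize(s): return s.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(normalize(cert_fingerprint(der_cert)), normalize(expected))

def read_line(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated NNTP response line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("server closed connection")
        buf += chunk
    return buf

def fetch_nntp_cert(host: str, port: int = 119, timeout: float = 10.0) -> bytes:
    """Upgrade a plain NNTP session to TLS (RFC 4642) and return the peer's DER certificate.
    Verification is disabled only to obtain the certificate; nothing is read or posted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = read_line(sock)
        if not greeting.startswith(b"20"):      # 200/201: service available
            raise ConnectionError(greeting.decode(errors="replace"))
        sock.sendall(b"STARTTLS\r\n")
        reply = read_line(sock)
        if not reply.startswith(b"382"):        # 382: continue with TLS negotiation
            raise ConnectionError(reply.decode(errors="replace"))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    import sys   # usage: HOST [FINGERPRINT]; news.gmane.org is an assumed default
    der = fetch_nntp_cert(sys.argv[1] if len(sys.argv) > 1 else "news.gmane.org")
    print("SHA256", cert_fingerprint(der))
    if len(sys.argv) > 2:
        print("pin OK" if fingerprint_matches(der, sys.argv[2]) else "PIN MISMATCH: do not trust")
```

Run it once over a channel you trust to record the fingerprint, then compare that recorded value on later connections; a mismatch means the certificate changed and the connection should not be trusted until the owner confirms the new fingerprint.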