From: Maxim Cournoyer
Newsgroups: gmane.emacs.gnus.user
Subject: Re: Gmane with Gnus first timer
Date: Thu, 28 Sep 2017 22:26:12 -0400
Message-ID: <87a81etf3v.fsf@gmail.com>
References: <877ewk41ll.fsf@gmail.com> <874lrounzu.fsf@eps142.cdf.udc.es> <87k20j3oeo.fsf@gmail.com> <878tgzt66x.fsf@eps142.cdf.udc.es>
To: info-gnus-english@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
Alberto Luaces writes:

> Hi Maxim,
>
> Maxim Cournoyer writes:
>
>> Are you sure the data obtained from news.gmane.org is not funneled
>> through TLS? And why would Emacs warn about Gmane TLS problems
>> otherwise? The Gnus manual has this to say about the
>> `nntp-open-network-stream':
>>
>> This is the default, and simply connects to some port or other on the
>> remote system. If both Emacs and the server supports it, the connection
>> will be upgraded to an encrypted STARTTLS connection automatically.
>>
>
> Yes, you are right in the TLS part, but I was referring to the trust you
> are putting into a certificate you have also downloaded in an insecure
> way. The certificate system only works if it is signed by someone you
> already trust. If the certificate is self-signed, the only safe way to
> check that it is the valid one would be to exchange fingerprints with
> the owner by means of a different secure channel (telephone, USB
> exchange...)
>
> Otherwise you can suffer from a man-in-the-middle attack even if the whole
> communication is encrypted.

Good point! I hadn't given much thought to that one. Still, while flawed,
the exercise of trusting the news.gmane.org server is not totally
pointless: if I was lucky enough to retrieve the certificate at a time
before Malefoy compromised the communication, then I'm at least protected
against later attacks.

Thanks for sharing this important limitation.

After Gmane is totally back, it would be nice if the self-signed
certificate were upgraded to a free Let's Encrypt[1] one.

Maxim

[1] https://en.wikipedia.org/wiki/Let's_Encrypt
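The trade-off the two messages above describe is trust-on-first-use (TOFU): the client cannot chain a self-signed certificate to a CA it trusts, so it records the certificate's fingerprint the first time it sees it and rejects any later connection that presents a different one. That is what the Emacs Network Security Manager does when it asks whether to accept an unverifiable certificate and then stores the fingerprint in `nsm-settings-file`. The following is an added example written for this page, not code from the thread, from Gnus or from Emacs. It models a minimal pin store and runs the three cases discussed: a clean first contact (Maxim's point: a later interception is detected), a first contact that was already intercepted (Alberto's point: the wrong certificate gets pinned and the genuine one is what later looks suspicious), and the fix Alberto names, checking the fingerprint against one obtained over a separate channel. The certificate bytes are constructed stand-ins for DER-encoded certificates, not real X.509 data; the fingerprint computation itself is the same SHA-256 over DER that `openssl x509 -noout -fingerprint -sha256` prints. The `server_fingerprint` helper at the end is for real use against an NNTPS (port 563, implicit TLS) server and is not exercised here; it does not perform the STARTTLS upgrade on port 119 that the Gnus manual excerpt describes.

```python
"""Trust-on-first-use pin store for a self-signed server certificate.

Added example, not code from the thread, Gnus or Emacs.  Certificates are
represented by their DER bytes; the ones used below are constructed
placeholders, not real X.509 data.
"""
import hashlib
import ssl
from typing import Dict, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in openssl's colon-separated form."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Maps host:port to the fingerprint accepted on first contact."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, port: int, der_cert: bytes,
              out_of_band_fp: Optional[str] = None) -> str:
        """Decide whether der_cert is acceptable for host:port.

        Returns "pinned" (first contact, trusted blindly), "verified" (first
        contact, matched the out-of-band fingerprint), "ok" (matches the stored
        pin) or "mismatch" (differs from the stored pin: interception or a
        legitimate key rotation; the client cannot tell which).  Raises
        ValueError when an out-of-band fingerprint is supplied and does not
        match, whatever the pin store says.
        """
        key = f"{host}:{port}"
        fp = fingerprint(der_cert)
        if out_of_band_fp is not None and fp != out_of_band_fp.upper():
            raise ValueError(f"{key}: certificate does not match the out-of-band fingerprint")
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp
            return "verified" if out_of_band_fp is not None else "pinned"
        return "ok" if pinned == fp else "mismatch"


# Constructed stand-ins for DER certificates (hypothetical, not real certificates).
GENUINE_CERT = b"DER:news.gmane.org:self-signed:serial-1"
ATTACKER_CERT = b"DER:malefoy:self-signed:serial-1"


def scenario_clean_first_contact():
    """First fetch was clean: a later interception presents a different cert and is flagged."""
    store = PinStore()
    first = store.check("news.gmane.org", 563, GENUINE_CERT)
    later_genuine = store.check("news.gmane.org", 563, GENUINE_CERT)
    later_intercepted = store.check("news.gmane.org", 563, ATTACKER_CERT)
    return first, later_genuine, later_intercepted


def scenario_poisoned_first_contact():
    """The attacker was already in the path on first contact: the wrong cert gets pinned,
    the attacker keeps passing, and the genuine cert is what later raises the alarm."""
    store = PinStore()
    first = store.check("news.gmane.org", 563, ATTACKER_CERT)
    attacker_later = store.check("news.gmane.org", 563, ATTACKER_CERT)
    genuine_later = store.check("news.gmane.org", 563, GENUINE_CERT)
    return first, attacker_later, genuine_later


def scenario_out_of_band_check():
    """Fingerprint obtained over a separate channel (phone, USB stick) closes the gap:
    the intercepting cert is rejected before it can be pinned."""
    store = PinStore()
    known_fp = fingerprint(GENUINE_CERT)  # value the operator gave you out of band
    try:
        store.check("news.gmane.org", 563, ATTACKER_CERT, out_of_band_fp=known_fp)
        attacker_caught = False
    except ValueError:
        attacker_caught = True
    genuine = store.check("news.gmane.org", 563, GENUINE_CERT, out_of_band_fp=known_fp)
    return attacker_caught, genuine


def server_fingerprint(host: str, port: int = 563) -> str:
    """Fetch the live certificate over implicit TLS and fingerprint it.

    Network helper for real use; not called above.  Uses the NNTPS port, not a
    STARTTLS upgrade on port 119.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))
```

Note that the poisoned-first-contact case returns exactly the same status sequence as the clean one: from inside the client the two histories are indistinguishable, which is why the out-of-band comparison, or a certificate chained to a CA already in the trust store, is the only way to know which situation you are in.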