From: Alberto Luaces <aluaces@udc.es>
To: info-gnus-english@gnu.org
Subject: Re: Gmane with Gnus first timer
Date: Fri, 29 Sep 2017 09:43:40 +0200
Message-ID: <87zi9erlub.fsf@eps142.cdf.udc.es>
In-Reply-To: <87a81etf3v.fsf@gmail.com>
Maxim Cournoyer writes:
> Alberto Luaces <aluaces@udc.es> writes:
>
>> Hi Maxim,
>>
>> Maxim Cournoyer writes:
>>
>>> Are you sure the data obtained from news.gmane.org is not funneled
>>> through TLS? And why would Emacs warn about Gmane TLS problems
>>> otherwise? The Gnus manual has this to say about the
>>> `nntp-open-network-stream':
>>>
>>> This is the default, and simply connects to some port or other on the
>>> remote system. If both Emacs and the server supports it, the connection
>>> will be upgraded to an encrypted STARTTLS connection automatically.
>>>
>>
>> Yes, you are right in the TLS part, but I was referring to the trust you
>> are putting into a certificate you have also downloaded in an insecure
>> way. The certificate system only works if it is signed by someone you
>> already trust. If the certificate is self-signed, the only safe way to
>> check that it is the valid one would be to exchange fingerprints with
>> the owner by means of a different secure channel (telephone, USB
>> exchange...)
>>
>> Otherwise you can suffer from a man-in-the-middle attack even if the whole
>> communication is encrypted.
>
> Good point! I hadn't given much thought to that one. Still, while
> flawed, the exercise of trusting the news.gmane.org server is not
> totally pointless: if I was lucky enough to retrieve the certificate
> at a time before Malefoy compromised the communication, then I'm at least
> protected against later attacks.
>
> Thanks for sharing this important limitation. After Gmane is totally
> back, it would be nice if the self-signed certificate were upgraded to a
> free Let's Encrypt[1] one.
I fully agree. With LE, the excuses for not having a proper SSL system
are not valid anymore.
Regards,
--
Alberto
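The two trust models discussed in this thread, remembering the first certificate you saw (trust on first use) versus checking its fingerprint against one obtained over a separate channel, can be made concrete in a few lines. The following is an added illustration, not code from Gnus, Emacs or the Gmane server. It works on the raw DER bytes of a peer certificate (in a real client these come from `ssl.SSLSocket.getpeercert(binary_form=True)`); the certificate bytes, the hostname and the `TofuStore` class are constructed for the example.

```python
"""Certificate fingerprint pinning: trust-on-first-use (TOFU) store versus
an out-of-band fingerprint check. Hypothetical helper written for this
thread; not part of Gnus or Emacs.
"""
import hashlib
import hmac
import json
from pathlib import Path

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAMPLE_DER = b"constructed DER bytes: self-signed cert A for news.gmane.org"
OTHER_DER = b"constructed DER bytes: a different cert B for news.gmane.org"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated, upper-case form that
    `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_out_of_band(der: bytes, expected_fp: str) -> bool:
    """Compare the presented certificate with a fingerprint received over a
    separate channel (read out on the phone, carried on a USB stick).
    Accepts any mix of case, colons and spaces; compares in constant time.
    This is the only check that also covers the *first* connection."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(norm(fingerprint(der)), norm(expected_fp))


class TofuStore:
    """Remembers the first fingerprint seen per host, like ~/.ssh/known_hosts.

    check() returns "new" on first contact, "match" when the pinned
    fingerprint is presented again, and "mismatch" when the server presents
    a different certificate, which is what a later man-in-the-middle looks
    like from the client side. It cannot tell whether the first contact was
    already intercepted; that gap is exactly the one the thread points out.
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=1))

    def check(self, host: str, der: bytes) -> str:
        fp = fingerprint(der)
        seen = self.known.get(host)
        if seen is None:
            self.known[host] = fp          # first contact: pin what we saw
            self._save()
            return "new"
        if hmac.compare_digest(seen, fp):
            return "match"
        return "mismatch"                   # caller must refuse to proceed


if __name__ == "__main__":
    store = TofuStore()                     # in-memory; pass a path to persist
    print("first connection :", store.check("news.gmane.org", SAMPLE_DER))
    print("second connection:", store.check("news.gmane.org", SAMPLE_DER))
    print("cert changed     :", store.check("news.gmane.org", OTHER_DER))
    print("pinned fp        :", fingerprint(SAMPLE_DER))
```

A "mismatch" result should abort the connection rather than prompt the user, since a prompt at that point is what the attacker is counting on. Only `matches_out_of_band` removes the dependence on having been lucky on the first connection, which is the distinction drawn above.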