From: Alberto Luaces
Newsgroups: gmane.emacs.gnus.user
Subject: Re: Gmane with Gnus first timer
Date: Fri, 29 Sep 2017 09:43:40 +0200
Message-ID: <87zi9erlub.fsf@eps142.cdf.udc.es>
References: <877ewk41ll.fsf@gmail.com> <874lrounzu.fsf@eps142.cdf.udc.es> <87k20j3oeo.fsf@gmail.com> <878tgzt66x.fsf@eps142.cdf.udc.es> <87a81etf3v.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
To: info-gnus-english@gnu.org

Maxim Cournoyer writes:

> Alberto Luaces writes:
>
>> Hi Maxim,
>>
>> Maxim Cournoyer writes:
>>
>>> Are you sure the data obtained from news.gmane.org is not funneled
>>> through TLS? And why would Emacs warn about Gmane TLS problems
>>> otherwise? The Gnus manual has this to say about the
>>> `nntp-open-network-stream':
>>>
>>> This is the default, and simply connects to some port or other on the
>>> remote system. If both Emacs and the server supports it, the connection
>>> will be upgraded to an encrypted STARTTLS connection automatically.
>>>
>>
>> Yes, you are right in the TLS part, but I was referring to the trust you
>> are putting into a certificate you have also downloaded in an insecure
>> way. The certificate system only works if it is signed by someone you
>> already trust. If the certificate is self-signed, the only safe way to
>> check that it is the valid one would be to exchange fingerprints with
>> the owner by means of a different secure channel (telephone, USB
>> exchange...)
>>
>> Otherwise you can suffer from a man-in-the-middle attack even if the whole
>> communication is encrypted.
>
> Good point! I hadn't given much thought about that one. Still, while
> flawed, the exercise of trusting the news.gmane.org server is not
> totally pointless: if I was lucky enough to retrieve the certificate
> at a time before Malefoy compromised the communication, then I'm at least
> protected against later attacks.
>
> Thanks for sharing this important limitation. After Gmane's totally
> back, it would be nice if the self-signed certificate were upgraded to a
> free Let's Encrypt[1].

I fully agree. With LE, the excuses for not having a proper SSL system
are not valid anymore.

Regards,

--
Alberto
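The trust-on-first-use scheme the thread describes (record the self-signed certificate's fingerprint the first time you see it, compare it with the owner over another channel, and refuse any later connection that presents a different certificate), as an added example in Python; this is not code from the thread, from Gnus or from Gmane. It assumes a plain NNTP server that accepts STARTTLS on port 119 (RFC 4642) and goes a little beyond the thread by showing the STARTTLS upgrade itself; the host name and pin-file path are assumed, and the `<test>` uses constructed byte strings in place of real DER certificates.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path

class PinMismatch(Exception):
    """The server's certificate changed since it was first recorded."""

def fingerprint(der_cert):
    """SHA-256 fingerprint in the colon form that openssl and Emacs display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class PinStore:
    """Trust-on-first-use: record the first fingerprint seen for a host and
    require every later connection to present the same certificate."""
    def __init__(self, path=None):            # path is an assumption, e.g. ~/.nntp-pins.json
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host, der_cert):
        """Return 'pinned' on first sight, 'ok' on a match; raise on a change."""
        fp = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:                  # first contact: this is the TOFU moment;
            self.pins[host] = fp           # compare fp out of band before relying on it
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=1))
            return "pinned"
        if known != fp:
            raise PinMismatch(f"{host}: expected {known}, got {fp}")
        return "ok"

def connect_pinned(host, store, port=119):
    """NNTP connect, upgrade with STARTTLS (RFC 4642), verify the peer by pin."""
    raw = socket.create_connection((host, port), timeout=15)
    lines = raw.makefile("rb")
    lines.readline()                       # 200/201 greeting
    raw.sendall(b"STARTTLS\r\n")
    if not lines.readline().startswith(b"382"):
        raise RuntimeError("server did not accept STARTTLS")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # self-signed: no CA chain to validate,
    ctx.verify_mode = ssl.CERT_NONE        # so the pin check below is the verification
    tls = ctx.wrap_socket(raw, server_hostname=host)
    return tls, store.check(host, tls.getpeercert(binary_form=True))
```

A first run returns `"pinned"` and that is exactly the point Maxim makes: the pin only protects later sessions if the certificate captured on that first run was genuine, which is why the fingerprint should be confirmed with the server's owner before it is trusted.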