GNU bug report logs - #18600
24.3.94; EWW fails to check https certificates


Package: emacs

Reported by: Mark H Weaver <mhw <at> netris.org>

Date: Thu, 2 Oct 2014 06:27:02 UTC

Severity: important

Tags: fixed, security

Merged with 16193, 16978

Found in versions 24.3, 24.3.94

Fixed in version 25.1

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.


From: Mark H Weaver <mhw <at> netris.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: 18600 <at> debbugs.gnu.org, Glenn Morris <rgm <at> gnu.org>
Subject: bug#18600: 24.3.94; EWW fails to check https certificates
Date: Sun, 05 Oct 2014 13:17:56 -0400

Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> With these in mind, I have two recommendations:
>> * I believe that eww https should check certificates by default in 24.4,
>>   even though other tls connections are tolerant by default.
>> * At minimum, it should be possible to enable certificate checking for
>>   eww https connections while still allowing self-signed certificates
>>   for other uses of 'open-gnutls-stream' such as imaps and smtps.  This
>>   is a fairly common case.
>
> I think it's too late to do that for Emacs-24.4.  But we should apply
> such a change to `emacs-24' after the 24.4 release, so that it will be
> included in the next release regardless if the next release is 25.1 or
> a 24.5 bugfix.

I continue to think this will be ill-received, and could result in more
bad PR for the GNU Project, but having said that, I'll let it go now.

     Thanks,
       Mark




This bug report was last modified 10 years and 180 days ago.
