GNU bug report logs - #19284
25.0.50; tls.el uses option --insecure

Previous Next

Package: emacs;

Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>

Date: Fri, 5 Dec 2014 19:44:01 UTC

Severity: normal

Tags: fixed, security

Found in version 25.0.50

Fixed in version 25.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

Full log

Message #10 received at 19284 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>
Cc: 19284 <at> debbugs.gnu.org
Subject: Re: bug#19284: 25.0.50; tls.el uses option --insecure
Date: Sat, 26 Dec 2015 22:15:45 +0100

Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org> writes:

> This is a followup to bug#16978, where I reported multiple MITM
> issues.
>
> tls.el calls gnutls-cli with option --insecure.
>
> As Emacs applies TOFU by default via nsm.el (great work, many
> thanks!), the above is dangerous.  I continue to use the following:
> (setq tls-program '("gnutls-cli --strict-tofu -p %p %h"))
>
> I’m not sure under what conditions tls.el is necessary.  Is it?

tls is not used if Emacs is build with GnuTLS (which all significant
distributions are, I think).  

As Stefan said in a different report -- perhaps we should just require
Emacs with built-in TLS support if you want to use TLS.  That would
essentially mean that we should just remove tls.el and starttls.el.

Alternatively we could, in Emacs 25.1, just remove the --insecure
settings and let people who try to connect to their IMAP server just
fail somewhat mysteriously (it's very common to have self-signed certs
for IMAP).

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
This bug report was last modified 9 years and 148 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.