Hi,

[resending, forgot some CC]

RISKO Gergely <[EMAIL PROTECTED]> writes:

> Sorry, I haven't noticed that you have cc'd mailing lists. Please
> find below my first response to Arnaud.

At least, thanks for the quick reply.

> You surely know about the gnus usage of this, since you CC'd the
> mailing list, sorry.

yes.

> So my opinion is that a disclaimer should be placed, but SSL with
> SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.

No, it is not. It is worse. It provides a feeling of security to the
people that use it. It is like driving with deactivated airbags.

> And the joke is SSL's security model - where you are considered secure
> if you pay $500/year -, not starttls.

1) I use my own PKI for some of my services, which costs me nothing.
2) As a client, you do not pay for the server certificates (cf gmail)
   and trust anchors.
3) It is a lame excuse.

> -=- my original response here: -=-
>
> severity 499774 wishlist
> thanks
>
> Dear Arno,
>
> Thanks for your suggestions and reasoning. Probably you haven't
> noticed that starttls is mainly an integration utility for mainly
> GNU/Emacs. And yeah, it is also good for testing StartTLS based
> services as a system administrator.
>
> I'm against the removal, since it will break imaps/pop3s connections
> from emacs based muas (I'm at least sure in gnus, I use it hourly).

Then, someone should correct the code to support passing trust anchors,
allow passing the verify value, and document capabilities and
limitations.

> And I'm also against the removal, because this is a very good tool for
> testing. I will also send a copy of this reply to [EMAIL PROTECTED]
> You are right, its package description should be changed and a
> disclaimer should be placed. Probably an 'are you sure?' question
> shouldn't be implemented (or if implemented, it shouldn't be the
> default), because it would block integrations like with emacs.
>
> As this is a documentation or a new feature request issue, I
> changed severity to wishlist.

It is not a "wishlist" feature, it is a security issue.

> Thanks again for your contribution to Debian, if you write the
> disclaimer in a few words that should be appended to the package
> description in your opinion, it would be a big help.

"This software does not have any authentication capabilities: it does
not allow you to authenticate your peer, which is a basic requirement
for TLS/SSL to be used securely. You should only use it for testing
purposes and not relaying important information. Be aware that you are
vulnerable to MITM when using it."

Cheers,
a+

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
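The point argued in the thread (a STARTTLS client built with SSL_VERIFY_NONE encrypts the channel but never authenticates the peer) and the fix Arnaud asks for (accept trust anchors, let the caller choose the verify setting) can be shown side by side with Python's `ssl` module. The following is an added example; it is not code from the starttls package, from Emacs, or from anyone in the thread. The function names (`make_context`, `authenticates_peer`, `is_tagged_ok`, `imap_starttls`) and the placeholder host in the usage line are the example's own assumptions; the IMAP STARTTLS exchange follows RFC 2595.

```python
"""Peer authentication on a STARTTLS connection: the weak setting beside
the hardened one.  Added example; not code from the starttls package or
from anyone in the thread.  Function names are the example's own."""
import socket
import ssl
from typing import Optional


def make_context(verify_peer: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side TLS context.

    verify_peer=False is the behaviour the thread criticises
    (SSL_VERIFY_NONE): the channel is encrypted but any certificate is
    accepted, so an active attacker in the path is never detected.
    verify_peer=True requires a chain to a trust anchor (the system store,
    or `cafile` for a private PKI such as the one Arnaud runs) and checks
    the certificate against the hostname the client asked for.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify_peer:
        # check_hostname must be cleared before verify_mode can be CERT_NONE,
        # otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if this context will reject an unauthenticated server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def is_tagged_ok(line: bytes, tag: str) -> bool:
    """True if `line` is the IMAP server's tagged OK reply to our command."""
    return line.startswith(f"{tag} OK".encode())


def _readline(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated line byte by byte, so that no byte of the
    TLS handshake that follows is swallowed by a read-ahead buffer."""
    line = bytearray()
    while not line.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed before end of line")
        line += chunk
    return bytes(line)


def imap_starttls(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 10.0) -> dict:
    """Open a plain IMAP connection, upgrade it with STARTTLS (RFC 2595) and
    return the peer certificate as the ssl module reports it.

    With a verifying context a bad chain or name mismatch raises
    ssl.SSLCertVerificationError before any data is sent.  With
    verify_peer=False the handshake "succeeds" against anyone, and
    getpeercert() returns an empty dict because nothing was validated.
    """
    tag = "a001"
    plain = socket.create_connection((host, port), timeout=timeout)
    greeting = _readline(plain)
    if not greeting.startswith(b"* OK"):
        plain.close()
        raise RuntimeError(f"unexpected IMAP greeting: {greeting!r}")
    plain.sendall(f"{tag} STARTTLS\r\n".encode())
    reply = _readline(plain)
    if not is_tagged_ok(reply, tag):
        plain.close()
        raise RuntimeError(f"STARTTLS refused: {reply!r}")
    # server_hostname supplies SNI and is the name the certificate is checked against.
    with ctx.wrap_socket(plain, server_hostname=host) as tls:
        return tls.getpeercert()


if __name__ == "__main__":
    import sys
    for verify in (False, True):
        print(f"verify_peer={verify}: authenticates peer? "
              f"{authenticates_peer(make_context(verify))}")
    # Usage: python3 starttls_check.py imap.example.org [my-pki-ca.pem]
    # (imap.example.org is a placeholder, not a real target.)
    if len(sys.argv) > 1:
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(imap_starttls(sys.argv[1], 143, make_context(True, cafile)))
```

The design mirrors what the thread asks of the tool: the caller passes the verify setting and, for a private PKI, a trust anchor file; and the result makes the difference visible, because an unverified handshake hands back an empty certificate dict rather than anything a caller could rely on. Reading the STARTTLS reply one byte at a time is deliberate: a buffered reader could pull bytes that belong to the TLS handshake out of the socket before it is wrapped.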

