[ Stripping some cc-ed lists because I only comment on the Gnus side
of the issue. Adding starttls.el authors. ]
On Mon, Sep 22 2008, Arnaud Ebalard wrote:
> RISKO Gergely <[EMAIL PROTECTED]> writes:
[...]
>> You surely knows about the gnus usage of this, since you CC'd the
>> mailing list, sorry.
>
> yes.
>
>> So my option is that a disclaimer should be placed, but SSL with
>> SSL_VERIFY_NONE is MUCH, MUCH, MUCH better than not using SSL at all.
>
> No, it is not. It is worse. It provides a feeling of security to the
> people that use it. It is like driving with deactivated airbags.
>
>> And the joke is SSL's security model - where you are considered secure
>> if you pay $500/year -, not starttls.
>
> 1) I use my own PKI for some of my services, which costs me nothing.
> 2) As a client, you do not pay for the server certificates (cf gmail)
> and trust anchors.
> 3) It is a lame excuse.
[...]
>> I'm against the removal, since it will break imaps/pop3s connections
>> from emacs based muas (I'm at least sure in gnus, I use it hourly).
>
> Then, someone should correct the code to support passing trust anchors,
> allow passing the verify value, and document capabilities and
> limitations.
Gnus currently uses starttls if starttls and gnutls-cli are available
for backward compatibility.
Would it make sense to prefer gnutls-cli and warn when using starttls
(if gnutls-cli is not installed)?
,----[ starttls.el ]
| ;;; Commentary:
|
| ;; This module defines some utility functions for STARTTLS profiles.
|
| ;; [RFC 2595] "Using TLS with IMAP, POP3 and ACAP"
| ;; by Chris Newman <[EMAIL PROTECTED]> (1999/06)
|
| ;; This file now contains a combination of the two previous
| ;; implementations both called "starttls.el". The first one is Daiki
| ;; Ueno's starttls.el which uses his own "starttls" command line tool,
| ;; and the second one is Simon Josefsson's starttls.el which uses
| ;; "gnutls-cli" from GNUTLS.
| ;;
| ;; If "starttls" is available, it is prefered by the code over
| ;; "gnutls-cli", for backwards compatibility. Use
| ;; `starttls-use-gnutls' to toggle between implementations if you have
| ;; both tools installed. It is recommended to use GNUTLS, though, as
| ;; it performs more verification of the certificates.
`----
[...]
>> Thanks again for your contribution to Debian, if you write the
>> disclaimer in a few world that should be appended to the package
>> description in your opinion, it would be a big help.
>
> "This software does not have any authentication capabilities: it does
> not allow you to authenticate your peer, which is a basic requirement
> for TLS/SSL to be used securely. You should only use it for testing
> purposes and not relaying important information. Be aware that you are
> vulnerable to MITM when using it"
Bye, Reiner.
--
,,,
(o o)
---ooO-(_)-Ooo--- | PGP key available | http://rsteib.home.pages.de/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
