Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

[Perry E. Metzger]

On Sat, 25 Oct 2014 05:51:36 +0900 "Stephen J. Turnbull"
<address@hidden> wrote:
> But you're defining "sensitive" in terms of security, and that's the
> wrong definition -- those sensitive users are already doing what you
> advocate and don't need encouragement to upgrade their servers and
> so on.[1]  It's security-insensitive users who would be
> inconvenienced,

For a long time, the community believed that the relevant fact was
that most users were not security sensitive. Then we came to
understand that the same application software is used by your
grandfather and by reporters talking to sources about intelligence
agencies with hostile intent. It is also the case that few users with
high level security needs actually understand how to tune their
applications.

Unfortunately, the proper strategy is to code to the *highest* level
of security that a user of your application might need, not to the
average level of security one of your users might need.

Or, to quote the usual slogan, "there should only be one mode, and it
should be secure".

> [1]  It's true that these users *need* the option to turn off the
> less secure protocol so it doesn't get used inadvertantly, and it's
> probably desirable that it be off by default.

Turning off insecure modes of operation by default is a sort of
minimum, yes. However, it is usually insufficient if it is relatively
easy to turn security off and produces no feedback to the effect
that you are operating in insecure mode.

Once you've listened to the secret service or DEA chatting on the
radio in the clear by accident because they don't realize they
inadvertently turned off the encryption on their P25 radios (which is
trivial to do by accident and provides no warning feedback) you
realize that essentially *no* user can be trusted with such decisions
in the average case.

(This is not a theoretical story, by the way. And yes, you can read
our research group's papers about public safety radio security.)

When you study the failures in enough real world deployed systems,
even when used by trained personnel, you lose your belief that it
is okay to provide knobs to the users that they don't understand very
well. Really the only safe system follows "there should be only one
mode, and it should be secure".

Oh, and the reason P25 radios can be turned to the clear is... wait
for it... *for fallback compatibility*. People's lives have been
endangered by that little decision. (The only agency we found that
does not have serious leakage was the one that made the decision to
remove the clear option from their radios entirely. Somehow, they
found that they could live without compatibility with equipment
that could only do clear.)

Perry
-- 
Perry E. Metzger                address@hidden