Re: Bug#766395: emacs/gnus: Uses s

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

From:	Florian Weimer
Subject:	Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date:	Sun, 26 Oct 2014 09:15:48 +0100

* Lars Magne Ingebrigtsen:

> The proposed security manager would store certificate fingerprints, so
> detecting when a known server drops from TLS 1.2 to SSL 3.0 would
> presumably also be something we could warn about, just like we would
> warn when we drop from STARTTLS to unencrypted.
>
> "You are talking to imap:dea.gov via SSL 3.0 now, while last time you
> did this via TLS 1.2.  This might mean that you're suffering from a
> Man-In-The-Middle attack.  Still connect?"

Uhm, if this happens, the server has been downgraded.  The handshake
will fail if a man-in-the-middle attempts to force the use of SSL 3.0,
and both ends support something newer.  (As far as I can tell, Emacs
does not implement the vulnerable protocol downgrade code, unlike
browsers.)

[Prev in Thread]

Current Thread

[Next in Thread]

Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., (continued)

Prev by Date: Re: gfile-based file notifications are not immediate
Next by Date: Re: Git transition
Previous by thread: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Next by thread: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Index(es):
- Date
- Thread