[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
From: |
Florian Weimer |
Subject: |
Re: Bug#766395: emacs/gnus: Uses s_client to for SSL. |
Date: |
Sun, 26 Oct 2014 09:15:48 +0100 |
* Lars Magne Ingebrigtsen:
> The proposed security manager would store certificate fingerprints, so
> detecting when a known server drops from TLS 1.2 to SSL 3.0 would
> presumably also be something we could warn about, just like we would
> warn when we drop from STARTTLS to unencrypted.
>
> "You are talking to imap:dea.gov via SSL 3.0 now, while last time you
> did this via TLS 1.2. This might mean that you're suffering from a
> Man-In-The-Middle attack. Still connect?"
Uhm, if this happens, the server has been downgraded. The handshake
will fail if a man-in-the-middle attempts to force the use of SSL 3.0,
and both ends support something newer. (As far as I can tell, Emacs
does not implement the vulnerable protocol downgrade code, unlike
browsers.)
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., (continued)
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Stephen J. Turnbull, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Stephen J. Turnbull, 2014/10/24
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/24
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Lars Magne Ingebrigtsen, 2014/10/24
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/24
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Ted Zlatanov, 2014/10/25
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Lars Magne Ingebrigtsen, 2014/10/25
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.,
Florian Weimer <=
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Lars Magne Ingebrigtsen, 2014/10/26
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Florian Weimer, 2014/10/26
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Richard Stallman, 2014/10/25
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Florian Weimer, 2014/10/26
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Stephen J. Turnbull, 2014/10/24
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/24
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Stephen J. Turnbull, 2014/10/27
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/27
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Stephen J. Turnbull, 2014/10/28
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Thien-Thi Nguyen, 2014/10/28