Re: Deprecate TLS1.0 support in emacs

[Lars Ingebrigtsen]

Robert Pluim <address@hidden> writes:

> TLS1.0 is a seriously insecure protocol. I refrained from doing what I
> actually wanted to do, which is deprecate TLS1.1 as well. I think it's
> a disservice to allow TLS1.0 to continue to be used.

It's no more "insecure" to read lists.gnu.org via HTTPS than it is via
HTTP, which is also an option.  Denying the former while allowing the
latter is rather nonsensical.

And if it had been available only via HTTPS, then refusing Emacs users
to access it would also have a security impact: Refusing access to
information is not "security", but the opposite.

> That could be done with nsm, but only if you'll accept setting the
> default network-security-level to 'high, or adding a specific check
> for protocol version at 'medium. Option 1 looks something like this:

No, `high' should be reserved for people that want higher than normal
network security.

It might make sense to warn for TLS1.0 on `medium', though, but I'd have
to check what other web browsers do here.  I think, for instance, that
Firefox still supports TLS1.0, and gives no warning, either.  So unless
I've misunderstood the Firefox situation, I don't think we should do
anything here.

More long-term, I think it may make sense to just treat these "insecure"
protocols as if they were unencrypted, user interface wise, but that
would be up to each individual application (eww, package-list, etc) and
not further down in the network stack?  Perhaps?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no