[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Gmane with Gnus first timer
|
From: |
Maxim Cournoyer |
|
Subject: |
Re: Gmane with Gnus first timer |
|
Date: |
Thu, 28 Sep 2017 22:26:12 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) |
Alberto Luaces <aluaces@udc.es> writes:
> Hi Maxim,
>
> Maxim Cournoyer writes:
>
>> Are you sure the data obtained from news.gmane.org is not funneled
>> through TLS? And why would Emacs warn about Gmane TLS problems
>> otherwise? The Gnus manual has this to say about the
>> `nntp-open-network-stream':
>>
>> This is the default, and simply connects to some port or other on the
>> remote system. If both Emacs and the server supports it, the connection
>> will be upgraded to an encrypted STARTTLS connection automatically.
>>
>
> Yes, you are right in the TLS part, but I was referring to the trust you
> are putting into a certificate you have also downloaded in an insecure
> way. The certificate system only works if it is signed by someone you
> already trust. If the certificate is self-signed, the only safe way to
> check that it is the valid one would be to exchange fingerprints with
> the owner by means of a different secure channel (telephone, USB
> exchange...)
>
> Otherwise you can suffer from a man-in-the-middle attack even the whole
> communication is encrypted.
Good point! I hadn't given much thought about that one. Still, while
flawed, the exercise of trusting the news.gmane.org server is not
totally pointless: if I was lucky enough to retrieve the certificate
at a time before Malefoy compromised the communication, then I'm at least
protected against later attacks.
Thanks for sharing this important limitation. After Gmane's totally
back, it would be nice that the self-signed certificate be upgraded to a
free Let's Encrypt[1].
Maxim
[1] https://en.wikipedia.org/wiki/Let's_Encrypt