info-gnus-english

Re: Gmane with Gnus first timer


From: Alberto Luaces
Subject: Re: Gmane with Gnus first timer
Date: Fri, 29 Sep 2017 09:43:40 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Maxim Cournoyer writes:

> Alberto Luaces <aluaces@udc.es> writes:
>
>> Hi Maxim,
>>
>> Maxim Cournoyer writes:
>>
>>> Are you sure the data obtained from news.gmane.org is not funneled
>>> through TLS? And why would Emacs warn about Gmane TLS problems
>>> otherwise? The Gnus manual has this to say about the
>>> `nntp-open-network-stream':
>>>
>>>     This is the default, and simply connects to some port or other on the
>>>     remote system. If both Emacs and the server supports it, the connection
>>>     will be upgraded to an encrypted STARTTLS connection automatically.
>>>
>>
>> Yes, you are right in the TLS part, but I was referring to the trust you
>> are putting into a certificate you have also downloaded in an insecure
>> way.  The certificate system only works if it is signed by someone you
>> already trust.  If the certificate is self-signed, the only safe way to
>> check that it is the valid one would be to exchange fingerprints with
>> the owner by means of a different secure channel (telephone, USB
>> exchange...)
>>
>> Otherwise you can suffer from a man-in-the-middle attack even if the whole
>> communication is encrypted.
>
> Good point! I hadn't given much thought to that one. Still, while
> flawed, the exercise of trusting the news.gmane.org server is not
> totally pointless: if I was lucky enough to retrieve the certificate
> at a time before Malefoy compromised the communication, then I'm at least
> protected against later attacks.
>
> Thanks for sharing this important limitation. After Gmane's totally
> back, it would be nice if the self-signed certificate were upgraded to a
> free Let's Encrypt one[1].

I fully agree.  With LE, the excuses for not having a proper SSL system
are not valid anymore.

Regards,

-- 
Alberto
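The two trust models the thread contrasts, trust-on-first-use pinning (Maxim's "lucky enough to retrieve the certificate before Malefoy compromised the communication") versus verifying the fingerprint over a separate channel (Alberto's telephone/USB exchange), as an added example that is not code from this thread, from Gnus or from Emacs. Emacs's own Network Security Manager keeps a comparable first-use store of accepted fingerprints, which is what produces the warnings discussed above. The certificates below are constructed byte strings standing in for DER-encoded certificates; the fingerprint is computed as a real tool would (SHA-256 over the DER bytes), so the logic transfers unchanged to bytes obtained with `ssl.get_server_certificate()` and `ssl.PEM_cert_to_DER_cert()`.

```python
"""Trust-on-first-use (TOFU) pinning versus out-of-band fingerprint checks.

Added example, not code from the thread, Gnus or Emacs.  GENUINE_CERT and
ATTACKER_CERT are constructed stand-ins for DER certificates, not X.509 data.
"""
import hashlib
import hmac
from typing import Dict


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinMismatch(Exception):
    """The certificate presented does not match the one pinned for this host."""


class TofuStore:
    """Pin the first certificate seen for each host; reject later changes.

    This protects against an attacker who appears *after* the first
    connection, but offers nothing if the first connection was intercepted.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, host: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so the pin is blind.
            self._pins[host] = fp
            return "pinned-on-first-use"
        if not hmac.compare_digest(pinned, fp):
            raise PinMismatch(f"{host}: expected {pinned}, got {fp}")
        return "matches-pin"


def verify_out_of_band(der_cert: bytes, expected_fp: str) -> bool:
    """Compare the presented certificate against a fingerprint obtained over a
    separate trusted channel (phone, USB stick).  This closes the
    first-contact gap that TOFU leaves open."""
    normalized = expected_fp.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(fingerprint(der_cert).replace(":", ""), normalized)


# Constructed stand-ins for DER certificates (not real X.509 data).
GENUINE_CERT = b"DER:news.gmane.org:self-signed:genuine"
ATTACKER_CERT = b"DER:news.gmane.org:self-signed:forged"


def scenario_tofu_first_then_attack() -> list:
    """First contact is clean, attacker shows up later: TOFU catches it."""
    store = TofuStore()
    events = [store.check("news.gmane.org", GENUINE_CERT)]
    try:
        store.check("news.gmane.org", ATTACKER_CERT)
        events.append("accepted")
    except PinMismatch:
        events.append("rejected")
    return events


def scenario_tofu_attack_first() -> list:
    """Attacker controls the very first connection: TOFU pins the forgery
    and accepts it on every later connection."""
    store = TofuStore()
    events = [store.check("news.gmane.org", ATTACKER_CERT)]
    events.append(store.check("news.gmane.org", ATTACKER_CERT))
    return events


def scenario_out_of_band() -> tuple:
    """Out-of-band fingerprint check: the forged cert fails even on first use."""
    trusted_fp = fingerprint(GENUINE_CERT)  # learned over a separate channel
    return (verify_out_of_band(GENUINE_CERT, trusted_fp),
            verify_out_of_band(ATTACKER_CERT, trusted_fp))


if __name__ == "__main__":
    print(scenario_tofu_first_then_attack())  # ['pinned-on-first-use', 'rejected']
    print(scenario_tofu_attack_first())       # ['pinned-on-first-use', 'matches-pin']
    print(scenario_out_of_band())             # (True, False)
```

The second scenario is the limitation Alberto raises: a pin store cannot tell a genuine first certificate from a forged one, so its protection is only as good as the first connection. The comparison uses `hmac.compare_digest` so that fingerprint checks do not leak timing information, which matters once the same routine is wired into a real connection path.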
