Maxim Cournoyer writes:

> Alberto Luaces <alua...@udc.es> writes:
>
>> Hi Maxim,
>>
>> Maxim Cournoyer writes:
>>
>>> Are you sure the data obtained from news.gmane.org is not funneled
>>> through TLS? And why would Emacs warn about Gmane TLS problems
>>> otherwise? The Gnus manual has this to say about the
>>> `nntp-open-network-stream':
>>>
>>> This is the default, and simply connects to some port or other on the
>>> remote system. If both Emacs and the server supports it, the connection
>>> will be upgraded to an encrypted STARTTLS connection automatically.
>>>
>>
>> Yes, you are right in the TLS part, but I was referring to the trust you
>> are putting into a certificate you have also downloaded in an insecure
>> way. The certificate system only works if it is signed by someone you
>> already trust. If the certificate is self-signed, the only safe way to
>> check that it is the valid one would be to exchange fingerprints with
>> the owner by means of a different secure channel (telephone, USB
>> exchange...)
>>
>> Otherwise you can suffer from a man-in-the-middle attack even if the whole
>> communication is encrypted.
>
> Good point! I hadn't given much thought to that one. Still, while
> flawed, the exercise of trusting the news.gmane.org server is not
> totally pointless: if I was lucky enough to retrieve the certificate
> at a time before Malefoy compromised the communication, then I'm at least
> protected against later attacks.
>
> Thanks for sharing this important limitation. After Gmane's totally
> back, it would be nice if the self-signed certificate were upgraded to a
> free Let's Encrypt one[1].

I fully agree. With LE, the excuses for not having a proper SSL system are not valid anymore.

Regards,

--
Alberto

_______________________________________________
info-gnus-english mailing list
info-gnus-english@gnu.org
https://lists.gnu.org/mailman/listinfo/info-gnus-english
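The trust-on-first-use reasoning in the thread (pin a certificate that was fetched without chain validation, so that a later change is detected, and turn that into real verification only when the fingerprint is compared against one obtained over a separate channel), as an added Python example that is not part of the thread, of Gnus or of Emacs. The NNTPS port 563, the pin-store layout and the host key are assumptions; the certificate bytes used in the checks below are constructed placeholders rather than real DER.

```python
"""Trust-on-first-use (TOFU) pinning of a self-signed server certificate."""
import hashlib
import ssl
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert(host: str, port: int = 563) -> bytes:
    """Retrieve the server's leaf certificate WITHOUT chain validation (network call).

    This is the 'insecure download' the thread talks about: nothing here proves the
    certificate belongs to the real server, so the result may only be trusted after
    its fingerprint has been compared over a separate channel. Port 563 (NNTPS) is
    an assumption."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: Dict[str, str], key: str, cert_der: bytes,
              expected_fp: Optional[str] = None) -> str:
    """Return 'pinned' on first use (fingerprint stored) or 'match' on a later
    connection; raise ValueError if the certificate changed since first use or
    does not match the out-of-band fingerprint.

    store        -- assumed layout: {"host:port": fingerprint}
    expected_fp  -- fingerprint obtained over a different secure channel; when
                    given it is verified before anything is stored, which is what
                    turns TOFU into actual verification."""
    fp = fingerprint(cert_der)
    if expected_fp is not None and fp != expected_fp.upper():
        raise ValueError(f"{key}: certificate does not match out-of-band fingerprint")
    pinned = store.get(key)
    if pinned is None:
        store[key] = fp          # first use: we can only hope the channel was clean
        return "pinned"
    if pinned != fp:
        raise ValueError(f"{key}: certificate changed since first use (possible MITM)")
    return "match"
```

A pin made without `expected_fp` only protects against attacks that begin after the first retrieval, which is exactly the limitation discussed above.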