bug-gnu-emacs

bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability


From: Jens Lechtenboerger
Subject: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
Date: Fri, 05 Dec 2014 21:39:41 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

On 2014-12-05, Andreas Schwab wrote:

> Jens Lechtenboerger <jens.lechtenboerger@fsfe.org> writes:
>
>> In addition, imap.el only tries SSLv2 and SSLv3,
>
> imap.el always tries STARTTLS and TLS before SSL, unless you force it to
> do otherwise.

I’m sorry, I meant to talk about imap-ssl-program, which I mentioned
above that quote.  So it should read: “imap-ssl-program in imap.el
only tries SSLv2 and SSLv3”

But you are right, I’m using “:stream ssl” among mail-sources.
If I remove that, the connection uses STARTTLS, which ultimately
calls starttls-gnutls-program, for which I suggested
(setq starttls-extra-arguments '("--strict-tofu"))
in bug#16978 to avoid MITM with “trusted” certificates.

Changing to “:stream tls” seems to invoke tls-program, about which I
filed bug#19284.

Best wishes
Jens




