User: Password:
|
|
Subscribe / Log in / New account

Emacs & TLS

This article brought to you by LWN subscribers

Subscribers to LWN.net made this article — and everything that surrounds it — possible. If you appreciate our content, please buy a subscription and make the next set of articles possible.

By Jake Edge
July 11, 2018

A recent query about the status of network security (TLS settings in particular) in Emacs led to a long thread in the emacs-devel mailing list. That thread touched on a number of different areas, including using OpenSSL (or other TLS libraries) rather than GnuTLS, what kinds of problems should lead to complaints out of the box, what settings should be the default, and when those settings could change for Emacs so as not to discombobulate users. The latter issue is one that lots of projects struggle with: what kinds of changes are appropriate for a bug-fix release versus a feature release. For Emacs, its lengthy development cycle, coupled with the perceived urgency of security changes, makes that question even more difficult.

Questions and concerns

In mid-June, Jimmy Yuen Ho Wong posted some "questions and concerns about Emacs network security" to the list. He had run some tests making TLS connections to web sites with bad certificates, but found that Emacs did not complain about the problems. The default values for some security settings were inadequate, he said; he proposed a set of better defaults, but there were still some failures. So he wondered:

  1. Can we update the default network security settings?
  2. Now that `starttls.el` and `tls.el` are obsolete, and GnuTLS doesn't seem to be doing a very good job, can we link to something better maintained, such as OpenSSL/LibreSSL/BoringSSL/NSS?

The emacs-devel post came out of a much less temperate reddit post. In it, he noted that tls.el and starttls.el have been deprecated on the master branch. Using those, he could build Emacs without GnuTLS and use the OpenSSL command-line programs for his TLS connections, but that option is going away. In his mailing list post, he also asked about nsm.el, which is the Emacs Network Security Manager: It is "seemingly doing redundant checks if your TLS settings are reasonable, what's the history of it and why is it not obsolete when `tls.el` and `starttls.el` are?"

The settings that Wong complained about (gnutls-verify-error, gnutls-min-prime-bits, and gnutls-algorithm-priority) are actually for the lower-level gnutls.el library that is the interface to GnuTLS, Lars Ingebrigtsen explained. "The Emacs Network Security Manager does the user interface job handling various classes of (insecure) network access classes", he said. He is the developer of NSM and wrote a blog post about it when it was merged back in 2014. NSM was released as part of Emacs 25.1 in 2016. In a subsequent emacs-devel post, he clarified the role of NSM:

Network security management is done by nsm.el, not by the underlying libraries. The NSM provides, as the name implies, network security, and does stuff like certificate pinning and warns you if a STARTTLS connection has degraded to a non-TLS connection (which, of course, the gnutls.el functions can't do on its own).

But there are still more problems that Wong has found. He listed around two dozen badssl.com sites that did not give any errors when he accessed them from Emacs using the default settings. Three of the failures he rated as "very concerning" (revoked., pinning-test., and sha1-intermediate.) and another was "a bit concerning" (invalid-expected-sct.). All of those were run with the default value of network-security-level, which is "medium"; setting it to "high" only resulted in complaints from two of the sites with too small Diffie-Hellman key sizes (dh480. and dh512.).

Ingebrigtsen acknowledged some of those problems; he suggested that more of those sites should result in complaints on the high security level and that the Diffie-Hellman complaints should move from high to medium. He seemed less convinced on the certificate-pinning problem, but was interested in patches to implement the complaint for a revoked certificate. He also filed a bug to remind himself of a feature he has planned to make the protocol checks more extensible.

Security tradeoffs

Certificate pinning—really public-key pinning—is important, Perry E. Metzger said. In contrast to Ingebrigtsen's ambivalence, Metzger said that it can be a "matter of life or death for many people". Sites can request that their public keys be stored by the browser using HTTP Public Key Pinning (HPKP), not doing so could be disastrous:

Pinning is what is done by sites like gmail to prevent third world dictatorships from using stolen certificate credentials to spy on their citizens. People who have been victims of this have had their email read, been arrested by state security forces for dissent, and have been tortured to death for lack of certificate pinning working in their browsers.

But Emacs co-maintainer Eli Zaretskii is concerned that adopting such measures will result in extra prompts and other inconveniences for those who are not living under such conditions:

It isn't the Emacs way to second-guess our users' needs, definitely not to decide for them what is and what isn't a matter of life and death for them. We provide options with some reasonable defaults, and then let users make informed decisions which defaults are not good enough for them.

It is IMO unreasonable to make our defaults match what happens in dictatorships that you describe, because that would unnecessarily inconvenience the majority of the users. Let's not follow the bad example of the TSA (whose rationale is, unsurprisingly, also matters of life and death).

The settings of various web browsers were often discussed in the thread, at least as a starting point for what the Emacs defaults should be. But NSM is used for more than just web browsing (IMAP, for example) in Emacs, so the fit is not exact. The Emacs Web Wowser (EWW) is used to browse the web, though, so Emacs can learn from the other browsers. As Paul Eggert put it:

However, when Emacs is used to browse the web there's a powerful argument to model its security practices on those of other web browsers. A lot of practical experience has gone into the Firefox and Chrome security models, and it would be much, much more efficient for us Emacs developers to reuse those wheels instead of reinventing them.

But Zaretskii thinks there is more to it since Emacs does more with TLS than just web browsing:

NSM is used for every net connection, not just those on behalf of EWW. If you are arguing that NSM should apply different settings to EWW connections and to the other kind, then this is a separate issue.

Richard Stallman weighed in as well; he disclaimed knowledge of the details, but suggested a "possible avenue for choosing a good response". He wants to ensure that, early on, users get a way to at least consider the question: "might thugs with torture chambers be spying on me" (as he put it in another message).

The idea is that we make sure users see a chance to choose between the alternatives (convenience and safety) early enough that they won't be unsafe. The choice should come with an explanation of each option, first stating what situations it is recommended for, then what it does.

No one really disagreed with that idea, but it is also not really the focus of ongoing efforts. The idea seems reasonable, but the implementation—wording in particular—may be harder than it sounds.

Prime bits

The current setting in Emacs for the minimum number of bits in the prime number used as part of the Diffie-Hellman key exchange algorithm is 256, which is woefully small, according to Wong and others. Various kinds of attacks on key exchanges with small primes are known and TLS-downgrade attacks can be used to force the key exchange to use these smaller prime numbers. Currently, browsers set their minimum to 1024 bits, which is still thought to be susceptible to state-level attackers. Given that, Noam Postavsky asked if that default could be bumped to 1024 on the release branch.

Zaretskii was opposed to doing so on the release branch, since the amount of testing it would require would likely delay the Emacs 26.2 bug-fix release. Part of the changes that Ingebrigtsen has planned would change the medium security level so that NSM would complain about small primes, but it is not clear that those changes would make it into 26.2. Zaretskii is concerned about "unintended breakage" from this kind of change, but others, including Postavsky think "it's unfortunate that we're still going to release a 26.2 which silently accepts primes smaller than 1024 bits by default".

It turns out, however, that NSM does complain about primes that are smaller than 1024 bits, according to Ingebrigtsen. That is a bit inconsistent with the gnutls.el setting, but it does at least solve the problem. Users who have a need to connect to servers with 256-bit Diffie-Hellman primes can still do so without changing gnutls-min-prime-bits, albeit with a warning. Wong got a bit heated in his response, though Ingebrigtsen thought it all makes sense: the lower layer can still do things that the upper layer will warn the user about. He also pointed out that Wong may not be looking at the big picture:

Both here and in other places in this thread you seem to fixate on the particular use cases you're interested in to the extent that you say that other use cases are wrong, somehow. People have different needs and different approaches, and Emacs should empower them to get their work done, and not pressure them into doing it the way we think they should do it.

Along the way, Wong also posted his plans for handling some of the areas where NSM is not up to date with the latest TLS best practices. That includes support for Certificate Transparency (CT), which is being deployed by some browsers instead of HPKP, better support for HPKP, better cipher suite and TLS extension checks, and so on. While Ingebrigtsen has quibbles and has not actually looked at the code, he thinks Wong "is very much on the right track". It would seem that before long Emacs will have a better network security story—though it may not get out to users until Emacs 27, whenever that might be.

Switching TLS libraries

The suggestion to switch to OpenSSL is popular with some, but there are some barriers as well. One, which likely will occur to anyone who has been keeping an eye on OpenSSL over the years, is licensing. OpenSSL has its own unique license that is not compatible with the GPL; other projects have run into that incompatibility along the way. But OpenSSL has been actively working to relicense itself under the Apache Software License v2. As of March 1, the project is close to being able to switch; it plans to do so with its next release.

Another potential issue is the "Gnu" in GnuTLS, but that is something of an accident of history. GnuTLS moved out of the GNU project back in 2012. Normally, GNU projects (such as Emacs) are strongly encouraged (or more) to support and use other GNU projects, but that is no longer a consideration here. However, Zaretskii noted that Emacs had "just switched to GnuTLS as the primary means in Emacs 26.1" and that maintaining both a GnuTLS and an OpenSSL version of the TLS code would be a maintenance burden. He was firmly opposed to the idea.

In the end, Wong more or less agreed. In a lengthy message, which covered a lot of other topics, he said:

In addition, these days I try to live by a motto - Don't let the perfect be the enemy of the good. Replacing GnuTLS with OpenSSL is significantly harder than writing a couple C functions to get the most out of GnuTLS. Replacing it without major regressions even harder. Besides, most of Emacs' network security problems do not come from [its] use of GnuTLS, but deficiencies in NSM. I believe Emacs' network security can get much better faster if we focus our efforts on the current design.

It was a long and scattered thread, but the end result looks like a nice improvement in Emacs network security that comes from a new Emacs developer—Wong went through the process of assigning copyright to the FSF in one of the sub-threads. There are a lot of "fiddly bits" when it comes to network protocols, especially those involving encryption, key exchange, and so on. Having a new expert interested in working on those problems will be a boon to Emacs and its users.

(Log in to post comments)

Emacs & TLS

Posted Jul 11, 2018 17:30 UTC (Wed) by ejr (subscriber, #51652) [Link]

Another question to consider is "might thugs with torture chambers order me to change the setting?" A method to enforce certain security conditions at build time could be useful for software distributions targeting those environments. Although the thugs may ban the software altogether (as used to happen with key lengths) or provide their own build forcing weak requirements.

Emacs & TLS

Posted Jul 11, 2018 17:31 UTC (Wed) by ejr (subscriber, #51652) [Link]

(Oh, and dealing with a compliance audit may count as a torture chamber.)

Emacs & TLS

Posted Jul 12, 2018 6:52 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

> Another question to consider is "might thugs with torture chambers order me to change the setting?"

Or "how ethical is it for me to encourage others to oppose thugs with torture chambers from the comfort of my office chair"? Recent history hasn't convinced me that opposing thugs always improves things, and it can be hard to find a safe place willing to take you in when things go wrong and you try to get away.

Emacs & TLS

Posted Jul 12, 2018 20:26 UTC (Thu) by xtifr (subscriber, #143) [Link]

I think there is a difference between *encouraging* others to oppose thugs with etc., and allowing or making it *easier* for others to oppose thugs with etc., should they so choose.

Emacs & TLS

Posted Jul 13, 2018 7:22 UTC (Fri) by michaeljt (subscriber, #39183) [Link]

> I think there is a difference between *encouraging* others to oppose thugs with etc., and allowing or making it *easier* for others to oppose thugs with etc., should they so choose.

True, but the line between facilitating and encouraging is rather fine, especially if those others are starry-eyed. And perhaps I should have also said something about people who did not choose to be involved getting caught in the cross-fire between thugs and those opposing them.

Thugs and Rigged Systems

Posted Jul 19, 2018 5:38 UTC (Thu) by Garak (guest, #99377) [Link]

Pinning is what is done by sites like gmail to prevent third world dictatorships from using stolen certificate credentials to spy on their citizens. People who have been victims of this have had their email read, been arrested by state security forces for dissent, and have been tortured to death for lack of certificate pinning working in their browsers.
This reads too much like the opposite of "GMail will not save you". The phrase 'Citation Needed' also comes to mind. I find it very, very, very hard to believe that 'lack of certificate pinning working in their browsers' would have truly made all the difference in that/those specific examples if they really happened. I don't discount the theoretical plausibility of such a scenario- sure, one could write a screenplay where exactly that happened. But I think it's important to remember that there are a lot of state security forces out there with varying degrees of skill, competence, resources, etc.

If you live under a 'third world dictatorship' that 'tortures to death' 'dissenters', I would strongly advise not using crypto at all, or rather, using computers like everyone else does, but assuming the crypto is broken (like it undoubtedly is, or will become at some point). If you can't work your organized dissent without depending on crypto, I doubt it's going to work out well in the long run. $0.02... Good Luck.

Emacs & TLS

Posted Jul 12, 2018 12:40 UTC (Thu) by hkario (subscriber, #94864) [Link]

> he could build Emacs without GnuTLS and use the OpenSSL command-line programs for his TLS connections

that's a problem in itself

openssl s_client is a *debugging* tool, not intended to be used as a generic purpose TLS client

connect it to arbitrary server and enter "R" followed by enter and you'll see one of the possible unexpected behaviours

other issue is that every line is sent in a separate record, thus leaking size of each header (in HTTP) or command (in IMAP, SMTP) to a passive observer

Emacs & TLS

Posted Jul 12, 2018 18:14 UTC (Thu) by naptastic (subscriber, #60139) [Link]

I can't help but think of xkcd 463 reading this article. (giyf)

Why does a text editor--I mean, yes, I would rather have it use TLS and follow best practices--but what business does a text editor have opening any kind of socket?

Emacs & TLS

Posted Jul 12, 2018 19:29 UTC (Thu) by muep (subscriber, #86754) [Link]

Of course if this was about some minimal, small text editor. Like original vi or nano. But this is about GNU Emacs which is basically an application platform, a bit like web browsers are an application platform that emerged from document viewers which initially, in my impression, did not execute code as part of the document to be viewed.

I would guess that nowadays majority of text-editing work happens on tools where routine use involves also opening a socket.

Emacs & TLS

Posted Jul 12, 2018 20:25 UTC (Thu) by xtifr (subscriber, #143) [Link]

First of all, even if emacs *were* merely a text editor, it's not like all documents in the world are stored on a single machine. The ability to edit files stored on multiple machines from a single instance of an editor provides some *obvious* benefits. Most obviously, cut-and-paste without depending on a graphical user interface (no X required). Beyond that, there's the ability to use keystroke recording to define on-the-fly macros. If you could only edit files on a single machine, you would have to re-record your macro on each new machine with files which need editing--a potentially error-prone process. As it is, you can record the macro once, then apply it to files stored on machines all across your network.

But beyond that, of course, emacs is no more a text editor than gnome or kde is a window manager. But since that's not the question you asked, I won't go into detail about it, except to note that bundling IDLE with python wouldn't make it inappropriate to write other apps in python.

Emacs & TLS

Posted Jul 15, 2018 15:05 UTC (Sun) by naptastic (subscriber, #60139) [Link]

> As it is, you can record the macro once, then apply it to files stored on machines all across your network.

I can??? That's REALLY cool. With the tools in my current toolbox, I'd end up writing a script (probably sed or Perl), uploading the script someplace all my hosts could access, and then maybe

for $host in $(cat hosts_to_zoit); do ssh -t $host "curl $script_url | /bin/sh"; done

and then realize I need to go do something else like shave, or set something on fire... or maybe learn Emacs. ;)

> bundling IDLE with python wouldn't make it inappropriate to write other apps in python.

This answers my question the same way a kōan provides enlightenment. It's not a direct answer, but having read it, my question is answered. Thank you!

Emacs & TLS

Posted Jul 19, 2018 6:38 UTC (Thu) by Wol (guest, #4433) [Link]

Not that I know emacs, really, but I believe it's a bit like Forth. An extensible system that will do whatever you want.

In Forth, you combine primitives until you have a system that does complicated things - like a BIOS, say.

In Lisp, you combine primitives until you have the kitchen sink with emacs :-)

So under the hood, emacs IS Lisp, a powerful programming environment. A completely different approach to languages like C and Fortran, where the compiler is completely separate from the application.

Cheers,
Wol

Emacs & TLS

Posted Jul 18, 2018 7:57 UTC (Wed) by Shugyousha (subscriber, #93672) [Link]

> First of all, even if emacs *were* merely a text editor, it's not like all documents in the world are stored on a single machine. The ability to edit files stored on multiple machines from a single instance of an editor provides some *obvious* benefits. Most obviously, cut-and-paste without depending on a graphical user interface (no X required). Beyond that, there's the ability to use keystroke recording to define on-the-fly macros. If you could only edit files on a single machine, you would have to re-record your macro on each new machine with files which need editing--a potentially error-prone process. As it is, you can record the macro once, then apply it to files stored on machines all across your network.

Personally, I always thought that using something like sshfs and then use the locally installed editor is a much more elegant solution for editing files on different machines. That way your text editor doesn't have to know about network protocols at all.

Emacs & TLS

Posted Jul 18, 2018 8:48 UTC (Wed) by paulj (subscriber, #341) [Link]

Can be really slow though.

Emacs & TLS

Posted Jul 18, 2018 14:22 UTC (Wed) by rweikusat2 (subscriber, #117920) [Link]

Whichever way you turn it, the filesystem API cannot be married to "the network" in a sensible way. An application using a network filesystem remains a networked application and has to be written accordingly. And demanding that all applications using the filesystem have to be written as if they were networked applications just to support the ill-conceived idea of "a network filesystem", as "friends of the NFS" are/ were wont to do, is not reasonable.

Emacs & TLS

Posted Jul 18, 2018 14:31 UTC (Wed) by zlynx (subscriber, #2285) [Link]

Except that even local filesystems are on a network. It's a PCIe bus and usually quite fast. But still a network.

The newer block device schedulers even borrow ideas from networks.

Programmers can try to ignore the complexities when using local filesystems, but in reality they still have all the same problems. Devices can time out, be forced to reset, or just disappear. Even if they're local.

Emacs & TLS

Posted Jul 18, 2018 16:02 UTC (Wed) by rweikusat2 (subscriber, #117920) [Link]

Technically, any connection between two "electric things" can be regarded as "sort-of a network" but that's besides the point.

The filesystem API is an abstract interface provided by the kernel which enables applications to work with "files" and "directories" presumably backed by some kind of persistent storage medium. Making this work is a problem the kernel has to deal with as the API doesn't (and was never meant to) enable applications to do it. The most visible exponent is the "uninterruptible sleep state" --- applications using the file system API don't "block" because it's assumed that all operation will complete within some fairly short time. This isn't really true in practice but usually involves hardware failures (or software errors) which aren't supposed to occur (and hence, all bets are off).

In contrast to this, some functionally critical device on a network, eg, a switch or a router, not being available for an unspecified time or not being capable of handling all of the traffic it should have handled during some time interval are perfectly normal occurences and applications are expected to cope with that.

Emacs & TLS

Posted Jul 18, 2018 15:04 UTC (Wed) by mpr22 (subscriber, #60784) [Link]

An application using a network filesystem remains a networked application and has to be written accordingly.

This statement seems to lead me towards one of two conclusions about you:

  • You think people shouldn't be able to share a single home directory across multiple computers.
  • You think all applications for modern operating systems should be written as networked applications.

I shall be nice, and assume the second :)

Emacs & TLS

Posted Jul 18, 2018 15:52 UTC (Wed) by rweikusat2 (subscriber, #117920) [Link]

A speculation you happen to consider plausible is not a conclusion.

Emacs & TLS

Posted Jul 16, 2018 10:55 UTC (Mon) by ceplm (subscriber, #41334) [Link]

We are talking about https://bugzilla.redhat.com/1331446 , right?


Copyright © 2018, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds