The Emacs Network Security Manager

Emacs 25 will have a network security manager. You know — the thing that nags you when you visit https pages with invalid certificates and annoys all y’all so much.

firefox
The Firefox security manager

Yay.

Designing a thing like that is a minefield. On one hand, you have professional security professionals who seem to insist that the sky is constantly falling and that the only secure thing one can do is to snip the Ethernet cable, pour concrete over the computer and then bury it in a volcano.

On the other hand, you have, literally, everybody else: People who don’t care about network security at all, and if you so much as ask them a simple question once, they get mad and send you email about how mad this makes them.

So! Into the breach.

The network security manager in Emacs 25 (merged into trunk last week and switched on today) checks certificate validity, STARTTLS downgrade attacks, unencrypted sending of passwords via IMAP, POP3 and SMTP, and does certificate/public key pinning for self-signed certificates.

nsm
The Emacs Network Security Manager

If you’re paranoid, you can make it do certificate pinning for validated certificates, too, so that you can see when the NSA man-in-the-middles your traffic by getting a Certificate Authority to issue a forged certificate for the domains you are visiting. That’s not on by default, because we are not paranoid.

It allows you to save all these “security exceptions” for the session or permanently. And that’s where the professional security professionals will balk.

The argument is that if we allow the user to accept unverified connections, there is no security, because users always just says “yes” to everything. While that argument may be valid, the other side of the coin is that failing to communicate can also have negative ramifications.

Only the user can really say whether visiting a web site that has a problematic certificate is justified or not. When visiting an email archive to find the answer to a technical question — perhaps it is. When visiting your bank — probably not.

So: I hope that the network security manager we’ve implemented is sufficiently non-intrusive that people won’t feel it necessary to switch it off, and I hope that it’s encompassing enough that it offers some added security against snooping.

If you want to start using it now, pull down the development version of Emacs.

One thought on “The Emacs Network Security Manager”

  1. Sounds good!

    Would it be an improvement to show what exactly does not match what, in the example shown in the screenshot?

    I.e. changing “certificate host does not match hostname” to “certificate host (a248.e.akamai.net) does not match hostname (tv.eurosport.com)”.

    (A pet peeve of mine in error messages, after spending too much time staring at Kerberos error messages…)

Leave a Reply