36 Network Security
Whenever Emacs establishes any network connection, it passes the
established connection to the Network Security Manager
(NSM). NSM is responsible for enforcing the
network security under your control. Currently, this works by using
the Transport Layer Security (TLS) features.
The network-security-level variable determines the security level that
NSM enforces. If its value is low, no security checks are performed.
If this variable is medium (which is the default), a number of checks
will be performed. If as a result NSM determines that the network
connection might not be trustworthy, it will make you aware of that,
and will ask you what to do about the network connection.
You can decide to register a permanent security exception for an
unverified connection, a temporary exception, or refuse the connection
entirely.
Below is a list of the checks done on the medium level.
- unable to verify a TLS certificate: If the connection is a TLS, SSL
  or STARTTLS connection, NSM will check whether the certificate used
  to establish the identity of the server we're connecting to can be
  verified.
  While an invalid certificate is often cause for concern (there could
  be a man-in-the-middle hijacking your network connection and
  stealing your password), there may be valid reasons for going ahead
  with the connection anyway. For instance, the server may be using a
  self-signed certificate, or the certificate may have expired. It's up
  to you to determine whether it's acceptable to continue with the
  connection.
- a self-signed certificate has changed: If you've previously accepted
  a self-signed certificate, but it has now changed, that could mean
  that the server has just changed the certificate, but it might also
  mean that the network connection has been hijacked.
- previously encrypted connection now unencrypted: If the connection is
  unencrypted, but it was encrypted in previous sessions, this might
  mean that there is a proxy between you and the server that strips
  away STARTTLS announcements, leaving the connection unencrypted. This
  is usually very suspicious.
- talking to an unencrypted service when sending a password: When
  connecting to an IMAP or POP3 server, the connection should usually
  be encrypted, because it's common to send passwords over these
  connections. Similarly, if you're sending email via SMTP that
  requires a password, you usually want that connection to be
  encrypted. If the connection isn't encrypted, NSM will warn you.
If network-security-level is high, the following checks will be made,
in addition to the above:
- a validated certificate changes the public key: Servers change their
  keys occasionally, and that is normally nothing to be concerned
  about. However, if you are worried that your network connections are
  being hijacked by agencies who have access to pliable Certificate
  Authorities which issue new certificates for third-party services,
  you may want to keep track of these changes.
- Diffie-Hellman low prime bits: When doing the public key exchange,
  the number of prime bits should be high to ensure that the channel
  can't be eavesdropped on by third parties. If this number is too low
  (groups of 1024 bits or fewer are considered weak), you will be
  warned.
- RC4 stream cipher: The RC4 stream cipher has known keystream biases
  and may allow eavesdropping by third parties; its use in TLS is
  prohibited by RFC 7465.
- SSL1, SSL2 and SSL3: The protocols older than TLS 1.0 are believed
  to be vulnerable to a variety of attacks, and you may want to avoid
  using these if what you're doing requires higher security.
If network-security-level is paranoid, you will also be notified the
first time NSM sees any new certificate. This will allow you to
inspect all the certificates from all the connections that Emacs
makes.
The following additional variables can be used to control details of
NSM operation:
- nsm-settings-file: This is the file where NSM stores details about
  connections. It defaults to ~/.emacs.d/network-security.data.
- nsm-save-host-names: By default, host names will not be saved for
  non-STARTTLS connections. Instead a host/port hash is used to
  identify connections. This means that one can't casually read the
  settings file to see what servers the user has connected to. If this
  variable is non-nil, NSM will also save host names in the
  nsm-settings-file.
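The security levels and the two variables above, as an added Emacs Lisp example for an init file (this is not text or code from the Emacs manual or from nsm.el). It assumes Emacs 25 or later built with GnuTLS support, so that gnutls-peer-status returns the protocol, cipher and Diffie-Hellman details NSM inspects; the helper name my-nsm-peer-report and the process name my-nsm-probe are names chosen for this example. The weak setting is shown commented out beside the recommended one.

```elisp
;;; Added example; not part of the Emacs manual or of nsm.el.
;;; Assumes Emacs 25+ with built-in GnuTLS.

;; Weak setting: `low' disables every NSM check, so a forged certificate
;; or a STARTTLS-stripping proxy is accepted silently.  Avoid it.
;; (setq network-security-level 'low)

;; Recommended: `high' adds the public-key change, Diffie-Hellman size,
;; RC4 and pre-TLS-1.0 checks on top of the `medium' defaults.  Switch to
;; `paranoid' temporarily to be shown every new certificate Emacs sees.
(setq network-security-level 'high)

;; Record host names, not only host/port hashes, so the settings file
;; (by default ~/.emacs.d/network-security.data, see `nsm-settings-file')
;; can be reviewed when auditing exceptions.  Trade-off: the file then
;; lists every server this Emacs has connected to.
(setq nsm-save-host-names t)

(defun my-nsm-peer-report (host port)
  "Open a TLS connection to HOST:PORT and show what NSM gets to inspect.
The connection goes through `open-network-stream' with :type tls, so
NSM itself runs on it first and may prompt, exactly as for any other
Emacs connection.  The probe process is closed before returning, and
the peer-status plist is returned for further inspection."
  (interactive "sHost: \nnPort: ")
  (unless (gnutls-available-p)
    (user-error "This Emacs has no built-in GnuTLS; gnutls-peer-status would return nil"))
  (let ((proc (open-network-stream "my-nsm-probe" nil host port :type 'tls)))
    (unless proc
      (user-error "NSM refused the connection to %s:%d" host port))
    (unwind-protect
        (let ((status (gnutls-peer-status proc)))
          ;; :diffie-hellman-prime-bits is absent (nil) when the key
          ;; exchange did not use finite-field Diffie-Hellman, e.g. ECDHE.
          (message "%s:%d protocol=%s kx=%s cipher=%s dh-bits=%s warnings=%S"
                   host port
                   (plist-get status :protocol)
                   (plist-get status :key-exchange)
                   (plist-get status :cipher)
                   (plist-get status :diffie-hellman-prime-bits)
                   (plist-get status :warnings))
          status)
      (delete-process proc))))

;; Usage: M-x my-nsm-peer-report RET imap.example.org RET 993 RET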