Hello Alexey,
RS>> I don't consider it rushed. There's plenty of examples of
RS>> plain-text TCP application protocols that have had secure (*s
RS>> over TLS/SSL) alternative port assignments. It's not rocket
RS>> science.
AF> Instead of having binkp tunneled through external TLS connection,
AF> something like STARTTLS should be implemented in binkp proto, removing
AF> the need of an additional port. This is how TLS works in SMTP on
AF> standard 25 port. This way no changes would be needed in either
AF> nodelist flags or DNS. If a node supports TLS, it will be negotiated
AF> and used. If not, plain-text protocol will be used, unless it is
AF> configured to use TLS-only on a supporting node.
I prefer running TLS on its own port. STARTTLS is not a bad thing and would be
better than nothing but leaves room for a man in the middle attack.
AF> So, what is the rush here? Why trying to push a very poor
AF> implementation as soon as possible without involving binkd developers
AF> at least?
I don't think anyone is rushing anything, just moving in that direction.
Synchronet's implementation is looking good to me. Direct TLS, and it is working in
my experience.
The binkd developers are most welcome although I am not sure who they are.
Alexey perhaps but I am not sure. There is some discussion of all this in the
BINKD area that I have been following and hoping to see the binkd developers
there.
Ttyl :-),
Al
--- GoldED+/LNX 1.1.5-b20180707
* Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)
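The downgrade risk Al raises, as an added illustration that is not part of the message above and is not code from binkd or Synchronet: a toy text handshake in which the server advertises an upgrade option, an active attacker strips that one line, and three client designs react differently. The "NUL"/"OPT" line shape only loosely mimics a text protocol banner; the STARTTLS option keyword, the client policies and the sample banner are all invented for this example.

```python
"""Toy model of opportunistic STARTTLS vs. TLS on its own port.

Constructed illustration only: it borrows the general "banner, option
lines, OK" shape of a text handshake, but the STARTTLS option keyword, the
client policies and the banner contents are invented for this example and
are not binkp, binkd or Synchronet behaviour.
"""

STARTTLS_LINE = "OPT STARTTLS"  # hypothetical capability line


def server_banner(offers_starttls: bool) -> list[str]:
    """Plaintext greeting the server sends before any encryption exists."""
    lines = ["NUL SYS example-node"]          # constructed sample banner
    if offers_starttls:
        lines.append(STARTTLS_LINE)            # "I can upgrade to TLS"
    lines.append("OK")
    return lines


def mitm_strip_starttls(lines: list[str]) -> list[str]:
    """Active attacker on the plaintext path: drops the upgrade offer.

    Nothing authenticates the banner, so the client cannot tell a stripped
    banner from a server that genuinely lacks TLS support.
    """
    return [line for line in lines if line != STARTTLS_LINE]


def starttls_client(banner: list[str], policy: str) -> str:
    """Return the transport the session ends up on.

    policy == "opportunistic": use TLS if offered, else carry on in plaintext.
    policy == "require":       use TLS if offered, else refuse the session.
    """
    if STARTTLS_LINE in banner:
        return "tls"        # client sends STARTTLS, handshakes, continues encrypted
    if policy == "require":
        return "abort"      # refuse rather than run the session in the clear
    return "plain"          # silent downgrade: this is what the attacker wanted


def implicit_tls_client(peer_speaks_tls_on_port: bool) -> str:
    """Dedicated TLS port: the TLS handshake is the first thing on the wire.

    There is no plaintext banner to edit; an attacker who tampers with the
    handshake just breaks it, and a broken handshake yields no session at all.
    """
    return "tls" if peer_speaks_tls_on_port else "abort"


def compare(attacker_present: bool) -> dict[str, str]:
    """Outcome of each client design against a server that supports TLS."""
    banner = server_banner(offers_starttls=True)
    if attacker_present:
        banner = mitm_strip_starttls(banner)
    return {
        "starttls_opportunistic": starttls_client(banner, "opportunistic"),
        "starttls_required": starttls_client(banner, "require"),
        "implicit_tls_port": implicit_tls_client(peer_speaks_tls_on_port=True),
    }


if __name__ == "__main__":
    for attacker in (False, True):
        print("with MITM" if attacker else "no MITM", compare(attacker))
```

With no attacker all three designs end up on TLS. With the attacker in the path, the opportunistic client quietly continues in plaintext, the "require" client (the TLS-only configuration AF describes for a supporting node) refuses the session, and the client that opens the dedicated TLS port never has a plaintext banner for the attacker to edit. The protection in both safe cases comes from never falling back; the separate port simply makes that the default rather than a per-node setting that must be remembered.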