Hello Alan!
On Mon, 16 Dec 2019 at 14:29 -0800, you wrote to me:
AF>> No it doesn't. A MitM attack can only fool the client into thinking
AF>> that TLS is not supported. But you can require TLS on the client
AF>> side and it will just disconnect, no harm done.
AI> I believe it does.
It's not about believing. You can read on Wikipedia, for example, about MitM and
STARTTLS. A MitM can fool the client into thinking STARTTLS is not supported.
The mitigation is requiring encryption on the client side. As simple as that.
AI> That's why STARTTLS has been deprecated.
It's not deprecated globally. Deprecation is only _proposed_ for SMTP and other
mail protocols and there are reasons for that, but that doesn't mean it is
deprecated for everything else.
AI> I don't think the binkd developers are going to bring STARTTLS to the
AI> table but we need to hear from them.
Exactly.
AI>>> Synchronet's implementation is looking good to me. Direct TLS
AI>>> and is working in my experience.
AF>> Still it requires modification to configurations, nodelist
AF>> changes and probably DNS changes as well. STARTTLS would
AF>> eliminate all of that.
AI> It requires a binkps listener to receive and "BinkpTLS=true" in the
AI> node section of sbbsecho.ini for nodes you want to poll with binkps.
Synchronet is not the only software out there. And manual configuration is not
even an option. Globally, (1) a new nodelist flag is required to indicate
support of binkps and its port; (2) binkps must be supported on the DNS level as
well, i.e. _binkps._tcp SRV records; (3) nodelist parsers must be updated to
understand the new flag; (4) additional configuration must be introduced in mailers
to support binkps, and for binkd it may be an issue since node records were not
designed for multiple protocols based on different ports.
With STARTTLS none of this is a problem. An additional configuration flag to
require a TLS connection is easy to implement, the nodelist flag is optional and may
be used to tell the client to require TLS when connecting to a supporting node, and
additional DNS SRV records are not needed either.
AF>> In fact this doesn't look like a good place to discuss technical
AF>> stuff, BINKD seems like a better one.
AI> I have eyes on the area so we can move the discussion there if you
AI> like.
Sure, I'll crosspost it there.
* Originally in FIDONEWS
* Crossposted in BINKD
... Music Station BBS | https://bbs.bsrealm.net | telnet://bbs.bsrealm.net
--- GoldED+/W32-MSVC 1.1.5-b20180707
* Origin: Music Station | https://ms.bsrealm.net (2:5030/1997)
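The downgrade-and-mitigation argument above, as an added illustration that is not part of this message or of any mailer's code: a constructed line-based capability exchange (a stand-in, not binkp itself) where an on-path interceptor strips the STARTTLS advertisement, and the client either falls back to plaintext or, with "require TLS" set locally or by a hypothetical nodelist flag named TLS, disconnects instead.

```python
"""Constructed simulation of a STARTTLS downgrade and the require-TLS mitigation."""
from typing import Callable, Dict, List

Path = Callable[[List[str]], List[str]]


def server_greeting() -> List[str]:
    # Constructed capability lines from the answering side; "CAP STARTTLS"
    # advertises that the session can be upgraded to TLS in-band.
    return ["CAP CRAM-MD5", "CAP STARTTLS"]


def passive_path(lines: List[str]) -> List[str]:
    # Network path that delivers the greeting unchanged.
    return list(lines)


def stripping_path(lines: List[str]) -> List[str]:
    # Active on-path interception: the STARTTLS advertisement is removed, so the
    # client only ever sees a server that appears not to support encryption.
    return [line for line in lines if "STARTTLS" not in line]


def tls_required(local_require_tls: bool, node_flags: str) -> bool:
    # Policy from the message: a local "require TLS" setting always wins, and an
    # optional (hypothetical) nodelist flag "TLS" for this node has the same effect.
    flags = {f.strip() for f in node_flags.split(",")}
    return local_require_tls or "TLS" in flags


def client_connect(path: Path, require_tls: bool) -> Dict[str, bool]:
    # The client's decision once it has read the (possibly tampered) greeting.
    caps = path(server_greeting())
    if "CAP STARTTLS" in caps:
        # Upgrade is offered: the client proceeds with the TLS handshake.
        return {"connected": True, "encrypted": True}
    if require_tls:
        # Fail closed: no upgrade offered, so disconnect rather than talk in clear.
        return {"connected": False, "encrypted": False}
    # Opportunistic mode: the downgrade succeeds and traffic stays in plaintext.
    return {"connected": True, "encrypted": False}


if __name__ == "__main__":
    for name, path in (("clean path", passive_path), ("stripped path", stripping_path)):
        for policy in (False, True):
            print(name, "require_tls=%s" % policy, client_connect(path, policy))
```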