echo: binkd
to: ALAN IANSON
from: MICHIEL VAN DER VLIST
date: 2019-12-17 10:39:00
subject: Binkd and TLS

Hello Alan,

On Monday December 16 2019 14:59, you wrote to me:

 MV>> 1) Don't fix it if it ain't broke. I am not convinced yet that
 MV>> binkd's security is broke and needs fixing.

 AI> I don't think binkd or the binkp protocol are broken and need fixing.

Then what problem ARE we trying to fix?

 MV>> I am not convinced that TLS offers better protection against
 MV>> snooping than what binkd already has. Half of TLS is providing
 MV>> authoritative identity to the server. I don't see any value for
 MV>> that in Fidonet. TTBOMK there has been no case of someone
 MV>> successfully setting up a rogue node and masquerading for someone
 MV>> else. If only because there is no business model.

 AI> This has happened in the past. nobogus comes to mind.

Apples and oranges. Nobogus solved problems created by rogue CLIENTS. TLS does
not protect against that. It only authorises the /server/, not the /client/.

 AI> TLS certainly offers better security. No question.

So you say. But merely claiming it is "better" is just like claiming aluminium
is "better" than copper.

In what way is TLS "better"? A claim of "better" security has to be more
specific than just that. Better than what? Better against what threats and by
whom?

If you do not specify the threat, a claim of better security is meaningless.

 MV>> 2) It violates the KISS principle. I see little or no added value
 MV>> in adding TLS to Binkd. In the case of Binkd it just makes things
 MV>> more complicated and prone to misconfiguration and other mishaps.

 AI> It does require some setup. Synchronet's BinkIT mailer currently has
 AI> support for a binkps listener setup like this in Synchronet's
 AI> services.ini

The world of Fidonet is bigger than Synchronet (Thank god). You make it sound
like "Synchronet supports it, so it must be a good thing". Sorry, I am not of
the "Synchronet is better" club.

 AI> This was all done without changing binkp. We have simply put binkp on
 AI> a secure channel.

But why? I still have no answer for that. Let me put it this way:

If binkd over TLS is the solution, what is the problem?


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: http://www.vlist.eu (2:280/5555)

SOURCE: echomail via QWK@docsplace.org
