echo: binkd
to: ALEXEY FAYANS
from: ROB SWINDELL
date: 2019-12-20 12:03:00
subject: BINKP over TLS

  Re: BINKP over TLS
  By: Alexey Fayans to Rob Swindell on Fri Dec 20 2019 09:09 pm

 > Hello Rob!
 >
 > On Fri, 20 Dec 2019 at 09:56 -0800, you wrote to me:
 >
 >  >> Isn't it your main argument against STARTTLS?
 >  RS> Under no case is Opportunistic TLS (e.g. STARTTLS) as secure as
 >  RS> Implicit TLS.
 >
 > So far you didn't provide a single fact proving that good STARTTLS
 > implementation is less secure than TLS on a dedicated port.

Opportunistic TLS gives both the client and the server (or a MitM) the ability
to "opt-out" of using TLS. With an Implicit TLS session, no such option is
available; the entire TCP session is secure, or it doesn't exist.

 >  RS> Yes, the use of self-signed certs is less secure than
 >  RS> CA-signed certs, but that's a different matter and true for both
 >  RS> Opportunistic and Implicit TLS.
 >
 > Use of self-signed certs without a well-defined and implemented mandatory
 > mechanism to verify these certs (either trusted CA or any other similar way)
 > just turns whole security talk into a joke. Seriously.

A less funny joke than Binkd's CRYPT option. Seriously.

 >  >> Why not? It is perfectly mitigated and I explained that a few times
 >  >> already. You gotta stop looking back at old SMTP implementation
 >  >> that wasn't designed against active MitM attacks in the first
 >  >> place.
 >  RS> I look at all the applications of Opportunistic TLS and they're all
 >  RS> less secure than Implicit TLS.
 >
 > Examples?

NNTP, FTP, IRC.

 > Maybe you are just looking at bad / not suitable implementations.
 > Not all implementations are focused on MitM protection and that is fine,
 > similar to use of self-signed certs just to make it a bit harder to sniff
 > the traffic.

Security is a moving target. If you're going to implement something, as I have
with binkps, you shoot for the state of the art, today's best practices, not
yesterday's. STARTTLS is yesterday's solution to TCP session security and is
being phased out. It would be silly to implement STARTTLS in a newly-defined
TCP application protocol today.

                                            digital man

Synchronet/BBS Terminology Definition #35:
HTTP = Hypertext Transfer Protocol
Norco, CA WX: 71.9°F, 20.0% humidity, 1 mph W wind, 0.00 inches rain/24hrs
--- SBBSecho 3.10-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
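The "opt-out" the message above describes is a client-side decision: an opportunistic client only gets TLS if the peer's greeting still advertises it when it arrives, while an implicit-TLS client never reads a plaintext greeting at all. The following simulation is an added example, written for this page and not code from binkd, Synchronet or either participant. The greeting format (`OPT STARTTLS ...`) and the token names are constructed assumptions for illustration, not binkp's actual option wording; no network I/O is performed.

```python
"""Client transport policy comparison: Opportunistic vs Required vs Implicit TLS.

Constructed simulation. The greeting format and capability tokens below are
assumptions for illustration; they are not binkd's real protocol strings.
"""
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # use TLS if the peer offers it, else continue in plaintext
    REQUIRED = "required"            # STARTTLS must be offered, otherwise abort (fail closed)
    IMPLICIT = "implicit"            # TLS handshake happens before any protocol bytes


class Downgraded(Exception):
    """Raised when a strict policy refuses to proceed without TLS."""


def parse_greeting(greeting: str) -> Set[str]:
    """Return the capability tokens advertised by the peer.

    Constructed greeting format: a single line 'OPT TOKEN TOKEN ...'.
    Anything that does not start with 'OPT' advertises no capabilities.
    """
    parts = greeting.strip().split()
    if not parts or parts[0] != "OPT":
        return set()
    return set(parts[1:])


def negotiate(policy: Policy, greeting: Optional[str]) -> str:
    """Decide the transport outcome for a client running under `policy`.

    `greeting` is the first plaintext line read from the peer. It matters only
    for OPPORTUNISTIC and REQUIRED: with IMPLICIT the TLS handshake precedes
    any application data, so there is no plaintext greeting to act on and
    therefore nothing an on-path party can remove from it.
    Returns 'tls' or 'plaintext'; raises Downgraded when plaintext is forbidden.
    """
    if policy is Policy.IMPLICIT:
        return "tls"
    caps = parse_greeting(greeting or "")
    if "STARTTLS" in caps:
        return "tls"
    if policy is Policy.REQUIRED:
        raise Downgraded("peer did not advertise STARTTLS; refusing to continue in plaintext")
    # Opportunistic clients silently accept the downgrade; this is the opt-out.
    return "plaintext"


# Constructed sample greetings: one advertising STARTTLS, one where the token is
# absent (what a peer that opted out, or an on-path modification, would produce).
HONEST_GREETING = "OPT STARTTLS EXTCMD"
NO_STARTTLS_GREETING = "OPT EXTCMD"


def compare_policies() -> Dict[Tuple[str, str], str]:
    """Run every policy against both greetings and tabulate the outcomes."""
    results: Dict[Tuple[str, str], str] = {}
    for policy in Policy:
        for label, greeting in (("offered", HONEST_GREETING), ("absent", NO_STARTTLS_GREETING)):
            try:
                results[(policy.value, label)] = negotiate(policy, greeting)
            except Downgraded:
                results[(policy.value, label)] = "aborted"
    return results


if __name__ == "__main__":
    for (policy, label), outcome in sorted(compare_policies().items()):
        print(f"{policy:13s} STARTTLS {label:7s} -> {outcome}")
```

Only the opportunistic row ends up in plaintext when the capability is missing; a required-STARTTLS client fails closed, and the implicit-TLS client has no negotiation step at all. Note that this covers only the downgrade question raised in the message; whether the certificate presented inside the handshake is actually verified is the separate issue the quoted reply raises, and it applies equally to all three policies.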

SOURCE: echomail via QWK@docsplace.org
