ietf-nntp Draft 20 pre-release 2

Clive D.W. Feather clive at demon.net
Fri Oct 10 09:37:43 PDT 2003


Russ Allbery said:
>>     Therefore a client sending private information, such as a cleartext
>>     password, to a server SHOULD check the security state of the link
>>     and the identity of the server immediately beforehand and SHOULD NOT
>>     rely on the (cached) results of any previous check. How such a check
>>     is done will, of course, depend on the particular facilities
>>     available from the server.

> Hm.  This section seems unrelated to the whole LIST EXTENSIONS bit, so
> maybe there are more issues happening here simultaneously than I was aware
> of.

Look at the protocol examples immediately above. If the results of LIST
EXTENSIONS are cached, the client may believe that XSECRET is available
on a fresh link even though it isn't.

[Hmm; I'll add some "start of new connection" boilerplate to that example.]

> I'm not entirely sure what this section means; are we talking about
> situations where the security level of a TLS-protected connection may be
> negotiated downwards?  LIST EXTENSIONS isn't how one would determine the
> security state of the link; that would be something internal to the TLS
> protocol.

No.

While I've used "ENCRYPT" (which I'll change to "XENCRYPT") and "XSECRET"
for clarity, this was originally explained as applying to TLS and SASL.
A client shouldn't use SASL PLAIN on a non-TLS link because of
eavesdroppers. It also needs to use LIST EXTENSIONS to determine which SASL
methods work. If it caches the answer from a TLS link and uses it on a
non-TLS link, it exposes its password.

I've added:

        [C] XSECRET   fred flintstone
        [S] 483 Only permitted on secure links

    exposing the password to any eavesdropper.
++  While the primary cause of this is passing a secret without first
++  checking the security of the link, caching of LIST EXTENSIONS results
++  can increase the risk.

Does that help?

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | *** NOTE CHANGE ***
Demon Internet      | WWW: http://www.davros.org | Fax:    +44 870 051 9937
Thus plc            |                            | Mobile: +44 7973 377646
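An added illustration of the caching pitfall described in this message (example code, not from the draft or the list): a client that reuses LIST EXTENSIONS results from a TLS session sends the secret on a fresh non-TLS link, while a client that checks the link and re-queries immediately beforehand does not. The in-memory server, the XENCRYPT/XSECRET handling and both client classes are constructed stand-ins.

```python
from dataclasses import dataclass, field

@dataclass
class FakeServer:
    """Constructed NNTP stand-in: XSECRET (SASL PLAIN in the draft) only works over TLS."""
    tls: bool
    wire: list = field(default_factory=list)  # every line the client sent

    def list_extensions(self):
        return ["XENCRYPT", "XSECRET"] if self.tls else ["XENCRYPT"]

    def send(self, line):
        self.wire.append(line)  # visible to an eavesdropper when not TLS
        if line.startswith("XSECRET") and not self.tls:
            return "483 Only permitted on secure links"
        return "281 Authentication accepted"

class CachingClient:
    """Reuses LIST EXTENSIONS results across links (what the thread warns against)."""
    def __init__(self):
        self.cached = None

    def login(self, server, user, password):
        if self.cached is None:
            self.cached = server.list_extensions()
        if "XSECRET" in self.cached:
            return server.send(f"XSECRET {user} {password}")
        return "no usable auth mechanism"

class CheckingClient:
    """Checks this link's security and re-queries LIST EXTENSIONS before sending."""
    def login(self, server, user, password):
        if not server.tls:
            return "refused: link is not secure"
        if "XSECRET" not in server.list_extensions():
            return "refused: XSECRET not offered on this link"
        return server.send(f"XSECRET {user} {password}")

def password_leaked(server, password):
    """True if the password appeared in any line sent over this link."""
    return any(password in line for line in server.wire)

def demo():
    """Caching client: TLS session, then a fresh non-TLS link; checking client: same fresh link."""
    caching = CachingClient()
    caching.login(FakeServer(tls=True), "fred", "flintstone")
    plain1, plain2 = FakeServer(tls=False), FakeServer(tls=False)
    r1 = caching.login(plain1, "fred", "flintstone")
    r2 = CheckingClient().login(plain2, "fred", "flintstone")
    return r1, password_leaked(plain1, "flintstone"), r2, password_leaked(plain2, "flintstone")
```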