ietf-nntp Draft 20 pre-release 2
Clive D.W. Feather
clive at demon.net
Fri Oct 10 09:37:43 PDT 2003
Russ Allbery said:
>> Therefore a client sending private information, such as a cleartext
>> password, to a server SHOULD check the security state of the link
>> and the identity of the server immediately beforehand and SHOULD NOT
>> rely on the (cached) results of any previous check. How such a check
>> is done will, of course, depend on the particular facilities
>> available from the server.
> Hm. This section seems unrelated to the whole LIST EXTENSIONS bit, so
> maybe there are more issues happening here simultaneously than I was aware
> of.
Look at the protocol examples immediately above. If the results of LIST
EXTENSIONS are cached, the client may believe that XSECRET is available
on a fresh link even though it isn't.
[Hmm; I'll add some "start of new connection" boilerplate to that example.]
> I'm not entirely sure what this section means; are we talking about
> situations where the security level of a TLS-protected connection may be
> negotiated downwards? LIST EXTENSIONS isn't how one would determine the
> security state of the link; that would be something internal to the TLS
> protocol.
No.
While I've used "ENCRYPT" (which I'll change to "XENCRYPT") and "XSECRET"
for clarity, this was originally explained as applying to TLS and SASL.
A client shouldn't use SASL PLAIN on a non-TLS link because of
eavesdroppers. It also needs to use LIST EXTENSIONS to determine which SASL
methods work. If it caches the answer from a TLS link and uses it on a
non-TLS link, it exposes its password.
I've added:
[C] XSECRET fred flintstone
[S] 483 Only permitted on secure links
exposing the password to any eavesdropper.
++ While the primary cause of this is passing a secret without first
++ checking the security of the link, caching of LIST EXTENSIONS results
++ can increase the risk.
Does that help?
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | *** NOTE CHANGE ***
Demon Internet | WWW: http://www.davros.org | Fax: +44 870 051 9937
Thus plc | | Mobile: +44 7973 377646
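As an added illustration of the point made in this reply (not code from the draft or from anyone on the list), the following constructed Python model contrasts a client that caches LIST EXTENSIONS across connections with one that checks the security state of the current link and re-queries before sending a secret. The extension names, replies and the `Link` class are assumptions for the model; the 483 reply text is the one quoted in the reply above.

```python
# Constructed example (not from the ietf-nntp draft): why caching LIST
# EXTENSIONS results can expose a password sent on a later, unencrypted link.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Link:
    """One NNTP connection; 'tls' is the security state of *this* link."""
    tls: bool


def list_extensions(link: Link) -> frozenset:
    """Server's answer to LIST EXTENSIONS: XSECRET is offered only on TLS links."""
    base = {"LISTGROUP", "OVER"}
    return frozenset(base | ({"XSECRET"} if link.tls else set()))


def send_xsecret(link: Link, user: str, password: str) -> Tuple[str, bool]:
    """Send the secret; return (server reply, True if it crossed the wire in clear).

    The bytes are on the wire before the server answers, so a 483 refusal
    does not undo the exposure.
    """
    exposed = not link.tls
    reply = "2xx accepted (constructed)" if link.tls else "483 Only permitted on secure links"
    return reply, exposed


class CachingClient:
    """Reuses LIST EXTENSIONS from an earlier connection: the behaviour warned against."""
    def __init__(self) -> None:
        self.cached: Optional[frozenset] = None

    def login(self, link: Link, user: str, password: str) -> Tuple[str, bool]:
        if self.cached is None:
            self.cached = list_extensions(link)   # cached from a TLS link, reused later
        if "XSECRET" in self.cached:
            return send_xsecret(link, user, password)
        return "no secure method", False


class FreshClient:
    """Checks this link's security state and re-queries LIST EXTENSIONS each time."""
    def login(self, link: Link, user: str, password: str) -> Tuple[str, bool]:
        if link.tls and "XSECRET" in list_extensions(link):
            return send_xsecret(link, user, password)
        return "no secure method", False


def exposed_on(client, links, user="fred", password="flintstone") -> bool:
    """True if the client would leak the password over any of the given links."""
    return any(client.login(link, user, password)[1] for link in links)
```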