ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?
Ken Murchison
ken at oceana.com
Tue Sep 9 07:55:14 PDT 2003
Overall, I think shortcuts like the ones you propose below are a bad
idea, and the potential risks outweight the perceived rewards. Details
below.
Peter Robinson wrote:
> | 5.3 LIST EXTENSIONS
>
> | This command MUST NOT be pipelined.
>
> Why not? I can understand that a client should wait until the LIST
> EXTENSIONS response before trying to use an extension (or not), but why
> shouldn't it do something like this:
>
> [C] LIST EXTENSIONS
> [C] GROUP misc.test
> [S] 202 Extensions supported:
> [S] OVER
> [S] HDR
> [S] .
> [S] 211 1234 3000234 3002322 misc.test
> [C] OVER
> (...)
> ?
I suppose it would be reasonable to allow pipelining LIST EXTENSIONS
with base (mandatory to implement) commands ONLY, but you just know that
some poorly written client will try to pipeline something that it
shouldn't (e.g., AUTHINFO USER/PASS before realizing that its not
supported).
> | It is not required that the client issues this command before
FWIW, I also think that this is a bad idea, especially with AUTHINFO
commands. Perhaps the text should state something to this effect.
> | attempting to make use of any extension. The response generated by
> | this command MAY change during a session because of other state
> | information (which in turn may be changed by the effects of other
> | commands). An NNTP client MUST NOT cache (for use in another session)
> | any information returned if the LIST EXTENSIONS command succeeds.
>
> It seems inconsistent that on one hand, a client can (try to) use an
> extension having no idea whether it's supported, while on the other hand
> it is forbidden to cache the LIST EXTENSIONS response, and use it to
> make an educated guess.
>
> I'd have thought that that kind of decision should be left to newsreader
> authors and users. So
No! A client should always check the available extensions and be
flexible enough to handle changes from session to session.
If a client caches the info, then it can potentially do something
stupid, like expose a user's plaintext password. For example, consider
this conversation:
S: 200 eagle.oceana.com Cyrus NNTP v2.2.1-BETA server ready, posting allowed
C: LIST EXTENSIONS
S: 202 Extension list follows:
S: AUTHINFO USER
S: SASL CRAM-MD5 NTLM DIGEST-MD5
S: STARTTLS
S: STREAMING
S: .
C: STARTTLS
S: 382 Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
C: LIST EXTENSIONS
S: 202 Extension list follows:
S: AUTHINFO USER
S: SASL CRAM-MD5 NTLM DIGEST-MD5 PLAIN
S: STREAMING
S: .
C: AUTHINFO SASL PLAIN a2VuAGtlbgBiYW5hbmEx
S: 281 Success (tls protection)
Authenticated.
Security strength factor: 168
If the client caches the last LIST EXTENSIONS response, then the next
time that it goes to authenticate (w/o checking LIST EXTENSIONS), it
will try to do so in the clear, which is "not a good thing":
S: 200 eagle.oceana.com Cyrus NNTP v2.2.1-BETA server ready, posting allowed
C: LIST EXTENSIONS
S: 202 Extension list follows:
S: AUTHINFO USER
S: SASL CRAM-MD5 NTLM DIGEST-MD5
S: STARTTLS
S: STREAMING
S: .
C: AUTHINFO SASL PLAIN a2VuAGtlbgBiYW5hbmEx
S: 502 no mechanism available
Authentication failed. generic failure
Security strength factor: 0
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
More information about the ietf-nntp
mailing list