ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?
Clive D.W. Feather
clive at demon.net
Wed Sep 10 01:24:09 PDT 2003
Russ Allbery said:
> Ah, I see... SASL PLAIN authentication sends the password on the first
> pass. Hm. That's actually pretty annoying; I like AUTHINFO a lot better
> since it allows the server to abort the authentication without exposing
> the password if something is wrong with the user. Clients using SASL
> PLAIN can authenticate to the wrong server and hence give away their
> password rather than just getting an unknown user error.
But they can give it away anyway like this, with or without LIST
EXTENSIONS.
> Well, given that, I can see the need to issue LIST EXTENSIONS before
> authenticating with SASL PLAIN because SASL PLAIN is (arguably) broken in
> the way that it does authentication negotiation. Sigh.
Sorry, but I *still* don't.
There are two issues here:
(1) Don't use SASL PLAIN on an unprotected link until you've checked that
the other end understands it. That's a good security procedure, but it's
not something that breaks interoperability and so it's not a MUST. It
belongs in Security Considerations.
(2) If you're talking to the wrong server, you could give away your
password to it. But you can do this *anyway*: a malicious server could
offer SASL PLAIN in its LIST EXTENSIONS response just to harvest the
password. That's *also* a Security Considerations question.
Neither of these justifies requiring LIST EXTENSIONS before doing
authentication. In particular, if you always start the session with
STARTTLS, then neither is a risk and so LIST EXTENSIONS isn't needed.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | *** NOTE CHANGE ***
Demon Internet | WWW: http://www.davros.org | Fax: +44 870 051 9937
Thus plc | | Mobile: +44 7973 377646
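The two client-side rules in the message above (check that the peer understands SASL PLAIN before using it on an unprotected link; never trust an advertised mechanism as a reason to send a password in the clear) and the STARTTLS-first alternative, written out as an added example. This is not code from the thread, from the draft, or from any NNTP implementation: the LIST EXTENSIONS reply lines are constructed, the "202" status line is an assumption (the draft's exact reply format is not quoted here), and the function names are hypothetical. It also builds the SASL PLAIN initial response so the reader can see that the password really is in the first message the client sends.

```python
import base64

# Constructed LIST EXTENSIONS replies. The "202 ..." status line is an assumption
# used only so the parser has something to skip; it is not taken from the draft.
HONEST_SERVER = ["202 Extensions supported:", "STARTTLS", "SASL PLAIN", "."]
ROGUE_SERVER = ["202 Extensions supported:", "SASL PLAIN", "."]   # advertises PLAIN to harvest passwords
NO_SASL_SERVER = ["202 Extensions supported:", "STARTTLS", "."]


def plain_initial_response(authzid, authcid, password):
    """Build the SASL PLAIN client message (RFC 4616 layout):
    authzid NUL authcid NUL password, base64-encoded.
    The password travels in this very first message, so a client that sends it
    before it knows who is on the other end has already given it away."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain_initial_response(encoded):
    """Inverse of plain_initial_response; shows the server (rogue or not) gets
    the cleartext password directly out of the first message."""
    authzid, authcid, password = base64.b64decode(encoded).split(b"\0")
    return authzid.decode("utf-8"), authcid.decode("utf-8"), password.decode("utf-8")


def parse_list_extensions(reply):
    """Turn a multi-line LIST EXTENSIONS reply into {LABEL: [ARGS]}.
    The first line is the status line; the list ends at the lone '.' terminator."""
    extensions = {}
    for line in reply[1:]:
        if line == ".":
            break
        label, *args = line.split()
        extensions.setdefault(label.upper(), []).extend(a.upper() for a in args)
    return extensions


def may_send_sasl_plain(tls_active, extensions=None):
    """Client policy for issuing AUTHINFO SASL PLAIN. Returns (allowed, reason).

    extensions=None means the client did not issue LIST EXTENSIONS at all.

    Rule (2) from the message: an advertised mechanism is never a reason to send
    a password over an unprotected link, because a rogue server can advertise
    anything it likes. So the TLS check comes first and is absolute.
    Rule (1): on a protected link, either the peer has said it understands PLAIN,
    or (Clive's STARTTLS-first point) the client can simply try it, since a
    'mechanism not supported' reply from the TLS-authenticated peer exposes nothing
    to anyone else."""
    if not tls_active:
        return False, "link is not TLS-protected; PLAIN would expose the password"
    if extensions is None:
        return True, "TLS active and LIST EXTENSIONS skipped; server may reject the mechanism"
    if "PLAIN" not in extensions.get("SASL", []):
        return False, "server did not advertise SASL PLAIN"
    return True, "TLS active and server advertised SASL PLAIN"


def simulate_client(reply, tls_active):
    """Run the decision against a constructed LIST EXTENSIONS reply."""
    return may_send_sasl_plain(tls_active, parse_list_extensions(reply))


if __name__ == "__main__":
    msg = plain_initial_response("", "alice", "s3cr3t")        # constructed credentials
    print("SASL PLAIN first message:", msg)
    print("what the receiver sees:", decode_plain_initial_response(msg))
    for name, reply, tls in [("rogue server, plaintext", ROGUE_SERVER, False),
                             ("honest server, plaintext", HONEST_SERVER, False),
                             ("honest server, after STARTTLS", HONEST_SERVER, True),
                             ("no SASL, after STARTTLS", NO_SASL_SERVER, True)]:
        print(f"{name:32s} -> {simulate_client(reply, tls)}")
    print(f"{'LIST EXTENSIONS skipped, TLS':32s} -> {may_send_sasl_plain(True)}")
```

The ordering inside `may_send_sasl_plain` is the whole point: the link check is evaluated before the capability check, so a server that lies in LIST EXTENSIONS gains nothing from a client that follows the policy, which is exactly why the advertisement does not need to be mandatory before authentication.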