ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?

Clive D.W. Feather clive at demon.net
Wed Sep 10 01:24:09 PDT 2003


Russ Allbery said:
> Ah, I see... SASL PLAIN authentication sends the password on the first
> pass.  Hm.  That's actually pretty annoying; I like AUTHINFO a lot better
> since it allows the server to abort the authentication without exposing
> the password if something is wrong with the user.  Clients using SASL
> PLAIN can authenticate to the wrong server and hence give away their
> password rather than just getting an unknown user error.

But they can give it away anyway like this, with or without LIST
EXTENSIONS.

> Well, given that, I can see the need to issue LIST EXTENSIONS before
> authenticating with SASL PLAIN because SASL PLAIN is (arguably) broken in
> the way that it does authentication negotiation.  Sigh.

Sorry, but I *still* don't.

There are two issues here:

(1) Don't use SASL PLAIN on an unprotected link until you've checked that
the other end understands it. That's a good security procedure, but it's
not something that breaks interoperability and so it's not a MUST. It
belongs in Security Considerations.

(2) If you're talking to the wrong server, you could give away your
password to it. But you can do this *anyway*: a malicious server could
offer SASL PLAIN in its LIST EXTENSIONS response just to harvest the
password. That's *also* a Security Considerations question.

Neither of these justifies requiring LIST EXTENSIONS before doing
authentication. In particular, if you always start the session with
STARTTLS, then neither is a risk and so LIST EXTENSIONS isn't needed.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | *** NOTE CHANGE ***
Demon Internet      | WWW: http://www.davros.org | Fax:    +44 870 051 9937
Thus plc            |                            | Mobile: +44 7973 377646
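The two points argued above (AUTHINFO lets the server reject an unknown user before the password is ever sent, while SASL PLAIN carries it in the first client message, and a client should not send a password on an unprotected link no matter what LIST EXTENSIONS advertises), as an added Python sketch that is not part of this thread or of any NNTP implementation; the extension list, user table and simulated server using the 281/381/481 AUTHINFO response codes are constructed for the demonstration.

```python
import base64

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_EXTENSIONS = ["STARTTLS", "SASL PLAIN DIGEST-MD5", "AUTHINFO USER"]
SAMPLE_USERS = {"alice": "correct horse"}

def choose_mechanism(extensions, tls_active):
    """Client policy from the thread: never send a password on an unprotected link,
    even if the server advertises SASL PLAIN (a harvesting server would advertise it too)."""
    if not tls_active:
        return None
    caps = {l.split()[0].upper(): l.upper().split()[1:] for l in extensions if l.split()}
    if "PLAIN" in caps.get("SASL", []):
        return "SASL PLAIN"
    return "AUTHINFO USER" if "AUTHINFO" in caps else None

def sasl_plain_initial_response(authcid, password, authzid=""):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL password, base64-encoded."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def authinfo_exchange(users, user, password):
    """Two-step AUTHINFO (simulated server): an unknown user is rejected before PASS is sent."""
    t = [f"C: AUTHINFO USER {user}"]
    if user not in users:
        return t + ["S: 481 Authentication failed"], False
    t += ["S: 381 Password required", f"C: AUTHINFO PASS {password}"]
    ok = users[user] == password
    return t + ["S: 281 Authentication accepted" if ok else "S: 481 Authentication failed"], ok

def sasl_plain_exchange(users, user, password):
    """SASL PLAIN (simulated server): the password is inside the client's very first message."""
    t = [f"C: AUTHINFO SASL PLAIN {sasl_plain_initial_response(user, password)}"]
    ok = users.get(user) == password
    return t + ["S: 281 Authentication accepted" if ok else "S: 481 Authentication failed"], ok

def password_exposed(transcript, password):
    """True if any client line carries the password, raw or inside the base64 PLAIN blob."""
    for line in (l for l in transcript if l.startswith("C: ")):
        blob = line.split()[-1] if "SASL" in line else ""
        decoded = base64.b64decode(blob).decode() if blob else ""
        if password in line or password in decoded:
            return True
    return False

if __name__ == "__main__":
    # "bob" has no account on this server: AUTHINFO aborts early, PLAIN has already leaked.
    for exchange in (authinfo_exchange, sasl_plain_exchange):
        transcript, _ = exchange(SAMPLE_USERS, "bob", "correct horse")
        print("\n".join(transcript), "-> password exposed:",
              password_exposed(transcript, "correct horse"), "\n")
```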