ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?
Ken Murchison
ken at oceana.com
Wed Sep 10 07:03:23 PDT 2003
Jeffrey M. Vinocur wrote:
> On Tue, 9 Sep 2003, Russ Allbery wrote:
>
>
>>Ah, I see... SASL PLAIN authentication sends the password on the first
>>pass. Hm. That's actually pretty annoying; I like AUTHINFO a lot better
>>since it allows the server to abort the authentication without exposing
>>the password if something is wrong with the user.
>
>
> Well, the initial response is always optional, so in principle it's not a
> protocol problem per se. (Not that we can't point it out in the SASL
> writeup, though.)
Having a client do AUTHINFO SASL PLAIN w/o the initial response just to
see if it's supported would be a complete and utter hack (which I'm sure
you're aware of). If we really think clients would be so allergic to
LIST EXTENSIONS that they would stoop to this level, then just drop LIST
EXTENSIONS completely (which I am NOT in favor of).
>>Clients using SASL PLAIN can authenticate to the wrong server and hence
>>give away their password rather than just getting an unknown user error.
>
>
> But with AUTHINFO USER/PASS, you don't get unknown user errors at all, at
> least with nnrpd:
>
> 200 news.litech.org InterNetNews NNRP server INN 2.5.0 (20030713 CVS prerelease) ready (posting ok).
> AUTHINFO USER zzzzzzzzzzzzz
> 381 PASS required
> AUTHINFO PASS mysecretgoeshere
Please note that returning unknown user errors could also be a security
problem. If I'm a hacker trying random usernames, and the server tells
me which are valid and which aren't, it pinpoints which usernames I can
start doing password guessing on.
A lot of servers will only return an "authentication failed" message
after receiving both the username and password, so that the hacker
doesn't know where the failure occurred.
I am by no means a security expert, but all of this stuff has been
discussed before within the other similar protocols. It's a shame that
some of the people that could have been a big help in this area (e.g.,
Chris Newman, Larry Greenfield) no longer are active participants on
this list, either because of time, lack of interest, or frustration.
--
Kenneth Murchison
Software Engineer
Oceana Matrix Ltd.
21 Princeton Place
Orchard Park, NY 14127
716-662-8973 x26
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
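The two points raised above, as an added example that is not part of the original thread and not INN's or nnrpd's code: a toy AUTHINFO USER/PASS handler that can either answer "unknown user" straight after AUTHINFO USER (which lets an attacker enumerate valid names) or give every name "381 PASS required" and only return a verdict after both halves, plus the SASL PLAIN initial response, whose first client line already carries the password. Response codes follow RFC 4643 (published after this message); the user table, passwords, class and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed user table: name -> (salt, sha256(salt || password)).  The names
# and passwords are made up for this example; a real server has its own store.
def _record(password: str):
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()

USERS = {"alice": _record("correct horse"), "bob": _record("hunter2")}
# Dummy record so an unknown name costs the same hash work as a known one.
_DUMMY = _record(secrets.token_hex(16))


def check_password(user: str, password: str) -> bool:
    salt, digest = USERS.get(user, _DUMMY)
    candidate = hashlib.sha256(salt + password.encode()).digest()
    # compare_digest always runs; "user in USERS" only matters for the dummy.
    return hmac.compare_digest(candidate, digest) and user in USERS


class AuthinfoServer:
    """Minimal AUTHINFO state machine (codes per RFC 4643; hypothetical class).

    leak_unknown_user=True answers AUTHINFO USER with 481 for names it does
    not know, so an attacker learns which names exist before spending a single
    password guess.  False is the behaviour the message describes: every name
    gets "381 PASS required" and the verdict only comes after AUTHINFO PASS.
    """

    def __init__(self, leak_unknown_user: bool):
        self.leak = leak_unknown_user
        self.pending_user = None
        self.authenticated = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb.upper() != "AUTHINFO":
            return "500 Unknown command"
        sub, _, value = arg.partition(" ")
        sub = sub.upper()
        if sub == "USER":
            if self.leak and value not in USERS:
                return "481 Authentication failed"  # leaks: this name does not exist
            self.pending_user = value
            return "381 PASS required"
        if sub == "PASS":
            if self.pending_user is None:
                return "482 Authentication commands issued out of sequence"
            user, self.pending_user = self.pending_user, None
            if check_password(user, value):
                self.authenticated = user
                return "281 Authentication accepted"
            return "481 Authentication failed"  # identical for bad name and bad password
        if sub == "SASL":
            mech, _, initial = value.partition(" ")
            if mech.upper() != "PLAIN":
                return "503 Mechanism not supported"
            if not initial:
                return "383 ="  # empty challenge: the client sends credentials next
            return self.sasl_plain(initial)
        return "501 Syntax error"

    def sasl_plain(self, b64: str) -> str:
        # RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, base64-encoded.
        try:
            decoded = base64.b64decode(b64, validate=True).decode()
            _authzid, authcid, passwd = decoded.split("\0")
        except (ValueError, UnicodeDecodeError):
            return "501 Malformed SASL response"
        if check_password(authcid, passwd):
            self.authenticated = authcid
            return "281 Authentication accepted"
        return "481 Authentication failed"


def sasl_plain_command(authcid: str, passwd: str, authzid: str = "") -> str:
    """Client side: AUTHINFO SASL PLAIN with the initial response on the same
    line.  The password is already in this first line, before the server has
    said anything about the user (the point Russ makes above)."""
    payload = f"{authzid}\0{authcid}\0{passwd}".encode()
    return "AUTHINFO SASL PLAIN " + base64.b64encode(payload).decode()


def enumerate_users(server_factory, candidates):
    """What an attacker learns from AUTHINFO USER alone: names answered with 381."""
    found = []
    for name in candidates:
        if server_factory().handle(f"AUTHINFO USER {name}").startswith("381"):
            found.append(name)
    return found
```

Against the leaking server, enumerate_users returns exactly the real account names; against the deferring server every candidate gets 381, so the attacker is back to guessing name and password pairs together, which is the property the message argues for.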