ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?

Ken Murchison ken at oceana.com
Wed Sep 10 07:03:23 PDT 2003


Jeffrey M. Vinocur wrote:

> On Tue, 9 Sep 2003, Russ Allbery wrote:
> 
> 
>>Ah, I see... SASL PLAIN authentication sends the password on the first
>>pass.  Hm.  That's actually pretty annoying; I like AUTHINFO a lot better
>>since it allows the server to abort the authentication without exposing
>>the password if something is wrong with the user.
> 
> 
> Well, the initial response is always optional, so in principle it's not a 
> protocol problem per se.  (Not that we can't point it out in the SASL 
> writeup, though.)

Having a client do AUTHINFO SASL PLAIN w/o the initial response just to 
see if it's supported would be a complete and utter hack (which I'm sure 
you're aware of).  If we really think clients would be so allergic to 
LIST EXTENSIONS that they would stoop to this level, then just drop LIST 
EXTENSIONS completely (which I am NOT in favor of).

>>Clients using SASL PLAIN can authenticate to the wrong server and hence
>>give away their password rather than just getting an unknown user error.
> 
> 
> But with AUTHINFO USER/PASS, you don't get unknown user errors at all, at 
> least with nnrpd:
> 
> 200 news.litech.org InterNetNews NNRP server INN 2.5.0 (20030713 CVS prerelease) ready (posting ok).
> AUTHINFO USER zzzzzzzzzzzzz
> 381 PASS required
> AUTHINFO PASS mysecretgoeshere

Please note that returning unknown user errors could also be a security 
problem.  If I'm a hacker trying random usernames, and the server tells 
me which are valid and which aren't, it pinpoints which usernames I can 
start doing password guessing on.

A lot of servers will only return an "authentication failed" message 
after receiving both the username and password, so that the hacker 
doesn't know where the failure occurred.

I am by no means a security expert, but all of this stuff has been 
discussed before within the other similar protocols.  It's a shame that 
some of the people that could have been a big help in this area (e.g., 
Chris Newman, Larry Greenfield) no longer are active participants on 
this list, either because of time, lack of interest, or frustration.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
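The behaviour Ken describes (answer "381 PASS required" to any username and only report a single "authentication failed" once both credentials are in) can be shown in a few lines. The following is an added example, not code from this thread, from nnrpd or from any NNTP server; it simulates the AUTHINFO USER/PASS exchange with the response codes of RFC 4643 (281, 381, 481, 482). The user database, the `LeakyAuthSession` and `UniformAuthSession` classes, the dummy record and the password hashing are all this example's own constructions.

```python
"""Added example: two toy AUTHINFO USER/PASS responders, one that reveals
whether a username exists and one that does not.  Nothing here is nnrpd's
code; the user database below is constructed for the example."""
import hashlib
import hmac
import os

# Iteration count kept low so the example runs quickly; raise it in real use.
_ITERATIONS = 20_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256, used only so the stored records look realistic."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user database: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}
# Dummy record so that an unknown user costs the same verification work as a
# known one (otherwise response time would leak what the response text hides).
_DUMMY = (_SALT, _hash_password("dummy-record", _SALT))


def _parse(line: str):
    parts = line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None


class LeakyAuthSession:
    """The enumeration-prone behaviour the thread warns about: the server
    rejects an unknown username before it ever asks for the password."""

    def __init__(self):
        self.user = None

    def handle(self, line: str) -> str:
        parsed = _parse(line)
        if parsed is None:
            return "501 Syntax error"
        cmd, sub, arg = parsed
        if (cmd, sub) == ("AUTHINFO", "USER"):
            if arg not in USERS:
                return "481 No such user"  # tells the client the name is invalid
            self.user = arg
            return "381 PASS required"
        if (cmd, sub) == ("AUTHINFO", "PASS"):
            if self.user is None:
                return "482 Authentication commands issued out of sequence"
            salt, stored = USERS[self.user]
            ok = hmac.compare_digest(_hash_password(arg, salt), stored)
            self.user = None
            return "281 Authentication accepted" if ok else "481 Authentication failed"
        return "500 Unknown command"


class UniformAuthSession:
    """Mitigation: accept any username at the USER step, always do the same
    verification work at the PASS step, and give one failure message."""

    def __init__(self):
        self.user = None

    def handle(self, line: str) -> str:
        parsed = _parse(line)
        if parsed is None:
            return "501 Syntax error"
        cmd, sub, arg = parsed
        if (cmd, sub) == ("AUTHINFO", "USER"):
            self.user = arg  # decide nothing yet; the name may or may not exist
            return "381 PASS required"
        if (cmd, sub) == ("AUTHINFO", "PASS"):
            if self.user is None:
                return "482 Authentication commands issued out of sequence"
            known = self.user in USERS
            salt, stored = USERS.get(self.user, _DUMMY)
            # Hash and compare unconditionally so timing does not depend on `known`.
            match = hmac.compare_digest(_hash_password(arg, salt), stored)
            self.user = None
            if known and match:
                return "281 Authentication accepted"
            return "481 Authentication failed"
        return "500 Unknown command"


def transcript(session_cls, lines):
    """Feed a list of client commands to a fresh session; return the replies."""
    session = session_cls()
    return [session.handle(line) for line in lines]


if __name__ == "__main__":
    for cls in (LeakyAuthSession, UniformAuthSession):
        print(cls.__name__)
        for name in ("alice", "zzzzzzzzzzzzz"):
            print("  AUTHINFO USER", name, "->", transcript(cls, [f"AUTHINFO USER {name}"]))
```

Run the file and the leaky session answers the two USER probes differently, which is exactly the signal that lets someone narrow password guessing to real accounts; the uniform session answers both with "381 PASS required" and only ever says "481 Authentication failed" afterwards, for a wrong password and for a nonexistent user alike.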