ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?
Russ Allbery
rra at stanford.edu
Wed Sep 10 10:00:17 PDT 2003
Ken Murchison <ken at oceana.com> writes:
> I am by no means a security expert, but all of this stuff has been
> discussed before within the other similar protocols. Its a shame that
> some of the people that could have been a big help in this area (e.g.,
> Chris Newman, Larry Greenfield) no longer are active participants on
> this list, either because of time, lack of interest, or frustration.
Yeah, don't worry, I'm just growsing, I don't need SASL experts to
convince me. It is the way that it is and we'll deal with it as is. :)
But the security issue still rests with the client. I don't understand
why we should worry about sending SASL PLAIN to a server that doesn't
support it any more than we should worry about a host of other issues, all
of which reduce to "don't send SASL PLAIN until you're sure of what you're
doing." If a rogue server has hijacked your connection, they're going to
advertise SASL PLAIN in LIST EXTENSIONS anyway.
Do you have any pointers to other mailing lists where this has been
discussed so that I can understand why querying the supported extensions
before using SASL PLAIN results in additional security? I find that
unintuitive, but I know that security considerations often are.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the ietf-nntp
mailing list