ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?
Peter Robinson
pmrobinson at gmx.net
Wed Sep 10 10:05:17 PDT 2003
Clive D.W. Feather <clive at demon.net> wrote:
> Proposed change: current text
[...]
> becomes:
>
> An NNTP client is only able to get the current and correct
> information concerning available extensions at any point during a
> session by issuing a LIST EXTENSIONS command at that point of that
> session and processing the response, and the server MUST ensure that
> those extensions currently listed in the returned information are
> available.
> [...]
> An NNTP client MUST NOT rely on any cached results from this command,
> either earlier in this session or in a previous session, remaining
> correct. While some extensions are likely to be always available or
> never available, others will "appear" and "disappear" depending on
> other changes.
FWIW, I support this.
> I will also craft some Security Considerations text.
>
> > No it is not. If the client is using LIST EXTENSIONS to decide whether
> > and how to provide security (privacy or authentication) then it becomes
> > much more important.
>
> And if it does it in a broken way, it's broken.
Agreed. If a client is prepared to give out usernames and passwords in
the clear under any circumstances, then it is vulnerable to numerous
'attacks' (including user error), and no amount of regulation of LIST
EXTENSIONS will make any difference. And the reality is that plenty of
people *are* prepared to send passwords for NNTP in the clear all the
time (as well as for POP3 and ftp), and servers are happy to accept
them.
Peter
More information about the ietf-nntp
mailing list