ietf-nntp LIST EXTENSIONS non-pipelined and non-cacheable?

Russ Allbery rra at stanford.edu
Wed Sep 10 10:35:54 PDT 2003


Russ Allbery <rra at stanford.edu> writes:

> But the security issue still rests with the client.  I don't understand
> why we should worry about sending SASL PLAIN to a server that doesn't
> support it any more than we should worry about a host of other issues,
> all of which reduce to "don't send SASL PLAIN until you're sure of what
> you're doing."  If a rogue server has hijacked your connection, they're
> going to advertise SASL PLAIN in LIST EXTENSIONS anyway.

> Do you have any pointers to other mailing lists where this has been
> discussed so that I can understand why querying the supported extensions
> before using SASL PLAIN results in additional security?  I find that
> unintuitive, but I know that security considerations often are.

Never mind, I completely forgot the steps of the SASL protocol.  I'm sorry
about that.  Of course you have to query for supported mechanisms before
you start authenticating; it's part of the whole point of SASL to provide
a negotiation protocol for mechanisms.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
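The negotiation Russ describes, as an added example that is not part of the original message or of any NNTP implementation: a client fetches LIST EXTENSIONS, parses the advertised SASL mechanisms, and only then decides whether AUTHINFO SASL PLAIN may be sent. The server replies are constructed, not captured; the multi-line 202 reply terminated by "." and the "SASL <mechanisms>" line are assumptions modelled on the draft of the time and on the SASL capability later standardised in RFC 4643, and the tls_active flag stands in for whatever the client knows about its transport. The PLAIN initial response follows RFC 4616 (authzid NUL authcid NUL password, base64). The extra check that PLAIN is refused on a cleartext connection is the practitioner's caveat behind the "rogue server advertises PLAIN anyway" remark: the advertisement itself proves nothing, only the transport protects the password.

```python
import base64

# Constructed LIST EXTENSIONS replies (not captured from a real server). The
# multi-line 202 reply ending in "." is assumed; the "SASL <mechanisms>" line
# follows the shape later standardised for the SASL capability in RFC 4643.
REPLY_WITH_PLAIN = (
    "202 Extensions supported:\r\n"
    "LISTGROUP\r\n"
    "OVER\r\n"
    "SASL PLAIN DIGEST-MD5\r\n"
    ".\r\n"
)
REPLY_WITHOUT_PLAIN = (
    "202 Extensions supported:\r\n"
    "LISTGROUP\r\n"
    "SASL DIGEST-MD5\r\n"
    ".\r\n"
)


def parse_extensions(reply):
    """Parse a LIST EXTENSIONS reply into {EXTENSION: [arguments]}."""
    lines = reply.split("\r\n")
    if not lines[0].startswith("202"):
        raise ValueError("unexpected reply: " + lines[0])
    exts = {}
    for line in lines[1:]:
        if line == ".":            # end of the multi-line block
            break
        if not line:
            continue
        if line.startswith(".."):  # undo dot-stuffing
            line = line[1:]
        name, *args = line.split()
        exts[name.upper()] = [a.upper() for a in args]
    return exts


def plain_allowed(reply, tls_active):
    """Decide whether sending SASL PLAIN is acceptable; returns (ok, reason)."""
    exts = parse_extensions(reply)
    mechs = exts.get("SASL")
    if mechs is None:
        return False, "server does not advertise SASL"
    if "PLAIN" not in mechs:
        return False, "PLAIN not among advertised mechanisms: " + " ".join(mechs)
    if not tls_active:
        # Advertisement alone proves nothing (a hijacker advertises PLAIN too);
        # the credential is only protected by the transport. tls_active is an
        # assumed flag the caller derives from its own connection state.
        return False, "PLAIN would send the password in the clear"
    return True, "ok"


def plain_initial_response(authzid, authcid, password):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd, base64-encoded."""
    msg = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def build_auth_command(reply, user, password, tls_active):
    """Return the AUTHINFO SASL PLAIN command line, or raise if it must not be sent."""
    ok, reason = plain_allowed(reply, tls_active)
    if not ok:
        raise ValueError(reason)
    # Empty authzid: authorise as the authenticated user (RFC 4616 allows this).
    return "AUTHINFO SASL PLAIN " + plain_initial_response("", user, password)


if __name__ == "__main__":
    cases = (
        (REPLY_WITH_PLAIN, True),      # advertised and protected: send it
        (REPLY_WITH_PLAIN, False),     # advertised but cleartext: refuse
        (REPLY_WITHOUT_PLAIN, True),   # not advertised: refuse
    )
    for reply, tls in cases:
        try:
            print("C:", build_auth_command(reply, "user", "secret", tls))
        except ValueError as e:
            print("refused:", e)
```

Run as a script it prints one AUTHINFO line for the first case and a refusal reason for the other two. The real client would of course send LIST EXTENSIONS over the socket and read the reply instead of using the constructed strings; the decision logic is the same.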