[NNTP] Re: MODE READER
Mark Crispin
mrc at CAC.Washington.EDU
Thu Nov 4 22:23:01 PST 2004
On Thu, 4 Nov 2004, Russ Allbery wrote:

> The cost/benefit tradeoff for using TLS
> routinely, at least for reading (posting can be a separate issue) is
> wrong, and nothing we say in a standard will change that.

Posting is an issue. Session hijacking and IP address spoofing are
currently too much trouble for spammers to use, given all the much easier
ways to spam. That will not always be the case.

Unfortunately, it is not safe to infer that the absence of attacks in the
past is a predictor of the absence of attacks in the future.

As for reading, I'll note that Supernews apparently considers read
security to be important enough to deny me access to their servers when my
client IP address is my office workstation at UW, but to permit it when my
client IP address is one of my home network sites. So read security is
not unimportant.

Note, however, that TLS protects more than public posting. It also
protects the exchange of authentication credentials. For better or worse,
the overwhelming majority of authentications involve userid and password,
transmitted to the server in the clear. Every NNTP server that has
password-based authentication but not mandatory TLS exposes that user's
password to every bad guy in the universe.

I am reasonably confident that IESG will not permit AUTHINFO USER or
AUTHINFO SASL PLAIN to be standardized without mandatory TLS.

Now, you could have AUTHINFO SASL CRAM-MD5 or AUTHINFO SASL GSSAPI or any
other SASL authenticator that does not allow an eavesdropping attacker to
authenticate as the user, and get away without using TLS. But that still
doesn't address session hijacking problems. Not using AUTHINFO at all,
and instead relying upon client IP address validation, doesn't address IP
address spoofing.

-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
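The following is an added illustration of the distinction drawn in the message above; it is not part of Crispin's post or of any NNTP implementation. It models the two classes of AUTHINFO mechanism he contrasts: SASL PLAIN, where a passive listener on a non-TLS session recovers the password verbatim from the wire, and CRAM-MD5 (RFC 2195), where the client proves knowledge of the password with an HMAC over a server-chosen challenge, so a captured response cannot be replayed against a fresh challenge. It also shows the server-side gate the message argues for: refusing cleartext credential mechanisms unless TLS is active. The user database, credentials and `authinfo_allowed` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo credential store (not from the page). A CRAM-MD5 verifier
# needs the password (or an HMAC-MD5 context derived from it) on the server.
USERS = {"alice": "correct horse battery staple"}

# Mechanisms that carry the password itself across the wire.
CLEARTEXT_MECHANISMS = {"AUTHINFO USER", "AUTHINFO PASS", "AUTHINFO SASL PLAIN"}


def sasl_plain_response(user: str, password: str) -> str:
    """Client side of SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def eavesdrop_plain(wire: str) -> tuple[str, str]:
    """What a passive listener recovers from a PLAIN exchange on a non-TLS session:
    the credentials, exactly as typed."""
    _authzid, user, password = base64.b64decode(wire).split(b"\0")
    return user.decode(), password.decode()


def cram_md5_challenge() -> str:
    """Server picks a fresh, unpredictable challenge for every authentication."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5: 'user <hex HMAC-MD5(password, challenge)>', base64.
    The password never leaves the client."""
    digest = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response_b64: str, challenge_b64: str) -> bool:
    """Server side of CRAM-MD5: recompute the HMAC for the challenge it issued and
    compare in constant time. A response captured for a different challenge fails."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = USERS.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def authinfo_allowed(command: str, tls_active: bool) -> bool:
    """Mandatory-TLS gate for cleartext mechanisms: a server applying the policy in the
    message refuses AUTHINFO USER / SASL PLAIN until the session is encrypted, while
    challenge-response mechanisms may proceed either way."""
    if command.upper().strip() in CLEARTEXT_MECHANISMS:
        return tls_active
    return True


def demo() -> dict:
    """Walk both exchanges once and return what each side ends up with."""
    user, password = "alice", USERS["alice"]
    leaked = eavesdrop_plain(sasl_plain_response(user, password))
    challenge = cram_md5_challenge()
    response = cram_md5_response(user, password, challenge)
    return {
        "plain_leaks_password": leaked == (user, password),
        "cram_accepts_live_response": cram_md5_verify(response, challenge),
        "cram_accepts_replayed_response": cram_md5_verify(response, cram_md5_challenge()),
        "plain_refused_without_tls": not authinfo_allowed("AUTHINFO SASL PLAIN", False),
        "plain_allowed_with_tls": authinfo_allowed("AUTHINFO SASL PLAIN", True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats follow from the code rather than from the message. CRAM-MD5 protects the password in transit, but the server must hold the password (or an equivalent HMAC context) rather than a salted hash, and nothing here protects the commands sent after authentication: as the message says, only TLS addresses session hijacking. The gate also does nothing for the IP-address-only case, which is a separate spoofing problem.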