[NNTP] Re: MODE READER

Mark Crispin mrc at CAC.Washington.EDU
Thu Nov 4 22:23:01 PST 2004


On Thu, 4 Nov 2004, Russ Allbery wrote:
> The cost/benefit tradeoff for using TLS
> routinely, at least for reading (posting can be a separate issue) is
> wrong, and nothing we say in a standard will change that.

Posting is an issue.  Session hijacking and IP address spoofing are 
currently too much trouble for spammers to use, given all the much easier 
ways to spam.  That will not always be the case.

Unfortunately, it is not safe to infer that the absence of attacks in the 
past is a predictor of the absence of attacks in the future.

As for reading, I'll note that Supernews apparently considers read 
security to be important enough to deny me access to their servers when my 
client IP address is my office workstation at UW, but to permit it when my 
client IP address is one of my home network sites.  So read security is 
not unimportant.

Note, however, that TLS protects more than public posting.  It also 
protects the exchange of authentication credentials.  For better or worse, 
the overwhelming majority of authentications involve userid and password, 
transmitted to the server in the clear.  Every NNTP server that has 
password-based authentication but not mandatory TLS exposes that user's 
password to every bad guy in the universe.

I am reasonably confident that IESG will not permit AUTHINFO USER or 
AUTHINFO SASL PLAIN to be standardized without mandatory TLS.

Now, you could have AUTHINFO SASL CRAM-MD5 or AUTHINFO SASL GSSAPI or any 
other SASL authenticator that does not allow an eavesdropping attacker to 
authenticate as the user, and get away without using TLS.  But that still 
doesn't address session hijacking problems.  Not using AUTHINFO at all, 
and instead relying upon client IP address validation, doesn't address IP 
address spoofing.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

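The contrast the message draws between AUTHINFO SASL PLAIN and AUTHINFO SASL CRAM-MD5, as an added illustration that is not part of this thread or of any NNTP implementation: a toy server speaks both mechanisms over the NNTP AUTHINFO SASL response codes (383 for a challenge, 281 accepted, 481 rejected), and two check functions show that a passive observer who records one PLAIN login holds something that works again against a fresh session, while a recorded CRAM-MD5 response does not survive a fresh challenge. The account, the host name `nntp.example` and the `ToyNntpServer` class are all constructed for the example.

```python
"""Toy model of NNTP AUTHINFO SASL (RFC 4643) carrying PLAIN (RFC 4616) and
CRAM-MD5 (RFC 2195).  Constructed illustration only, not code from the
ietf-nntp thread or from any real news server."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample account; a real server keeps this in its own store.
USERS = {"alice": "correct horse battery staple"}


class ToyNntpServer:
    """Server side of the two AUTHINFO SASL exchanges, one session per instance."""

    def __init__(self, users):
        self.users = users
        self.pending_challenge = None  # outstanding CRAM-MD5 challenge, if any

    # PLAIN: the whole credential arrives in one base64 blob, readable by anyone on the wire.
    def auth_plain(self, command):
        prefix = "AUTHINFO SASL PLAIN "
        if not command.startswith(prefix):
            return "481 Authentication failed"
        try:
            parts = base64.b64decode(command[len(prefix):], validate=True).split(b"\0")
        except ValueError:
            return "481 Authentication failed"
        if len(parts) != 3:  # authzid NUL authcid NUL passwd
            return "481 Authentication failed"
        authcid, passwd = parts[1].decode(), parts[2].decode()
        if authcid in self.users and hmac.compare_digest(self.users[authcid].encode(), passwd.encode()):
            return "281 Authentication accepted"
        return "481 Authentication failed"

    # CRAM-MD5: the server issues a fresh, unpredictable challenge for every attempt.
    def start_cram_md5(self, command):
        if command != "AUTHINFO SASL CRAM-MD5":
            return "481 Authentication failed"
        nonce = secrets.token_hex(8)
        self.pending_challenge = f"<{nonce}.{int(time.time())}@nntp.example>".encode()
        return "383 " + base64.b64encode(self.pending_challenge).decode()

    def finish_cram_md5(self, response_b64):
        challenge, self.pending_challenge = self.pending_challenge, None  # single use
        if challenge is None:
            return "481 Authentication failed"
        try:
            user, digest = base64.b64decode(response_b64, validate=True).decode().split(" ", 1)
        except ValueError:
            return "481 Authentication failed"
        if user not in self.users:
            return "481 Authentication failed"
        expected = hmac.new(self.users[user].encode(), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(expected, digest):
            return "281 Authentication accepted"
        return "481 Authentication failed"


def client_plain_command(user, password):
    """Client side of PLAIN: empty authzid, then authcid and password, NUL-separated."""
    blob = b"\0" + user.encode() + b"\0" + password.encode()
    return "AUTHINFO SASL PLAIN " + base64.b64encode(blob).decode()


def client_cram_response(user, password, server_383_line):
    """Client side of CRAM-MD5: HMAC-MD5 of the decoded challenge under the password."""
    challenge = base64.b64decode(server_383_line.split(" ", 1)[1])
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def plain_exchange_is_reusable():
    """Record one PLAIN login, then present the identical bytes to a fresh session."""
    server = ToyNntpServer(USERS)
    recorded = client_plain_command("alice", USERS["alice"])
    assert server.auth_plain(recorded).startswith("281")
    fresh = ToyNntpServer(USERS)
    return fresh.auth_plain(recorded).startswith("281")  # True: the bytes are the credential


def cram_exchange_is_reusable():
    """Record one CRAM-MD5 login, then present the recorded response to a fresh challenge."""
    server = ToyNntpServer(USERS)
    recorded = client_cram_response("alice", USERS["alice"],
                                    server.start_cram_md5("AUTHINFO SASL CRAM-MD5"))
    assert server.finish_cram_md5(recorded).startswith("281")
    fresh = ToyNntpServer(USERS)
    fresh.start_cram_md5("AUTHINFO SASL CRAM-MD5")  # different nonce, so a different challenge
    return fresh.finish_cram_md5(recorded).startswith("281")  # False


if __name__ == "__main__":
    print("PLAIN recording reusable:   ", plain_exchange_is_reusable())
    print("CRAM-MD5 recording reusable:", cram_exchange_is_reusable())
```

The model covers only what a passive observer of the authentication exchange gains, which is exactly the property that separates the two mechanisms; it says nothing about taking over a session that has already authenticated, which is the separate hijacking point the message makes, and nothing about what TLS adds to either.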