[NNTP] Re: MODE READER

Russ Allbery rra at stanford.edu
Thu Nov 4 23:04:22 PST 2004


Mark Crispin <mrc at CAC.Washington.EDU> writes:

> Note, however, that TLS protects more than public posting.  It also
> protects the exchange of authentication credentials.  For better or
> worse, the overwhelming majority of authentications involve userid and
> password, transmitted to the server in the clear.

Well, the majority (but probably not overwhelming any more) of NNTP
authentications are based on the IP address of the connecting client and
don't involve any protocol commands at all, since anything heavier-weight
isn't judged to be worth the tradeoff.  (Sites like Supernews are a
special case since they have clients all over the Internet, but most news
servers are for particular organizations, and just accept all connections
coming from the IP addresses of those organizations.)  I'm not sure how
long this will continue to be viable, particularly for protecting posting,
but my experience with helping people install INN is that this is what the
significant majority of INN installations use.

Part of the problem, of course, is the lack of support in clients for
sensible authentication mechanisms that don't involve handing your
passwords out to every server you talk to and sticking them into every
client program you run, but if I start ranting about Kerberos and lack of
support thereof even with network protocols that have allowed for it for
years, I'll be here all day.  :)

> I am reasonably confident that IESG will not permit AUTHINFO USER or
> AUTHINFO SASL PLAIN to be standardized without mandatory TLS.

Yup, I agree with you.

The restriction on AUTHINFO USER will likely be ignored by everyone,
however, even if we put it into the protocol.  I doubt we're going to see
anyone change existing practice for AUTHINFO USER; our best hope is to get
them to do the right thing when they go to AUTHINFO SASL.

But that doesn't mean I think we should take it out.  I'm just saying that
what the standard will say for good, valid security reasons and what
people will do is going to differ for a while, due to where we're at right
now and the slow speed of change.

I don't expect anyone to be convinced that session hijacking is a real
problem until spammers start doing it on a broad basis.  This is one of
those things that is likely to require negative things to happen in
practice before installation configurations will change.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
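The rule the thread converges on (plain-password AUTHINFO only once TLS is up, stronger SASL mechanisms preferred) can be enforced on the client side before any credential leaves the machine. The following is an added illustration, not code from this post or from INN; the CAPABILITIES responses are constructed samples in the RFC 3977 format, and the mechanism preference order is an assumption of the example.

```python
from typing import Dict, List, Optional

# Constructed sample CAPABILITIES responses (RFC 3977 framing), not real server output.
CLEAR_RESPONSE = ("101 Capability list:\r\nVERSION 2\r\nREADER\r\nSTARTTLS\r\n"
                  "AUTHINFO USER SASL\r\nSASL PLAIN GSSAPI\r\n.\r\n")
TLS_RESPONSE = ("101 Capability list:\r\nVERSION 2\r\nREADER\r\n"
                "AUTHINFO USER SASL\r\nSASL PLAIN\r\n.\r\n")

# SASL mechanisms that hand the password to the server in the clear.
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_capabilities(response: str) -> Dict[str, List[str]]:
    """Turn a multi-line 101 capability list into {LABEL: [ARGS...]}."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("101"):
        raise ValueError("expected a 101 capability list")
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line == ".":          # end of the multi-line block
            break
        label, *args = line.split()
        caps[label.upper()] = [a.upper() for a in args]
    return caps


def next_auth_step(caps: Dict[str, List[str]], tls_active: bool) -> Optional[str]:
    """Decide what the client may send next, or None if it must not authenticate.

    Order of preference (assumed by this example): a SASL mechanism that never
    exposes the password (e.g. GSSAPI/Kerberos), then STARTTLS if the link is
    still in the clear, and only then a password mechanism, which is refused
    outright on an unencrypted connection.
    """
    authinfo = caps.get("AUTHINFO", [])
    sasl = caps.get("SASL", []) if "SASL" in authinfo else []
    strong = [m for m in sasl if m not in PASSWORD_MECHS]
    if strong:
        return "AUTHINFO SASL " + strong[0]
    if not tls_active:
        return "STARTTLS" if "STARTTLS" in caps else None
    for mech in sasl:
        if mech in PASSWORD_MECHS:
            return "AUTHINFO SASL " + mech
    if "USER" in authinfo:
        return "AUTHINFO USER"
    return None
```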
