[NNTP] LIST EXTENSIONS (again)

Russ Allbery rra at stanford.edu
Wed Nov 10 10:21:09 PST 2004


Mark Crispin <mrc at CAC.Washington.EDU> writes:
> On Tue, 9 Nov 2004, Russ Allbery wrote:

>> It is indeed the fault of the NNTP community and the INN developers for
>> not documenting MODE READER clearly enough so that both you and Diablo
>> made different, apparently reasonable mistakes in implementation
>> (although Diablo's mistake is frankly less reasonable than yours).

> It was not a mistake, for the simple reason that MODE READER was not
> documented!

> It is a painful lesson to learn that, by failing to document a facility,
> the original deployer forfeits the ability to call differing
> implementations broken.  Trust me; I learned *that* particular lesson
> the hard way.  Let's you and I down that sixpack and we'll commiserate
> with our respective war stories.  We can play that fun game of "who has
> the worse tale of woe"... :-)

I think we're splitting hairs.  Let me try phrasing it a different way:

In the case where the initial connection involves one or more of STARTTLS
or AUTHINFO as well as MODE READER, Pine and INN do not interoperate.
Since there was no standard for this command, it's not possible to declare
one or the other of them broken in any formal sense, but given that INN
introduced the MODE READER command and continues to be the only server
that actually requires it, there is no point in implementing MODE READER
in a client unless you're trying to interoperate with INN.  INN's behavior
in this respect has not changed over the lifetime of the server.

> That's what I was told when similar issues came up in IMAP and SMTP.
> Everything had to be reset.

> If you think about it, it only makes sense.  Otherwise, you don't really
> know that MODE READER actually happened, as opposed to having been
> seized by an MITM.  Although I don't think there is much (beyond
> harassment) that could happen by attacking this, a bad guy could
> certainly cause a great deal of confusion!

I can see how an attacker could use a MITM attack to launch a denial of
service attack, but an attacker capable of a MITM attack being able to
deny service isn't particularly uncommon.  IMAP and SMTP don't have this
bizarre mode switch that NNTP does (thankfully!), so I'm not sure that I
see how their experience implies that this is not allowed.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


