[NNTP] LIST EXTENSIONS (again)

Mark Crispin mrc at CAC.Washington.EDU
Wed Nov 10 10:48:16 PST 2004


On Wed, 10 Nov 2004, Russ Allbery wrote:
> In the case where the initial connection involves one or more of STARTTLS
> or AUTHINFO as well as MODE READER, Pine and INN do not interoperate.

And since neither Pine nor inn are broken, MODE READER itself is broken.

MODE READER has multiple, non-interoperable, definitions.  It doesn't 
matter that only one of those definitions actually is used by a server 
that needs it.  There is a server that enforces the other definition's 
order (even though it doesn't otherwise care), inn does not generally 
enforce its definition's order, and Pine complied with what worked in all 
the cases it's encountered.

Of course, there will be objection from those who have to change to comply 
with the future world.  It can't be avoided.  The only course is to work 
out what will be the best choice in the long term.

> Since there was no standard for this command, it's not possible to declare
> one or the other of them broken in any formal sense, but given that INN
> introduced the MODE READER command and continues to be the only server
> that actually requires it, there is no point in implementing MODE READER
> in a client unless you're trying to interoperate with INN.

That may be true; but it conflicts with what I've been told for over 10 
years, which was to the effect that MODE READER was mandatory with all 
servers and that only a cretin would write a client that uses RFC 977 
instead of what the netnews weenies said was right.  Then I found that 
every server which had AUTHINFO did something different.

Given this particular history, I am not terribly sympathetic to one 
server's rarely-used configuration.

> I can see how an attacker could use a MITM attack to launch a denial of
> service attack, but an attacker capable of a MITM attack being able to
> deny service isn't particularly uncommon.

This particular type of attack has unbelievable costs in lost user and 
support staff time.  When you and I get a chance to split that sixpack, 
ask me about Norton Anti-Virus and SMTP.  We'll need a second sixpack.

The lesson learned is that you can't believe or trust anything that 
happens before TLS takes hold.

> IMAP and SMTP don't have this
> bizarre mode switch that NNTP does (thankfully!), so I'm not sure that I
> see how their experience implies that this is not allowed.

Well, it's arguable that SMTP has mode switches, and there are ongoing 
efforts (which I have been opposing) to put in such things into IMAP. 
It's an attractive nuisance.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
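
Added example, not part of the original message or of Pine or INN: a client-side sketch of the rule above that nothing learned before TLS is trusted. The extension list is discarded once TLS is established, and a cleartext list with no STARTTLS leads to an abort, not to cleartext AUTHINFO. The class, method names and "ABORT"/"PROCEED" step labels are hypothetical, and the extension lists are constructed sample data.

```python
# Hypothetical names throughout; extension lists below are constructed samples.
class StaleState(Exception):
    """An extension was consulted without a list fetched on the current layer."""

class SessionState:
    def __init__(self, require_tls=True):
        self.require_tls = require_tls
        self.tls_active = False
        self.extensions = None  # None: nothing trustworthy known for this layer

    def on_extension_list(self, lines):
        # The first word of each line is taken as the extension label.
        self.extensions = frozenset(
            ln.split()[0].upper() for ln in lines if ln.strip())

    def on_tls_established(self):
        # Anything learned in cleartext could have been rewritten in transit.
        self.tls_active = True
        self.extensions = None

    def supports(self, label):
        if self.extensions is None:
            raise StaleState("re-issue LIST EXTENSIONS on this layer first")
        return label.upper() in self.extensions

    def next_step(self):
        if self.extensions is None:
            return "LIST EXTENSIONS"
        if self.require_tls and not self.tls_active:
            # A list without STARTTLS may be a stripped one: fail closed
            # instead of falling back to cleartext AUTHINFO.
            return "STARTTLS" if self.supports("STARTTLS") else "ABORT"
        return "PROCEED"

def walk(pre_tls_list, post_tls_list, require_tls=True):
    """Drive the state machine over two constructed lists; return the steps."""
    state, steps = SessionState(require_tls), []
    lists = iter([pre_tls_list, post_tls_list])
    while True:
        step = state.next_step()
        steps.append(step)
        if step == "LIST EXTENSIONS":
            state.on_extension_list(next(lists))
        elif step == "STARTTLS":
            state.on_tls_established()
        else:
            return steps

if __name__ == "__main__":
    print(walk(["STARTTLS", "OVER"], ["OVER", "HDR"]))  # honest path
    print(walk(["OVER"], []))                           # STARTTLS stripped
```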


