[NNTP] Draft -00 for modernizing TLS usage with NNTP

Julien ÉLIE julien at trigofacile.com
Sat Jul 23 14:07:55 PDT 2016


Hi all,

I've just taken the time to finalize a first version of an 
Internet-Draft that could update RFC 4642 (use of TLS with NNTP):

     https://tools.ietf.org/html/draft-elie-nntp-tls-recommendations-00

Basically, it adds TLS best current practices to RFC 4642 (disabling 
TLS-level compression, preferring strict TLS on port 563, removing RC4 
cipher suites from the mandatory-to-implement cipher suites) and also gives 
several kinds of recommendations (in Section 2).


Thanks in advance for your comments.
Do not hesitate to say if something looks wrong, and also what you 
think about the issues to address in Appendix D.  Especially:

    o  Section 3.2 of [RFC7525] applied to NNTP adds the following
       requirement:  a client SHOULD attempt to negotiate TLS even if the
       STARTTLS capability label is not advertised by the news server.
       The goal is to help prevent SSL stripping.  Yet, an attacker who
       can strip STARTTLS from the capability list could easily ensure
       that a 502 response is returned to that command.  So, should we
       keep that requirement for NNTP all the same?  (I would suggest not
       to keep it.)

    o  Regarding peering between mode-switching news servers, should
       something specific be added?  (e.g., as strict TLS is the
       preferred way to negotiate TLS, innfeed would connect to port 563
       of a news server, and innd would also listen on port 563.  Or
       should we ask for the registration of a new port for that purpose,
       NNSP over TLS, like port 433 already dedicated to NNSP?  Or should
       we recommend the use of stunnel with TCP wrappers, or an
       equivalent mechanism, in case using a separate port is not
       possible?)

-- 
Julien ÉLIE

"- Did you notice nothing strange about that Arvernian?
 - Yes, his accent." (Astérix)
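The STARTTLS question raised in the first bullet, as an added example that is not part of the original message, the draft, or INN. It models the client side of RFC 4642 STARTTLS negotiation against two constructed, in-memory NNTP transcripts: an honest server that advertises STARTTLS and answers 382, and a stripping attacker that removes STARTTLS from the CAPABILITIES list and answers 502. It shows that attempting STARTTLS even when it is not advertised (RFC 7525, Section 3.2) changes nothing on its own, because the attacker simply refuses the command; what decides the outcome is whether the client is allowed to fall back to cleartext. The `strict_tls_context()` helper illustrates the other option from the message, strict TLS on port 563, where there is no cleartext phase to strip. The `ScriptedServer` class, the status-line texts and the `demo()` scenarios are assumptions made for this example; no network access is used.

```python
"""Client-side STARTTLS handling for NNTP (RFC 4642) against an
SSL-stripping attacker, plus the strict-TLS (port 563) alternative.

Added example, not code from the draft or from INN.  The scripted
server and the attacker transcript are constructed here for
illustration; nothing touches the network.
"""
import ssl

NNTP_PORT = 119        # cleartext port on which STARTTLS may be offered
NNTP_TLS_PORT = 563    # "nntps": TLS from the first byte, no STARTTLS step


class ScriptedServer:
    """Minimal in-memory stand-in for the server side of an NNTP session.

    `capabilities` is the list returned after CAPABILITIES;
    `starttls_reply` is the status line returned for STARTTLS
    (382 = continue with TLS negotiation, 502 = command unavailable).
    A stripping attacker is modelled by leaving STARTTLS out of the
    capability list and answering 502, the move discussed in the mail.
    """

    def __init__(self, capabilities, starttls_reply):
        self.capabilities = capabilities
        self.starttls_reply = starttls_reply
        self.log = []                      # commands received, for checking

    def send(self, line):
        self.log.append(line)

    def reply_to(self, command):
        if command == "CAPABILITIES":
            # Multi-line 101 block terminated by a lone "."
            return ["101 Capability list:", "VERSION 2",
                    *self.capabilities, "."]
        if command == "STARTTLS":
            return [self.starttls_reply]
        return ["500 Unknown command"]


def negotiate_starttls(server, require_tls):
    """Client policy per RFC 4642 plus RFC 7525 Section 3.2.

    Returns "tls" when the server answered 382 (the TLS handshake would
    start now) or "cleartext" when TLS was not obtained and the client is
    permitted to continue insecurely.  Raises RuntimeError when TLS is
    required but could not be negotiated.
    """
    server.send("CAPABILITIES")
    caps = server.reply_to("CAPABILITIES")
    advertised = any(line.split()[0] == "STARTTLS" for line in caps[1:-1])

    # RFC 7525 Section 3.2: attempt STARTTLS even when it is not advertised,
    # so stripping the capability label alone gains the attacker nothing.
    server.send("STARTTLS")
    reply = server.reply_to("STARTTLS")[0]
    if reply.startswith("382"):
        return "tls"
    # Any other code (502 in practice) means no TLS on this connection.
    # A legitimate server without TLS and an active attacker look the same
    # from here; only local policy can decide what happens next.
    if require_tls:
        raise RuntimeError(f"STARTTLS refused ({reply}); "
                           f"advertised={advertised}; refusing cleartext")
    return "cleartext"


def strict_tls_context():
    """Context a client would use for port 563 (strict TLS, no STARTTLS).

    ssl.create_default_context() already disables TLS-level compression
    (OP_NO_COMPRESSION) and verifies the peer certificate; the minimum
    protocol version is additionally pinned to TLS 1.2.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def demo():
    """Run the honest and stripped scenarios and report each outcome."""
    honest = ScriptedServer(["READER", "STARTTLS"],
                            "382 Continue with TLS negotiation")
    stripped = ScriptedServer(["READER"], "502 Command unavailable")
    results = {
        "honest": negotiate_starttls(honest, require_tls=True),
        # Opportunistic client: attacker wins, session continues in clear.
        "stripped_opportunistic": negotiate_starttls(stripped, False),
    }
    try:
        negotiate_starttls(stripped, require_tls=True)
        results["stripped_required"] = "cleartext"
    except RuntimeError:
        # Required-TLS client: attacker can only cause a refused session.
        results["stripped_required"] = "aborted"
    ctx = strict_tls_context()
    results["strict_ctx_no_compression"] = bool(ctx.options & ssl.OP_NO_COMPRESSION)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Running it prints `honest: tls`, `stripped_opportunistic: cleartext` and `stripped_required: aborted`, which is the point of the bullet: the RFC 7525 rule makes the client send STARTTLS, but the attacker answers 502 either way, so the security of the session depends on the fallback policy (or on using port 563 with no cleartext phase at all), not on the attempt.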


More information about the ietf-nntp mailing list