Subj : Re: SSH on BBSes
To   : 2twisty
From : Warpslide
Date : Fri Apr 01 2022 11:24:55

On 01 Apr 2022, 2twisty said the following...

 2t> I thought I saw somewhere that the message packets can at least be
 2t> zipped with a password.

If you're talking Mystic to Mystic there is the encryption key option which would provide some extra protection even with a plaintext binkp session.

 2t> The very definition of echomail is public -- so someone being able to
 2t> read packets is no big deal.

Yup, I think that was the general consensus.

 2t> However, since the node<>hub connection is in plain text and there are
 2t> passwords exchanged....it would be nice if it were more secure.  

Agreed, I try and use different bink session & PKT passwords for each link I have, it would be nice to try and keep those credentials secret/safe even if the messages themselves are meant to be public.

 2t> So, for those of us who have the ability to use SSH and SSL, I think we
 2t> should, and we should actively find ways of making the network more
 2t> secure where possible.  Granted, as long as any part of the network is
 2t> unsecure, the whole network is "unsecure," but that's not an excuse to
 2t> just "toss it all" and don't even try.

Agreed there as well.  If more and more people offered encrypted options, or we made it the default/norm it could become the defacto way we do things.  Of course there will still be edge cases for those running legacy software, but you're right, we shouldn't throw the baby out with the bathwater.

 2t> So, on MY board, I plan to detect telnet users and encourage them to
 2t> switch to SSH since Mystic supports it natively.

I've logged into a couple of boards that do just that.  It looks like they've added a line or two to the PRELOGIN menu that displays some text using ACS !OS encouraging them to switch to SSH.


Jay

.... The purpose of computing is insight, not numbers.

--- Mystic BBS v1.12 A48 2022/03/26 (Raspberry Pi/32)
 * Origin: Northern Realms (21:3/110)

.