Subj : BINKP over TLS
To   : Alan Ianson
From : Alexey Fayans
Date : Tue Dec 17 2019 03:44 am

Hello Alan!

On Mon, 16 Dec 2019 at 14:29 -0800, you wrote to me:

 AF>> No it doesn't. MitM attack can only fool client into thinking
 AF>> that TLS is not supported. But you can require TLS on a client
 AF>> side and it will just disconnect, no harm done.

 AI> I believe it does.

It's not about believing. You can read on Wikipedia, for example, about MitM and STARTTLS. MitM can fool the client into thinking STARTTLS is not supported. Mitigation is requiring encryption on the client side. As simple as that.

 AI> That's why STARTTLS has been deprecated.

It's not deprecated globally. Deprecation is only _proposed_ for SMTP and other mail protocols, and there are reasons for that, but that doesn't mean it is deprecated for everything else.

 AI> I don't think the binkd developers are going to bring STARTTLS to the
 AI> table but we need to hear from them.

Exactly.

 AI>>> Synchronet's implementation is looking good to me. Direct TLS
 AI>>> and is working in my experience.

 AF>> Still it requires modification to configurations, nodelist
 AF>> changes and probably DNS changes as well. STARTTLS would
 AF>> eliminate all of that.

 AI> It requires a binkps listener to receive and "BinkpTLS=true" in the
 AI> node section of sbbsecho.ini for nodes you want to poll with binkps.

Synchronet is not the only software out there. And manual configuration is not even an option. Globally, (1) a new nodelist flag is required to indicate support of binkps and its port; (2) binkps must be supported on the DNS level as well, i.e. _binkps._tcp SRV records; (3) nodelist parsers must be updated to understand the new flag; (4) additional configuration must be introduced in mailers to support binkps, and for binkd it may be an issue since node records were not designed for multiple protocols based on different ports. With STARTTLS none of this is a problem.

An additional configuration flag to require a TLS connection is easy to implement, a nodelist flag is optional and may be used to tell the client to require TLS when connecting to a supporting node, and additional DNS SRV records are not needed either.

 AF>> In fact this doesn't look like a good place to discuss technical
 AF>> stuff, BINKD seems like a better one.

 AI> I have eyes on the area so we can move the discussion there if you
 AI> like.

Sure, I'll crosspost it there.

* Originally in FIDONEWS
* Crossposted in BINKD

.... Music Station BBS | https://bbs.bsrealm.net | telnet://bbs.bsrealm.net

--- GoldED+/W32-MSVC 1.1.5-b20180707
 * Origin: Music Station | https://ms.bsrealm.net (2:5030/1997)
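The two policies argued about above (opportunistic upgrade versus "require TLS on the client side and just disconnect") can be made concrete with a small model of the binkp option exchange. This is an added example, not code from binkd, Synchronet or the poster; the `STARTTLS` option token and the `REQTLS` nodelist flag are hypothetical placeholders for the proposal under discussion, and the frames are constructed inline.

```python
from typing import Iterable, List, Set

# Hypothetical binkp OPT token for an in-band TLS upgrade (not a real binkd option).
TLS_OPT = "STARTTLS"
# Hypothetical nodelist flag meaning "this node supports the upgrade, require it".
REQUIRE_TLS_FLAG = "REQTLS"


def parse_options(nul_lines: Iterable[str]) -> Set[str]:
    """Collect option tokens from binkp M_NUL 'OPT ...' payloads."""
    opts: Set[str] = set()
    for line in nul_lines:
        tokens = line.split()
        if tokens and tokens[0] == "OPT":
            opts.update(tokens[1:])
    return opts


def require_tls_for_node(nodelist_flags: Iterable[str]) -> bool:
    """Client policy derived from the (hypothetical) nodelist flag: strict only when the
    node is known to support the upgrade, so unflagged nodes still connect as before."""
    return REQUIRE_TLS_FLAG in set(nodelist_flags)


def decide(nul_lines: Iterable[str], require_tls: bool) -> str:
    """What the calling mailer does after reading the remote's option frames.
    'upgrade' = proceed to TLS, 'plaintext' = opportunistic fallback,
    'disconnect' = strict policy refuses to continue without the upgrade."""
    if TLS_OPT in parse_options(nul_lines):
        return "upgrade"
    return "disconnect" if require_tls else "plaintext"


def downgraded_view(nul_lines: Iterable[str]) -> List[str]:
    """The frames as the client would see them if the advertisement were removed in
    transit, i.e. the downgrade scenario the post describes; used to check the policy."""
    out: List[str] = []
    for line in nul_lines:
        tokens = line.split()
        if tokens and tokens[0] == "OPT":
            line = " ".join(t for t in tokens if t != TLS_OPT)
        out.append(line)
    return out


# Constructed sample: M_NUL payloads a remote node might send during the handshake.
SAMPLE_FRAMES = ["SYS Music Station", "ZYZ Sysop", "OPT CRAM-MD5 STARTTLS ND"]
```

With the advertisement intact both policies upgrade; once it is stripped, the opportunistic client silently continues in plaintext while the strict client disconnects, which is the "no harm done" outcome the post relies on.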