Subj : Security
To   : Tony Langdon
From : Oli
Date : Mon May 04 2020 11:50 am

Tony wrote (2020-05-04):

 AI>> It's possible to use a self-signed certificate. I don't know the
 AI>> ramifications of a self-signed certificate vs letsencrypt but it
 AI>> might provide the security and privacy we need.

 TL> Encryption will be fine, but self-signed just means you can't trust the
 TL> other end to be who they say they are.

Works fine with SSH. Trust on first use (TOFU) works with TLS too. There is also DANE / TLSA records to put the (hash of the) public key in DNS. You could also put it in the nodelist itself.

 TL> But that's a call the BBS networks have to make.

This is like: that's a call the Internet has to make.

 AI>> Currently I use a certificate from letsencrypt.

 TL> I'm not currently running binkps. It's been a moving target, and as I've
 TL> said, I won't bother jumping through hoops and binkd doesn't yet support
 TL> TLS natively (that I'm aware of).

Native support in binkd would be nice; on the other hand, the workarounds are not that difficult.

Outgoing connections are easy with binkd (one node line in binkd.conf; *H expands to the node's hostname):

node 5:6/7@fidonet -pipe "gnutls-cli --logfile /dev/null --no-ca-verification --strict-tofu --disable-sni *H:24553"

Incoming connections with haproxy are three lines (works for every mailer; TLS is terminated on 24553 and plain binkp forwarded to binkd on 24554):

listen binkps
    bind :::24553 ssl crt fidonet.pem
    server binkd 127.0.0.1:24554

Synchronet's BinkIT does support TLS already. But only jumping through hoops (with binkd) gives you TLS 1.3 connections.

---
 * Origin: (2:280/464.47)
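Two of the options Oli mentions for a self-signed mailer certificate, a DANE/TLSA record carrying the public key hash and trust on first use, are easy to get wrong in the details (which bytes are hashed, what "changed key" looks like). The following is an added example, not code from the message above nor from binkd, gnutls-cli or haproxy. It contains a minimal DER walker that pulls the SubjectPublicKeyInfo out of a certificate, builds the TLSA RDATA for it, and a small in-memory pin store that refuses a connection once the pinned key changes. The host names, the port mapping to binkps, the pin store and the constructed (non-cryptographic) certificate shell used for the self-test are all assumptions of this example.

```python
"""Added example: TLSA (DANE-EE) record generation plus a trust-on-first-use pin store.

Not taken from the message above or from any mailer; the host names, the in-memory
pin store and the constructed certificate shell below are assumptions of this example.
"""
import hashlib
import ssl


# ---- minimal DER reader: enough for the outer X.509 Certificate structure -------------
def der_tlv(data, offset=0):
    """Return (tag, body_start, body_end) for the TLV starting at `offset`."""
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:                                  # short-form length
        length, hdr = first, 2
    else:                                             # long form: 0x8N + N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(data[offset + 2:offset + 2 + n], "big"), 2 + n
    start = offset + hdr
    return tag, start, start + length


def der_children(tlv):
    """Split a constructed DER TLV into its children, each as (tag, whole child TLV)."""
    _, start, end = der_tlv(tlv)
    out, pos = [], start
    while pos < end:
        tag, _, e = der_tlv(tlv, pos)
        out.append((tag, tlv[pos:e]))
        pos = e
    return out


def subject_public_key_info(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                          # explicit [0] version (v2/v3 certs)
        fields = fields[1:]
    tag, spki = fields[5]
    if tag != 0x30:
        raise ValueError("unexpected tag where SubjectPublicKeyInfo was expected")
    return spki


# ---- TLSA record (RFC 6698) -------------------------------------------------------------
def tlsa_rdata(cert_der, selector=1, matching=1, usage=3):
    """RDATA of a TLSA record. usage 3 (DANE-EE) pins the end-entity certificate itself,
    so no CA is involved: the self-signed case. selector 0 = whole certificate,
    1 = SubjectPublicKeyInfo only. matching 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).hexdigest()
    return f"{usage} {selector} {matching} {digest}"


def tlsa_record(host, port, cert_der, proto="tcp", **kw):
    """Full zone-file line, e.g. for binkps on port 24553 (hypothetical host name)."""
    return f"_{port}._{proto}.{host}. IN TLSA {tlsa_rdata(cert_der, **kw)}"


def tlsa_record_from_pem(host, port, pem_text, **kw):
    """Same, for a PEM file holding exactly one certificate block (not key+cert bundles)."""
    return tlsa_record(host, port, ssl.PEM_cert_to_DER_cert(pem_text), **kw)


# ---- trust on first use -----------------------------------------------------------------
class TofuStore:
    """Pin the peer's SPKI hash on first contact; afterwards it must match or we refuse."""

    def __init__(self):
        self.pins = {}                                # host:port -> sha256(SPKI) hex

    def check(self, host, port, cert_der):
        key = f"{host}:{port}"
        seen = hashlib.sha256(subject_public_key_info(cert_der)).hexdigest()
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            return "pinned"
        if pinned != seen:
            raise ValueError(f"{key}: public key changed (pinned {pinned[:16]}.., got {seen[:16]}..)")
        return "match"


# ---- constructed certificate shell for the self-test (not a real, signed certificate) ---
def der_encode(tag, body):
    """Encode one DER TLV; lengths up to 65535 are enough for this example."""
    if len(body) < 0x80:
        ln = bytes([len(body)])
    elif len(body) < 0x100:
        ln = b"\x81" + bytes([len(body)])
    else:
        ln = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body


def constructed_cert(spki_body, with_version=True):
    """Certificate DER with the real field layout but dummy signature/key bytes (constructed)."""
    alg = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    name = der_encode(0x30, b"")                                                   # empty Name
    utc = der_encode(0x17, b"200504000000Z")                                       # UTCTime
    fields = der_encode(0xA0, der_encode(0x02, b"\x02")) if with_version else b""
    fields += der_encode(0x02, b"\x01") + alg + name + der_encode(0x30, utc + utc) + name
    fields += der_encode(0x30, spki_body)
    return der_encode(0x30, der_encode(0x30, fields) + alg + der_encode(0x03, b"\x00" * 65))


if __name__ == "__main__":
    cert_a, cert_b = constructed_cert(b"\x11" * 80), constructed_cert(b"\x22" * 80)
    print(tlsa_record("mailer.example.net", 24553, cert_a))   # hypothetical host
    store = TofuStore()
    print(store.check("mailer.example.net", 24553, cert_a))   # first contact: pinned
    print(store.check("mailer.example.net", 24553, cert_a))   # same key: match
    try:
        store.check("mailer.example.net", 24553, cert_b)      # different key: refused
    except ValueError as err:
        print("refused:", err)
```

For a real `fidonet.pem`, pass only the certificate block to `tlsa_record_from_pem`; the TLSA line it prints is what you would publish under `_24553._tcp.<host>` if the node's address is in DNS, and the same SHA-256 over the SPKI is what a TOFU client (or a nodelist entry, as Oli suggests) would store. Note that a `3 1 1` record survives certificate renewals as long as the key pair is kept, which matters when the certificate is re-issued regularly.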