Subj : Secure binkp
To : NuSkooler
From : Oli
Date : Tue Nov 26 2019 01:31 pm
On Mon, 25 Nov 2019 19:49:35 -0700 "NuSkooler -> Al" <[email protected]> wrote:
N> On Monday, November 25th Al was heard saying...
Al>> My understanding is that TLS 1.3 is secure and a good way to
Al>> proceed.
N> I don't mean to butt in, but the TLS 1.3 protocol is certainly
N> secure. Ensure you choose secure & modern suite(s). For example:
N> TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Is it possible to choose insecure ciphersuites with TLS 1.3?
N> AES has the benefit of using AES-NI instructions on modern CPUs.
N> Without these instructions it can be up to 30x slower and much more CPU
N> intensive. If you're running on very old hardware, some of this
N> becomes almost a no-go as it's just too intensive.
ChaCha20-Poly1305 is faster, if there is no support for AES in the CPU.
But how important is the support for _very_ old hardware? Is anyone still
developing Fidonet software for these computers, especially a binkp mailer?
Does binkp still compile for Amiga 68k? Is it possible to use any secure
encryption (by today's standards) on these machines?
There are two options:
1) You just run your old software with no or weak encryption as all the other
nodes do today.
2) You do the encryption on another device.
Tor, i2p or other overlay networks would work for 2). It's also possible to
write some kind of TLS proxy for outgoing connections.
And maybe
3) use a secure encryption algorithm that works on very slow computers. Not
sure if something like this exists.
N> TLS is for PKI, which might make sense for a network op who could
N> perhaps be the Certificate Authority (CA), but I can see that
N> quickly becoming an issue when someone loses their private key/etc.
I would like to avoid this. This would open another can of worms.
N> An end-to-end encryption system might be better if you're considering
N> from scratch (but of course OpenSSL and such make TLS much easier to
N> implement).
What do you mean by e2e encryption in this context? e2e on the network level
or on the message level?
---
* Origin: (21:1/151)
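Oli's question above, whether an insecure cipher suite can be chosen under TLS 1.3, can be checked against a local OpenSSL build. RFC 8446 defines only five TLS 1.3 suites, all of them AEAD constructions (AES-GCM, AES-CCM, ChaCha20-Poly1305), so there is no NULL, RC4, CBC or export suite to pick. The script below is an added example and not part of the original message or of any binkp mailer: it lists the TLS 1.3 suites the local OpenSSL will negotiate, verifies they are all from the RFC 8446 set, shows that the legacy `set_ciphers()` string does not touch TLS 1.3 suites (OpenSSL keeps a separate list for those), and builds a context pinned to TLS 1.3 only, which is what a mailer operator who wants to exclude older protocol versions would do.

```python
import ssl

# The five cipher suites RFC 8446 defines for TLS 1.3. Every one is an AEAD
# construction; no NULL, RC4, CBC or export suite exists for this version.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def tls13_supported():
    """True if the Python/OpenSSL build linked here can speak TLS 1.3."""
    return bool(ssl.HAS_TLSv1_3)


def tls13_suites_offered(ctx=None):
    """Names of the TLS 1.3 suites the given (or a default) context offers."""
    if not tls13_supported():
        return []
    if ctx is None:
        ctx = ssl.create_default_context()
    # get_ciphers() lists suites for all enabled versions; keep only TLS 1.3.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def all_aead(names):
    """True if every suite name is one of the RFC 8446 (AEAD-only) suites."""
    return bool(names) and all(name in TLS13_SUITES for name in names)


def legacy_cipher_string_leaves_tls13_alone():
    """Show that set_ciphers() (the TLS 1.2-and-below list) does not change
    the TLS 1.3 suites; OpenSSL keeps those in a separate 'ciphersuites' list."""
    if not tls13_supported():
        return True
    ctx = ssl.create_default_context()
    before = tls13_suites_offered(ctx)
    ctx.set_ciphers("ECDHE+AESGCM")  # restricts only TLS 1.2 suites
    after = tls13_suites_offered(ctx)
    return before == after


def tls13_only_context():
    """Client context that refuses anything older than TLS 1.3.

    Intended for an outgoing binkp-over-TLS connection (hypothetical use);
    the default context already verifies the server certificate and hostname.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    suites = tls13_suites_offered()
    print("TLS 1.3 suites offered by this OpenSSL:", suites)
    print("all AEAD:", all_aead(suites))
    print("legacy set_ciphers() left TLS 1.3 list unchanged:",
          legacy_cipher_string_leaves_tls13_alone())
    print("TLS 1.3-only context min version:", tls13_only_context().minimum_version)
```

The OpenSSL default TLS 1.3 list is normally the three suites NuSkooler quoted (the two CCM variants are defined but not enabled by default), so on a typical build `tls13_suites_offered()` returns exactly those three in OpenSSL's preference order. The AES-NI versus ChaCha20 speed question is a separate matter of which of these AEAD suites to prefer, not of whether a weak one can slip in.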