Subj : Binkd and TLS
To   : Alan Ianson
From : Michiel van der Vlist
Date : Tue Dec 17 2019 10:40 am

Hello Alan,

On Monday December 16 2019 14:59, you wrote to me:

MV>> 1) Don't fix it if it ain't broke. I am not convinced yet that
MV>> binkd's security is broke and needs fixing.

AI> I don't think binkd or the binkp protocol are broken and need fixing.

Then what problem ARE we trying to fix?

MV>> I am not convinced that TLS offers better protection against
MV>> snooping than what binkd already has. Half of TLS is providing
MV>> authoritative identity to the server. I don't see any value for
MV>> that in Fidonet. TTBOMK there has been no case of someone
MV>> successfully setting up a rogue node and masquerading for someone
MV>> else. If only because there is no business model...

AI> This has happened in the past. nobogus comes to mind.

Apples and oranges. Nobogus solved problems created by rogue CLIENTS. TLS does
not protect against that. It only authorises the /server/, not the /client/.

AI> TLS certainly offers better security. No question.

So you say. But merely claiming it is "better" is just like claiming aluminium
is "better" than copper.

In what way is TLS "better"? A claim of "better" security has to be more
specific than just that. Better than what? Better against what threats and by
whom?

If you do not specify the threat, a claim of better security is meaningless.

MV>> 2) It violates the KISS principle. I see little or no added value
MV>> in adding TLS to Binkd. In the case of Binkd it just makes things
MV>> more complicated and prone to misconfiguration and other mishaps.

AI> It does require some setup. Synchronet's BinkIT mailer currently has
AI> support for a binkps listener setup like this in Synchronet's
AI> services.ini

The world of Fidonet is bigger than Synchronet (Thank god). You make it sound
like "Synchronet supports it, so it must be a good thing". Sorry, I am not of
the "Synchronet is better" club.

AI> This was all done without changing binkp. We have simply put binkp on
AI> a secure channel.

But why? I still have no answer for that. Let me put it this way:

If binkd over TLS is the solution, what is the problem?


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20170303
* Origin: http://www.vlist.eu (2:280/5555)