
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   BINKD      Support for the Internet BinKD mailer      8,958 messages   


   Message 6,472 of 8,958   
   Alexey Fayans to Alan Ianson   
   BINKP over TLS   
   17 Dec 19 03:44:36   
   
   MSGID: 2:5030/1997@fidonet 5df82b49   
   REPLY: 1:153/757 5df807c5   
   CHRS: CP866 2   
   TZUTC: 0300   
   TID: FastEcho 1.46.1 43272   
   Hello Alan!   
      
   On Mon, 16 Dec 2019 at 14:29 -0800, you wrote to me:   
      
    AF>> No it doesn't. MitM attack can only fool client into thinking   
    AF>> that TLS is not supported. But you can require TLS on a client   
    AF>> side and it will just disconnect, no harm done.   
    AI> I believe it does.   
      
   It's not about believing. You can read on Wikipedia for example about MitM and   
   STARTTLS. MitM can fool client into thinking STARTTLS is not supported.   
   Mitigation is requiring encryption on client side. As simple as that.   
      
    AI> That's why STARTTLS has been deprecated.   
      
   It's not deprecated globally. Deprecation is only _proposed_ for SMTP and   
   other mail protocols and there are reasons for that, but that doesn't mean it   
   is deprecated for everything else.   
      
    AI> I don't think the binkd developers are going to bring STARTTLS to the   
    AI> table but we need to hear from them.   
      
   Exactly.   
      
    AI>>> Synchronet's implementation is looking good to me. Direct TLS   
    AI>>> and is working in my experience.   
    AF>> Still it requires modification to configurations, nodelist   
    AF>> changes and probably DNS changes as well. STARTTLS would   
    AF>> eliminate all of that.   
    AI> It requires a binkps listener to receive and "BinkpTLS=true" in the   
    AI> node section of sbbsecho.ini for nodes you want to poll with binkps.   
      
   Synchronet is not the only software out there. And manual configuration is not   
   even an option. Globally, (1) a new nodelist flag is required to indicate   
   support of binkps and its port; (2) binkps must be supported on DNS level as   
   well, i.e. _binkps._tcp SRV records; (3) nodelist parsers must be updated to   
   understand new flag; (4) additional configuration must be introduced in   
   mailers to support binkps, and for binkd it may be an issue since node records   
   were not designed for multiple protocols based on different ports.   
      
   With STARTTLS none of this is a problem. Additional configuration flag to   
   require TLS connection is easy to implement, nodelist flag is optional and may   
   be used to tell client to require TLS when connecting to supporting node, and   
   additional DNS SRV records are not needed as well.   
      
    AF>> In fact this doesn't look like a good place to discuss technical   
    AF>> stuff, BINKD seems like a better one.   
    AI> I have eyes on the area so we can move the discussion there if you   
    AI> like.   
      
   Sure, I'll crosspost it there.   
      
   * Originally in FIDONEWS   
   * Crossposted in BINKD   
      
      
   ... Music Station BBS | https://bbs.bsrealm.net | telnet://bbs.bsrealm.net   
   --- GoldED+/W32-MSVC 1.1.5-b20180707   
    * Origin: Music Station | https://ms.bsrealm.net (2:5030/1997)   
   PATH: 5030/1997 5023/24 5020/715 4441 1042 280/5555 464 229/426   
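
Added example, not part of the original message and not binkd code: a simulation of the negotiation discussed above, showing that a stripped STARTTLS offer ends in a silent plaintext session only when the client is opportunistic. The `CAPS` line protocol, the `require_tls` option and the `TLS` nodelist flag are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SECRET = "PWD session-password"  # constructed sample credential

@dataclass
class Outcome:
    state: str                                     # "tls", "plaintext" or "disconnected"
    cleartext: list = field(default_factory=list)  # client lines visible on the wire

def server_greeting(supports_starttls):
    """Greeting of a hypothetical line protocol: 'CAPS <token> ...'."""
    return "CAPS PING" + (" STARTTLS" if supports_starttls else "")

def strip_starttls(line):
    """The on-path rewrite from the thread: the STARTTLS offer is hidden."""
    return " ".join(tok for tok in line.split() if tok != "STARTTLS")

def poll(greeting, require_tls=False, nodelist_flags=()):
    """Client side: act on the greeting that actually arrived."""
    out = Outcome("disconnected")
    offered = "STARTTLS" in greeting.split()[1:]
    # Hypothetical nodelist flag "TLS": the node is known to support TLS, so a
    # missing offer is treated as tampering, not as "unsupported".
    must_encrypt = require_tls or "TLS" in nodelist_flags
    if offered:
        out.cleartext.append("STARTTLS")  # last line sent in the clear
        out.state = "tls"                 # the handshake would start here
    elif not must_encrypt:
        out.cleartext.append(SECRET)      # opportunistic client falls back
        out.state = "plaintext"
    # else: drop the connection before sending anything
    return out

def scenarios():
    honest = server_greeting(True)
    tampered = strip_starttls(honest)
    return {
        "direct, opportunistic": poll(honest),
        "stripped, opportunistic": poll(tampered),
        "stripped, require_tls": poll(tampered, require_tls=True),
        "stripped, nodelist flag": poll(tampered, nodelist_flags=("IBN", "TLS")),
        "server without TLS, require_tls": poll(server_greeting(False), require_tls=True),
    }

if __name__ == "__main__":
    for name, o in scenarios().items():
        print(f"{name:34} -> {o.state:12} cleartext={o.cleartext}")
```

Only the "stripped, opportunistic" row puts the credential on the wire; with either the local option or the nodelist flag the client disconnects with nothing sent.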
      
