
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   BINKD      Support for the Internet BinKD mailer      8,958 messages   


   Message 6,821 of 8,958   
   Oli to Phillip L Taylor Jr   
   BINKP over TLS   
   29 Apr 20 10:27:16   
   
   REPLY: 1:275/201.30@fidonet 5ea905b6   
   MSGID: 2:280/464.47@fidonet 5ea93a65   
   PID: GED+LNX 1.1.5-b20180707   
   CHRS: UTF-8 4   
   TZUTC: 0200   
   TID: CrashMail II/Linux 1.7   
   28 Apr 20 22:42, you wrote to All:   
      
    PJ> On Tue 17-Dec-2019  8:33 , Oli@2:275/201.0 said to Alexey Fayans:   
    O>>  AF>>> No it doesn't. MitM attack can only fool client into thinking
    O>>  AF>>> that TLS is not supported. But you can require TLS on a client
    O>>  AF>>> side and it will just disconnect, no harm done.
    O>>  AI>> I believe it does.
      
    PJ> What is TLS and what is different about it from what we are using   
    PJ> today with the standard Binkd config?   
      
   The binkp CRYPT extension requires a session password for the encryption. With
   TLS it's possible to use encryption without a session password.   
      
    PJ> If you're a hub why would you force your clients to use it?
      
   I think there is some context missing. IIRC the discussion was about
   opportunistic TLS: the connection starts as plaintext and then is upgraded to
   a TLS encrypted session. A man-in-the-middle can strip the TLS negotiation. To   
   mitigate the attack the client could insist on TLS and refuse any plaintext   
   connection. See   
   https://en.wikipedia.org/wiki/Opportunistic_TLS   
      
   There is no standard for opportunistic TLS with binkp. We are using direct
   TLS now. The server listens on another port and expects a TLS session on that   
   port (but still can offer plaintext sessions on the IBN port).   
      
    PJ> Some of us are using some really old operating systems.   
      
   It's possible to run a TLS proxy on another machine, like a Raspberry Pi or an   
   OpenWRT based router.   
      
   Using Tor and Tor hidden services is much easier to set up though.
      
    * Origin: kakistocracy (2:280/464.47)   
   SEEN-BY: 1/123 90/1 103/705 120/340 601 154/10 203/0 221/0 226/30   
   SEEN-BY: 227/114 229/101 200 426 664 1014 240/5832 249/109 307 317   
   SEEN-BY: 280/464 5003 5555 288/100 292/854 8125 310/31 342/200 396/45   
   SEEN-BY: 423/120 712/848 770/1 2452/250   
   PATH: 280/464 229/426   
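
The contrast drawn in the message above, as an added example that is not part of the original post: an opportunistic client falls back to plaintext when no upgrade is offered, while a direct-TLS client fails closed when the peer does not answer with TLS. The `STARTTLS` token, the host name `bbs.example` and the greeting bytes are constructed assumptions; as the message says, binkp has no standard opportunistic upgrade.

```python
import socket
import ssl

# Constructed bytes standing in for a plaintext greeting from the peer
# (sample data for this example, not captured traffic).
PLAINTEXT_GREETING = b"\x80\x10\x00SYS example-bbs"

def fake_peer(greeting=PLAINTEXT_GREETING):
    """Return a connected socket pair whose far end has already sent `greeting`."""
    ours, theirs = socket.socketpair()
    theirs.sendall(greeting)
    ours.settimeout(2)
    return ours, theirs

def opportunistic_client(sock, upgrade_token=b"STARTTLS"):
    """Hypothetical opportunistic client: upgrade only if the peer offers it."""
    banner = sock.recv(256)
    if upgrade_token in banner:
        return "would-upgrade"
    return "plaintext"  # token absent: never sent, or removed on the path

def direct_tls_client(sock, hostname):
    """Direct TLS: the first bytes this client sends are a TLS ClientHello."""
    ctx = ssl.create_default_context()  # verifies certificate and host name
    try:
        tls = ctx.wrap_socket(sock, server_hostname=hostname)
    except (ssl.SSLError, OSError):
        return "refused"  # peer did not answer with TLS: fail closed
    tls.close()
    return "tls"

def run_demo():
    """Run both clients against the same plaintext-only peer."""
    clients = (("opportunistic", opportunistic_client),
               ("direct", lambda s: direct_tls_client(s, "bbs.example")))
    results = {}
    for name, client in clients:
        ours, theirs = fake_peer()
        try:
            results[name] = client(ours)
        finally:
            ours.close()
            theirs.close()
    return results

if __name__ == "__main__":
    print(run_demo())
```
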
      



(c) 1994,  bbs@darkrealms.ca