• Re: BINKP over TLS

    From Phillip L Taylor Jr@1:275/201.30 to All on Tue Apr 28 22:42:25 2020
    On Tue 17-Dec-2019 8:33 , Oli@2:275/201.0 said to Alexey Fayans:
    No it doesn't. MitM attack can only fool client into thinking
    that TLS is not supported. But you can require TLS on a client
    side and it will just disconnect, no harm done.
    I believe it does.

    What is TLS and what is different about it from what we are using today with the standard Binkd config? If you're a hub why would you force your clients to use it? Some of us are using some really old operating systems.
    --- CNet/5
    * Origin: 1:275/201.0 (1:275/201.30)
  • From Alan Ianson@1:153/757 to Phillip L Taylor Jr on Tue Apr 28 22:23:22 2020
    Hello Phillip,

    What is TLS and what is different about it from what we are using
    today with the standard Binkd config?

    TLS is Transport Layer Security. It is the successor to SSL. When you use a secure https:// website you are using TLS. It is used for security and privacy.

    If you're a hub why would you force your clients to use it? Some of us
    are using some really old operating systems.

    I don't think anyone is forcing anything. You can connect to my node as always on port 24554 or using TLS on port 24553.

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)
  • From Oli@2:280/464.47 to Phillip L Taylor Jr on Wed Apr 29 10:27:16 2020
    28 Apr 20 22:42, you wrote to All:

    On Tue 17-Dec-2019 8:33 , Oli@2:275/201.0 said to Alexey Fayans:
    No it doesn't. MitM attack can only fool client into thinking
    that TLS is not supported. But you can require TLS on a client
    side and it will just disconnect, no harm done.
    I believe it does.

    What is TLS and what is different about it from what we are using
    today with the standard Binkd config?

    the binkp CRYPT extension requires a session password for the encryption. With TLS it's possible to use encryption without a session password.

    If you're a hub why would you force your clients to use it?

    I think there is some context missing. IIRC the discussion was about opportunistic TLS: the connection starts as plaintext and then is upgraded to a TLS encrypted session. A man-in-the-middle can strip the TLS negotiation. To mitigate the attack the client could insist on TLS and refuse any plaintext connection. See
    https://en.wikipedia.org/wiki/Opportunistic_TLS

    There is no standard for opportunistic TLS with binkp. We are using direct TLS now. The server listens on another port and expects a TLS session on that port (but still can offer plaintext sessions on the IBN port).

    Some of us are using some really old operating systems.

    It's possible to run a TLS proxy on another machine, like a Raspberry Pi or an OpenWRT based router.

    Using Tor and Tor hidden services is much easier to set up though.


    * Origin: kakistocracy (2:280/464.47)
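
Added example, not part of the original thread and not code from binkd or any mailer: a small simulation of the downgrade discussed in the post above, comparing a client that accepts plaintext fallback with one that requires TLS. The greeting lines, the `OPT TLS` capability token and the policy names are hypothetical, since the thread notes there is no standard for opportunistic TLS with binkp.

```python
# Constructed simulation. "OPT TLS" and the policy names are hypothetical;
# they are not part of binkp or of any binkd release.

class PlaintextRefused(Exception):
    """Raised when a TLS-requiring client is not offered a TLS upgrade."""

def server_greeting(supports_tls=True):
    """Plaintext lines a server sends before any upgrade (constructed)."""
    lines = ["SYS Example BBS", "VER example/1.0"]
    if supports_tls:
        lines.append("OPT TLS")
    return lines

def strip_tls(lines):
    """On-path tampering: the unauthenticated TLS offer is removed."""
    return [line for line in lines if line != "OPT TLS"]

def client_connect(greeting, policy):
    """Return the transport the client ends up with.

    "opportunistic": upgrade if offered, otherwise continue in plaintext.
    "require":       upgrade if offered, otherwise disconnect.
    """
    if policy not in ("opportunistic", "require"):
        raise ValueError("unknown policy: %r" % policy)
    if "OPT TLS" in greeting:
        return "tls"
    if policy == "require":
        raise PlaintextRefused("no TLS offered; disconnecting")
    return "plaintext"

def run_matrix():
    """Outcome for every (network path, client policy) combination."""
    paths = (("clean", True, lambda g: g),     # TLS server, no tampering
             ("mitm", True, strip_tls),        # TLS server, offer stripped
             ("legacy", False, lambda g: g))   # server without TLS support
    results = {}
    for name, supports_tls, tamper in paths:
        for policy in ("opportunistic", "require"):
            try:
                outcome = client_connect(tamper(server_greeting(supports_tls)), policy)
            except PlaintextRefused:
                outcome = "disconnected"
            results[(name, policy)] = outcome
    return results

if __name__ == "__main__":
    for key, outcome in sorted(run_matrix().items()):
        print(key, "->", outcome)
```

The "mitm" and "legacy" rows come out identical for each policy: the client cannot tell a stripped offer from a server that never had TLS, so only the "require" policy avoids sending plaintext.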
  • From mark lewis@1:3634/12 to Oli on Wed Apr 29 09:02:06 2020
    Re: BINKP over TLS
    By: Oli to Phillip L Taylor Jr on Wed Apr 29 2020 10:27:16


    Using Tor and Tor hidden services is much easier to set up though.

    it also isn't allowed everywhere either... try connecting to my site/system via
    Tor using any protocol you desire ;)


    )\/(ark
    --- SBBSecho 3.11-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
  • From Oli@2:280/464.47 to mark lewis on Wed Apr 29 16:19:14 2020
    29 Apr 20 09:02, you wrote to me:

    Using Tor and Tor hidden services is much easier to set up
    though.

    it also isn't allowed everywhere either... try connecting to my site/system via Tor using any protocol you desire ;)

    If you don't offer a Tor hidden service, I cannot connect to your node's (non existent) .onion address.

    Blocking incoming connections from Tor exit nodes doesn't prevent a hidden service from working.

    I don't recommend unencrypted binkp connections over Tor exit nodes.


    * Origin: kakistocracy (2:280/464.47)
  • From mark lewis@1:3634/12 to Oli on Wed Apr 29 13:01:51 2020
    Re: BINKP over TLS
    By: Oli to mark lewis on Wed Apr 29 2020 16:19:14


    Using Tor and Tor hidden services is much easier to set up
    though.

    it also isn't allowed everywhere either... try connecting to my
    site/system via Tor using any protocol you desire ;)

    If you don't offer a Tor hidden service, I cannot connect to your node's
    (non existent) .onion address.

    i never said or indicated that i did run such a service... perhaps your statement was too loose or general? or perhaps i misread it? :shrug:


    Blocking incoming connections from Tor exit nodes doesn't prevent a
    hidden service from working.

    no one said it did ;)

    blocking incoming from such also blocks outgoing to such, though... my perimeter firewall does an exceptional job of performing that task :)


    I don't recommend unencrypted binkp connections over Tor exit nodes.

    why not? binkp connections carry state secrets? somehow i don't think so...


    )\/(ark
    --- SBBSecho 3.11-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)