You were saying in another area something about using binkp over TLS.
Is it possible to do that now?
I'm going to hang on for a day or three and see if Alexey has
anything to say about secure binkp and then I'll likely netmail him
and see what (if anything) he has to say about it.
In the mean time though, I don't mind just messing with it and see
what can be done around all that.
You were saying in another area something about using binkp over TLS.
Is it possible to do that now?
I'm going to hang on for a day or three and see if Alexey has
anything to say about secure binkp and then I'll likely netmail him
and see what (if anything) he has to say about it.
I was thinking about this and the posibility of a standard so
different mailers could use secure binkp.
JFYI: binkd already has this capability.
Alexey said something about secure binkp that made me curious.
Yes. We needed a method for safe and secure peer-to-peer file distribution:
0. Looking like a completely different protocol.
1. Immune to DPI (twice a fuck to Roscompozor).
2. Almost impossible to ban
(18446744073709551616 more fucks to Roscompozor).
3. Capable of connection multiplexing on a single host:port pair.
You were saying in another area something about using binkp
over TLS. Is it possible to do that now?
With binkd it is.
The easiest way is to install stunnel and ncat. You have to create
a self-signed certificate (or use the one from letsencrypt) and
configure stunnel. Just take an example for https, smtps, imaps or
pop3s and change the ports.
and then use -pipe and ncat in the node line:
node 5:4/3@fidonet -pipe "ncat --ssl-alpn binkp *H *I"
hostname:24553 - or
node 5:4/3@fidonet -pipe "ncat --ssl hostname 24553"
You were saying in another area something about using binkp
over TLS. Is it possible to do that now?
You could use my node to test outgoing binkp TLS connections. My
node might be offline at times, so first two ways of testing
connectivity from the command line:
I'm going to hang on for a day or three and see if Alexey has
anything to say about secure binkp and then I'll likely netmail
him and see what (if anything) he has to say about it.
Alexey answered to your echomail. I'm still not sure what he meant
with secure binkp. Is it the CRYPT extension? It's not really
"totally new technology", but never published by the FTSC. Or is
there a new protocol in development?
Sounds like Alexey is thinking on a new protocol. Maybe we'll end up with a binkd mailer that supports binkp as it is and another protocol for secure binkp, possibly binkps.
He made it sound like TLS was not a solution, and insecure?
node 5:4/3@fidonet -pipe "ncat --ssl-alpn binkp *H *I"
hostname:24553 - or
node 5:4/3@fidonet -pipe "ncat --ssl hostname 24553"
This can be used to connect securely to a binkd mailer listening
securely?
He made it sound like TLS was not a solution, and insecure?
I didn't quite follow what he said there.
On the one hand we have TLS 1.3 developed openly over years by the
key players in the industry and experts from the crypto community.
On the other hand we have the statement from Alexey about something something insecure without pointing to any specific vulnerability.
There is a lot to criticize about Google, Mozilla and Cloudflare,
but when it comes to encryption I think they are doing a pretty
good job. The Snowden leaks were a wake-up call and many were
pissed and angry. Since then there is a clear determination to
encrypt everything as secure as possible. If new vulnerabilities
are discovered, they will be fixed ...
Maybe someone will implement a good alternative to TLS for binkp or
a completely new protocol, but I haven't seen any announcement.
Until then TLS (1.3) could provide strong encryption and is easy to
add (the other alternative is encryption at the transport layer,
like VPN, Tor, i2p, IPsec, ...)
My understanding is that TLS 1.3 is secure and a good way to proceed.
Maybe someone will implement a good alternative to TLS for
binkp or a completely new protocol, but I haven't seen any
announcement. Until then TLS (1.3) could provide strong
encryption and is easy to add (the other alternative is
encryption at the transport layer, like VPN, Tor, i2p,
IPsec, ...)
I don't know much about these alternate transport methods. My only
presence on the web is my BBSs web site.
I have heard IPsec but don't know what that is. Something to do with
IPv6? If connected via IPv6 do I have IPsec enabled or do I need to
take extra steps for that, and does it negate the need for other
security like TLS?
My understanding is that TLS 1.3 is secure and a good way to proceed.
--- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)NuSkooler
Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic
What I forgot to mention is that QUIC will be the next big thing / encrypted protocol (HTTP/3 is based on it).
I don't mean to butt in, but the TLS 1.3 protocol is certainly
secure. Ensure you choose secure & modern suite(s). For example: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305 _SHA256
Your not butting in at all, and if you are you are welcome too.. :)
On Monday, November 25th Al was heard saying...
My understanding is that TLS 1.3 is secure and a good way to
proceed.
I don't mean to butt in, but the TLS 1.3 protocol is certainly
secure. Ensure you choose secure & modern suite(s). For example: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
AES has the benefit of using AES-NI instructions on modern CPUs.
Without these instructions it can be up 30x slower and much more CPU intensive. If you're running on very old hardware, some of this
becomes almost a no-go as it's just too intensive.
TLS is for PKI, which might make sense for a network op who could
perhaps but the Certificate Authority (CA), but I can see that
quickly becoming an issue when someone loses their private key/etc.
A end-to-end encryption system might be better if you're considering
from scratch (but of course OpenSSL and such make TLS much easier to implement).
Is it possible to choose insecure ciphersuites with TLS 1.3?
But how important is the support for _very_ old hardware? Is anyone still developing Fidonet software for these computers, especially a binkp mailer? Does binkp still compile for Amiga 68k? Is it possbile to use any secure encryption (by todays standards) on these machines?
There are two options: 1) You just run your old software with no or weak encryption as all the other nodes do today. 2) You do the encryption on another device.
I would like to avoid this. This would open another can of worms.
What do you mean with e2e encryption in this context? e2e on the network level or on the message level?
--- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)NuSkooler
Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic
I would like to avoid this. This would open another can of
worms.
Build in support for Let's Encrypt :)
I have mail for you, please poll my node to get it< Okay
cu, byeor
[files]or
done, bye
whatever, bye
For testing we can use self-signed certs.
What is still missing is some authentication of incoming connections if no session password is configured. On the TLS level we could use client certificates, but it would make everything more complicated and less flexible.
--- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)NuSkooler
Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic
On Wednesday, November 27th Oli said...
What is still missing is some authentication of incoming
connections if no session password is configured. On the TLS
level we could use client certificates, but it would make
everything more complicated and less flexible.
I've used client authentication many times over the years, what are
you concerns over compliexity/less flexible here? As for passwords,
they are now OK to send as they don't go over the wire unless the TLS handshake completes (or maybe I'm misunderstanding what you're saying
here)
Sysop: | Eric Oulashin |
---|---|
Location: | Beaverton, Oregon, USA |
Users: | 94 |
Nodes: | 16 (0 / 16) |
Uptime: | 06:53:03 |
Calls: | 5,136 |
Calls today: | 3 |
Files: | 8,491 |
D/L today: |
1 files (279K bytes) |
Messages: | 352,528 |