Am 17.02.22 schrieb Joachim Probst@2:240/6309 in FTSC_PUBLIC:

Hallo Joachim,

Just going along that line, but without rewriting FTS-1, or using the idea as a gating method from the new FTS to FTS-1:

We do have mails and we do have files. [...]

I like that idea. What do the software developers, like Rob or Tim,
think of that?

Regards,
Anna

--- OpenXP 5.0.51
* Origin: Imzadi Box Point (2:240/5824.1)

Am 17.02.22 schrieb Ward Dossche@2:292/854 in FTSC_PUBLIC:

Hallo Ward,

[...]

Change/evolution in Fidonet has only happened when "someone did it". So, are you available to work on this, not just propose it, take all the blame and see marc lewis take all the credit?

I know that 'someone has to do it'. And I'm no good software developer (concerning FTN software, I only added some functions to HatchIT, the hatching software of Synchronet), so I'm not available for such big
projects.

I thought that while the people who do write good software (like Rob
or Tim) are currently talking about this topic, I could add an idea to
that topic.

But as it doesn't seem to be appropriate to take part in such a
conversation without developing myself, I will leave this discussion
now.
Thank you for your reminder that this network is not the most
welcoming one.

Regards,
Anna

--- OpenXP 5.0.51
* Origin: Imzadi Box Point (2:240/5824.1)

Hello Anna,

Change/evolution in Fidonet has only happened when "someone did it". AC>WD> So, are you available to work on this, not just propose it, take all AC>WD> the blame and see marc lewis take all the credit?

Thank you for your reminder that this network is not the most
welcoming one.

Where have you read something negative in my words above? It's just an absolute fact without any negative connotation ... Change only happens because someone makes it happen ... if something's good, it will be picked-up by others; if it sucks...well...then it sucks.

If you read something else in there, you will need to make clear what you "interpreted" what I wrote because my text is |absolute|.

Take care,

\%/@rd

--- DB4 - Feb 20 2022
* Origin: Hou het veilig, hou vol. Het komt allemaal weer goed (2:292/854)

Re: Re: Directly include binary data in messages
By: Anna Christina Nass to Joachim Probst on Tue Feb 22 2022 12:18 pm

Am 17.02.22 schrieb Joachim Probst@2:240/6309 in FTSC_PUBLIC:

Hallo Joachim,

Just going along that line, but without rewriting FTS-1, or using the idea as a gating method from the new FTS to FTS-1:

We do have mails and we do have files. [...]

I like that idea. What do the software developers, like Rob or Tim,
think of that?

Pretty trivial. In fact, any echomail program that supports multiple packet formats (e.g. SBBSecho supports packet types 2.0, 2+, 2e, and 2.2) can be used as a gateway between old and even older technology systems. :-)
--
digital man (rob)

Synchronet/BBS Terminology Definition #6:
BBS = Bulletin Board System
Norco, CA WX: 54.7°F, 57.0% humidity, 2 mph ESE wind, 0.00 inches rain/24hrs --- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

//Hello Maurice,//

on *23.02.2022* at *9:37:29* You wrote in Area *FTSC_PUBLIC*
to *Tim Schattkowsky* about *"Re^2: Directly include binary data in messages"*.

WHY is there any need for a new packet format?

There isn't and wasn't.

Ok, seems we all agree here.

So while I enjoy the discussion, it seems really more benefitial to talk about actually advancing the functionality of fidonet to keep it sort of relevant compared to other platforms. IMHO, fidonet eventually has to some extent to compare to social media platforms and particularly to reddit, as reddit seems to do for a lot of people what fido did for them in the past. And no, I certainly see no way of competing with such platforms and surely thats not the intent here. Still, each user compares the provided capabilites and that is where I see fundamental technical shortcomings.

It is my belief (in line with some of the points brought up recently), that the fidonet infratstucture should be improved (also on the software side) to
- make large messages (in the order of magnitude of up to a few MB) a non-issue for most users,
- enable embedding of images and (small) binary data in messages in a compatible way,

and later on

- enable private communication between endpoints (i.e., encrypted authenticated netmail)
- maybe support (well-defined?) HTML mail (quite debateable) or the like

Regards,
Tim

--- WinPoint 400.3
* Origin: Original WinPoint Origin! (2:240/1120.29)

Hi Tim,

On 2022-02-24 13:15:02, you wrote to Maurice Kinal:

It is my belief (in line with some of the points brought up recently), that the fidonet infratstucture should be improved (also on the
software side) to

- make large messages (in the order of magnitude of up to a few MB) a non-issue for most users,

- enable embedding of images and (small) binary data in messages in a compatible way,

and later on

- enable private communication between endpoints (i.e., encrypted authenticated netmail)

- maybe support (well-defined?) HTML mail (quite debateable) or the
like

This already exists. It's called email. ;)

Bye, Wilfred.

--- FMail-lnx64 2.1.0.18-B20170815
* Origin: FMail development HQ (2:280/464)

Hi Tim!

24 Feb 2022 13:15, from Tim Schattkowsky -> Maurice Kinal:

- enable private communication between endpoints (i.e., encrypted authenticated netmail)

That can be done by the use of GPG (or PGP).

This is for example the way used by the big german E-Mail provider gmx.de

Golded supports this by using GPG externally:

EXTERNOPTIONS -pauseonerror -nokeepctrl -wipe
EXTERNUTIL 1 gpg +force -sa @tmpfile -u "@oname" -o @file ;sign
EXTERNUTIL 2 gpg +force -ea @tmpfile "@dname" -u "@oname" -o @file ;encrypt
EXTERNUTIL 3 gpg +force -eas @tmpfile "@dname" -u "@oname" -o @file ;enc & sign
EXTERNUTIL 4 -pause gpg +force @tmpfile -o @file -u "@dname" ;decrypt
EXTERNUTIL 5 -noreload gpg +force -ka @file -u "@dname" ;add key
EXTERNUTIL 6 c:\fido\golded\mykey.bat @file ;add mykey

EDITSAVEUTIL 1 "S PGP Sign the msg"
EDITSAVEUTIL 2 "E PGP Encrypt the msg"
EDITSAVEUTIL 3 "Y PGP EncrYpt & Sign the msg"
EDITSAVEUTIL 6 "M add My PGP key"

CU, Ricsi

... In its natural state, tofu is good for minor driveway repairs.
--- GoldED+/LNX
* Origin: Don't use time or words carelessly! (2:310/31)

//Hello Wilfred,//

on *24.02.2022* at *12:32:20* You wrote in Area *FTSC_PUBLIC*
to *Tim Schattkowsky* about *"Re^3: Directly include binary data in messages"*.

It is my belief (in line with some of the points brought up recently),
that the fidonet infratstucture should be improved (also on the software
side) to

- make large messages (in the order of magnitude of up to a few MB) a
non-issue for most users,

- enable embedding of images and (small) binary data in messages in a
compatible way,

and later on

- enable private communication between endpoints (i.e., encrypted
authenticated netmail)

- maybe support (well-defined?) HTML mail (quite debateable) or the
like

This already exists. It's called email. ;)

Fully agree, but that probably wont help fidonet users (other than moving them away). It might make sense to consistently apply exactly these technologies (MIME messages with HTML text, encryption ...) also for fidonet, in particular also for improving echo mail capabilities.

For private messages, there is little sense in competing with email. Surely fidonet netmail is not going to replace email during the next 5 years. However, it makes a lot of sense to provide comparable capabilities just to enable users to make consistent use of netmail and echomail while having basic capabilities that are just not worse than email 20 years ago. Currently thats not remotely the case.

Regards,
Tim

--- WinPoint 400.3
* Origin: Original WinPoint Origin! (2:240/1120.29)

Tim,

It is my belief (in line with some of the points brought up recently),
that the fidonet infratstucture should be improved (also on the software side) to
- make large messages (in the order of magnitude of up to a few MB) a non-issue for most users,
- enable embedding of images and (small) binary data in messages in a compatible way,

Hmmmmm ... would a totally different zone help? Even just as a test-platform?

\%/@rd

--- DB4 - 20220222
* Origin: Hou het veilig, hou vol. Het komt allemaal weer goed (2:292/854)

Hey Tim!

Ok, seems we all agree here.

That isn't the problem. The problem is getting things done.

Anyhow you have interesting ideas that probably don't require many, if any, changes to existing standards in order to be successful.

Life is good,
Maurice

... Eþel byþ oferleof æghwylcum men.
Home is very dear to every man.
--- GNU bash, version 5.1.16(1)-release (x86_64-moosile-linux-gnu)
* Origin: Little Mikey's Brain - Ladysmith BC, Canada (1:153/7001)

Hey Ward!

Hmmmmm ... would a totally different zone help? Even just as a test-platform?

I seem to recall something like that being proposed back in the late 1990's in order to facillitate the new-fangled ip based nodes. Later the idea was to give all ip nodes their own zone. To be honest I am glad that never happened. A test zone might be something worth investigation but given the numbers I think it would be wise to stick together as much as possible.

Life is good,
Maurice

... It comes in, it must go out.
- Teslacle's Deviant to Fudd's Law.
--- GNU bash, version 5.1.16(1)-release (x86_64-moosile-linux-gnu)
* Origin: Little Mikey's Brain - Ladysmith BC, Canada (1:153/7001)

Maurice,

Hmmmmm ... would a totally different zone help? Even just as a
test-platform?

I seem to recall something like that being proposed back in the late
1990's in order to facillitate the new-fangled ip based nodes.

I don't think I was involved in that...

\%/@rd

--- DB4 - 20220222
* Origin: Hou het veilig, hou vol. Het komt allemaal weer goed (2:292/854)

//Hello Maurice,//

on *24.02.22* at *16:06:18* You wrote in Area *FTSC_PUBLIC*
to *Ward Dossche* about *"Re^3: Directly include binary data in messages"*.

A test zone might be something worth investigation
but given the numbers I think it would be wise to stick together as much as possible.

That is a valid point at least when actually introducing that technology in the field. It might still be of value to have a small test zone for validation before. But that is something that can be seen clearer, when we know how the system works.

Regards,
Tim

--- WinPoint 400.3
* Origin: Original WinPoint Origin! (2:240/1120.29)

For private messages, there is little sense in competing with email. Surely fidonet netmail is not going to replace email during the next 5 years. However, it makes a lot of sense to provide comparable
capabilities just to enable users to make consistent use of netmail and echomail while having basic capabilities that are just not worse than email 20 years ago. Currently thats not remotely the case.

We do have some additional security being used today, some of which could be refined and adopted. Between you, Rob, and I we have a substancial user base that gives us the power to create positive change.

Synchronet and Mystic support direct BINKP over SSL natively which is a good start to securing transmission. At one point I had a opportunistic SSL version of BinkP as well.

Of course SSL doesn't stop routed netmail from being read by a SysOp in the middle though, so in this case Mystic does AES-256 encrypted netmail if its setup with an encryption key for the address being netmailed.

... Kilometers are shorter than miles. Save gas, take your trip in kilometers

--- Mystic BBS v1.12 A48 2022/02/17 (Windows/32)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Hello Tim!

24 Feb 22 15:19, you wrote to Wilfred van Velzen:

For private messages, there is little sense in competing with email. Surely fidonet netmail is not going to replace email during the next 5 years. However, it makes a lot of sense to provide comparable capabilities just to enable users to make consistent use of netmail and echomail while having basic capabilities that are just not worse than email 20 years ago. Currently thats not remotely the case.

E-mail has not changed either in te last 20 years. The only thing that has
changed are the user clients that can now display mime encapsulated messages.

Designing a different way of encapsulation for fidonet is hardly productive.
Mime encapsulation is not hostile to the content section of fidonet messages.

No changes have to have to be made to Fidonet. The only changes
are at the presentation layer, wich is not subject to fidonet standards.

Kees

--- GoldED+/LNX 1.1.5--b20180707
* Origin: As for me, all I know is that, I know nothing. (2:280/5003.4)

Hey Ward!

I don't think I was involved in that...

I forget now who spearheaded the ip fidonet stuff but he was definetly European with a Zone 2 address. mark might have a better memory of this.

Life is good,
Maurice

... Getreowan freond... deorweorðeste ðyng eallra þissa woruldgesælþa.
True friends are the most precious of all this world's joys.
--- GNU bash, version 5.1.16(1)-release (x86_64-moosile-linux-gnu)
* Origin: Little Mikey's Brain - Ladysmith BC, Canada (1:153/7001)

Maurice,

I don't think I was involved in that...

I forget now who spearheaded the ip fidonet stuff but he was definetly European with a Zone 2 address.

That seems to be correct, someone (but I forgot who) briefed me on discussions that were had in an ad-hoc workgroup and IP-flags were introduced on Nov 11 1998.

Somewhere on the internet you can read a text by David Moufarrege, and I really can't believe he actually wrote it himself:

"My thanks go to Bob Satti and Ward Dossche - for having the vision to
permit and promote the use of IP - Mailers, Flags and Nodelist entries in
their respective zones."

Bob was actually against it and wanted Fido to remain PSTN-only. He was pretty pissed when I facilitated those flags in the nodelist and had no option but jump on the bandwagon.

\%/@rd

--- DB4 - 20220222
* Origin: Hou het veilig, hou vol. Het komt allemaal weer goed (2:292/854)

Hey Ward!

an ad-hoc workgroup and IP-flags were introduced on Nov 11 1998.

That all sounds familiar.

He was pretty pissed when I facilitated those flags in the
nodelist

Them were the days. You were such a badass. What happened?

Life is good,
Maurice

... Seoc se biþ þe to seldan ieteð.
The one who eats too seldom will be sick.
--- GNU bash, version 5.1.16(1)-release (x86_64-moosile-linux-gnu)
* Origin: Little Mikey's Brain - Ladysmith BC, Canada (1:153/7001)

Good ${greeting_time}, James!

24 Feb 2022 12:01:32, you wrote to Tim Schattkowsky:

Synchronet and Mystic support direct BINKP over SSL natively which
is a good start to securing transmission.

It's the most stupid thing that could be done.

The SSL was good 15...20 years ago, but now it doesn't conform to modern requirements. Also, it is almost useless in a peer-to-peer environment.

Of course SSL doesn't stop routed netmail from being read by a SysOp
in the middle though, so in this case Mystic does AES-256 encrypted

Rijndael? Bwa-ha-ha-ha...

Using the artifically weakened cryptography is a very, very unwise idea.

netmail if its setup with an encryption key for the address being netmailed.

If you want to secure the messages, use GPG: although it also has similar problems with cryptographic strength, the bundle of RSA-4096, SHA2-256 and Twofish-256 still may be considered safe enough.

For securing the communications (binkd does that for years, and only my resignment from FTSC had stopped promoting that to a standard) some other techniques had been invented and implemented. And the most funny thing is implementing your "binkp+SSL" setup with binkd would require just a small editing of the config file.


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... :wq!
--- /bin/vi
* Origin: ::1 (2:5020/545)

Synchronet and Mystic support direct BINKP over SSL natively which
is a good start to securing transmission.

It's the most stupid thing that could be done.

The SSL was good 15...20 years ago, but now it doesn't conform to modern

Okay so tell me what is better than TLS 1.3 then since you seem to think you know more about security than the entire security industry. Every enterprise on the planet uses an iteration of secure socket layer most commonly TLS 1.2 in 2022.

Of course SSL doesn't stop routed netmail from being read by a SysOp in the middle though, so in this case Mystic does AES-256 encrypted

Using the artifically weakened cryptography is a very, very unwise idea.

If the widespread enterprise-level adoption of AES-256 is inferior and very very unwise for two-way encryption, then please let us (and the rest of the security world) know what should be used instead?

How will be ever protect our highly classified FidoNet netmail with the never-been-compromised AES-256? lolol

Assuming there is no future flaw discovered in the algorithm, it would take every single computer on the planet thousands of years to brute force a single AES key.

I don't think you could have possibly missed the mark any more than you did with this post lol.

... Some people have no idea what they're doing, and are really good at it!

--- Mystic BBS v1.12 A48 2022/02/17 (Windows/32)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Re: Re: Directly include binary data in messages
By: James Coyle to Alexey Vissarionov on Fri Feb 25 2022 01:10 am

Synchronet and Mystic support direct BINKP over SSL natively which is a good start to securing transmission.

It's the most stupid thing that could be done.

The SSL was good 15...20 years ago, but now it doesn't conform to modern

Okay so tell me what is better than TLS 1.3 then since you seem to think you know more about security than the entire security industry.

You both mentioned SSL, not TLS.
--
digital man (rob)

Synchronet "Real Fact" #91:
Captured chat with Wayne Bell: http://wiki.synchro.net/history:waynebell_chat Norco, CA WX: 42.9°F, 64.0% humidity, 0 mph N wind, 0.00 inches rain/24hrs
--- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Good ${greeting_time}, James!

25 Feb 2022 01:10:58, you wrote to me:

Synchronet and Mystic support direct BINKP over SSL natively

Your software fails to quote the text correctly. For example, this word:

which

^^^^^
wasn't written by me.

When quoting, the correctly written software should add one '>' character to _the_ _tail_ of existing quote prefix, so /^ XY>>/ should become /^ XY>>>/

It's the most stupid thing that could be done.
The SSL was good 15...20 years ago, but now it doesn't conform to
modern

Okay so tell me what is better than TLS 1.3 then

SSH is a really good example.

since you seem to think you know more about security than the entire security industry.

I'm _in_ that industry.

Every enterprise on the planet uses an iteration of secure socket
layer most commonly TLS 1.2 in 2022.

Here you said "enterprise"... Most of them have no other option than HTTPS.

Of course SSL doesn't stop routed netmail from being read by a

SysOp

in the middle though, so in this case Mystic does AES-256

encrypted

Using the artifically weakened cryptography is a very, very unwise
idea.

If the widespread enterprise-level adoption of AES-256 is inferior
and very very unwise for two-way encryption, then please let us (and
the rest of the security world) know what should be used instead?

For the standard: second finalist and the real winner - Twofish.
For the practical purposes: Twofish, Threefish or Grasshopper.

That's about the symmetric ciphers. Also there are hash functions much more efficient and stronger than SHA family (Skein, Streebog). And finally, the public-key algorithms I can recommend are the old good RSA (with at least 8192-bit keys, of course) and the elegant ED25519 (based on Edwards curve).

How will be ever protect our highly classified FidoNet netmail with
the never-been-compromised AES-256? lolol

AES is the standard (what a shame... american standard is based on a foreign development) prescribing the use of Rijndael algorithm.

Also, what mode do you prefer for it? CBC, CFB, CTR, ECB, GCM, XTS, or?

Assuming there is no future flaw discovered in the algorithm, it
would take every single computer on the planet thousands of years to
brute force a single AES key.

You mean the 20-years-old SP-net with fixed non-random S-blocks? I have some really bad forecast for you...

I don't think you could have possibly missed the mark any more than
you did with this post lol.

"é« Γπ»««⌐..."


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... that's why I really dislike fools.
--- /bin/vi
* Origin: ::1 (2:5020/545)

You both mentioned SSL, not TLS.

They are used interchangably in the security industry as TLS is an interation of SSL. I've worked in cyber security for decades and never once heard anyone refer to a "TLS certificate" even though technically thats what they are.

https://www.websecurity.digicert.com/security-topics/what-is-ssl-tls-https

The post he made was a "pass it around the office of cyber security exports so everyone can get a laugh" moment.

... This virus requires Microsoft Windows 3.x

--- Mystic BBS v1.12 A48 2022/02/17 (Windows/32)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Synchronet and Mystic support direct BINKP over SSL natively

When quoting, the correctly written software should add one '>'
character to _the_ _tail_ of existing quote prefix, so /^ XY>>/ should become /^ XY>>>/

Can you show me where the committee for BBS standards made this law? Because I can show you a massive history of 30 years of BBS software that disagree with you.

You can show me that right after you tell me why TLS 1.3 is unsafe to use to secure transmission via sockets which you seemed to ignore. Or why AES-256 is unsafe to use to secure FidoNet netmail despite it literally being the current recommended standard that has never been compromised.

A bogus complaint about quote format is what people do when they jump into something and are horribly off the mark. They refer with childish tactics like this because what their comments on the actual subject are complete nonsense.

... Why is the man who invests all your money called a broker?

--- Mystic BBS v1.12 A48 2022/02/17 (Windows/32)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Your software fails to quote the text correctly. For example, this word:

which

^^^^^
wasn't written by me.

Even more hilarious than your out of nowhere uninformed combative posts is that its YOUR software that quoted wrong despite you trying to be petty about a quote.

My message was properly associated to the proper initials followed by a linefeed as you can see here:

https://postimg.cc/Vdbf6GpN

I can clearly see why FTN isn't getting anywhere taking itself out of the stoneage with the posts here lol

... I know a good tagline when I steal one!

--- Mystic BBS v1.12 A48 2022/02/17 (Windows/32)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Good ${greeting_time}, James!

25 Feb 2022 12:13:30, you wrote to me:

When quoting, the correctly written software should add one '>'
character to _the_ _tail_ of existing quote prefix, so /^ XY>>/
should become /^ XY>>>/

Can you show me where the committee for BBS standards made this law?

As we are in FTSC_PUBLIC echoarea, the FTSC publication should be enough: http://ftsc.org/docs/fsc-0032.001


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... god@universe:~ # cvs up && make world
--- /bin/vi
* Origin: ::1 (2:5020/545)

//Hello James,//

on *24.02.22* at *17:01:33* You wrote in Area *FTSC_PUBLIC*
to *Tim Schattkowsky* about *"Re: Re^4: Directly include binary data in messages"*.

Synchronet and Mystic support direct BINKP over SSL natively which is a good start to securing transmission. At one point I had a opportunistic SSL version of BinkP as well.

That already helps a lot. Have to add this. However, this in the end requires some additional information for the clients to connect to be aware of SSL/TLS support !?

Of course SSL doesn't stop routed netmail from being read by a SysOp in

Thats the point. Still, it keeps the direct listeners away.

the middle though, so in this case Mystic does AES-256 encrypted netmail if its setup with an encryption key for the address being netmailed.

The key distribution is the interesting part. Also, probably one should probably employ a combination of asym/sym (e.g., RSA+AES) as usal, so the symmetric keys are used only once.

Regards,
Tim

--- WinPoint 401.1
* Origin: Original WinPoint Origin! (2:240/1120.29)

//Hello Kees,//

on *24.02.22* at *14:41:38* You wrote in Area *FTSC_PUBLIC*
to *Tim Schattkowsky* about *"Directly include binary data in messages"*.

Hello Tim!

24 Feb 22 15:19, you wrote to Wilfred van Velzen:

For private messages, there is little sense in competing with email.
Surely fidonet netmail is not going to replace email during the next 5
years. However, it makes a lot of sense to provide comparable
capabilities just to enable users to make consistent use of netmail and
echomail while having basic capabilities that are just not worse than
email 20 years ago. Currently thats not remotely the case.

E-mail has not changed either in te last 20 years. The only thing that has changed are the user clients that can now display mime encapsulated messages.

Designing a different way of encapsulation for fidonet is hardly productive. Mime encapsulation is not hostile to the content section of fidonet messages.

No changes have to have to be made to Fidonet. The only changes are at the presentation layer, wich is not subject to fidonet standards.

Kees

--- GoldED+/LNX 1.1.5--b20180707
* Origin: As for me, all I know is that, I know nothing. (2:280/5003.4)

Regards,
Tim

--- WinPoint 401.1
* Origin: Original WinPoint Origin! (2:240/1120.29)

That already helps a lot. Have to add this. However, this in the end requires some additional information for the clients to connect to be aware of SSL/TLS support !?

Yes you are right for direct SSL connections there would need to be some way for a node to know if the connection is compatible with SSL when transmitting netmail via unsecure connections.

Maybe a nodelist flag, or if not then just "trial and error" by attempting to connect to a default SSL port first before falling back to the standard BINKP port.

For these reasons, I was experimenting with opportunistic SSL for BINKP. With opportunistic SSL the connection is always on the same port and if both clients support SSL it will convert the connection prior to any authentication.

It also gives us the capability to decide if a connection should be accepted in real-time. For example, if unsecure node then maybe SSL is required otherwise known nodes can use cleartext. BINKP would be able to make decisions as to what it will and won't allow in "real-time" and then gracefully accept or refuse connections with a proper error message.

We would not require any broader changes (nodelist flags, etc) outside of BINKP client that supports opportunistic SSL extension and it is fully backwards compatible with BINKP that does not support the extension.

A nodelist flag that states that a node may require SSL would still be ideal in the long run, but we would not depend on it for this to work well.

The key distribution is the interesting part. Also, probably one should probably employ a combination of asym/sym (e.g., RSA+AES) as usal, so the symmetric keys are used only once.

I agree this would be where the challenge is for unsecure transfer. The AES in Mystic was done a while back and is a bit outdated. It does not have any way to circulate a keystore in a peer-to-peer way so it only works for known nodes.

One thing I found is that many end users didn't really seem to grasp the SSL keystores/certs/keys concepts all that well, so in Mystic I present an "Encryption password" and when that is set for a known node, Mystic will AES256 encrypt.

Behind the scenes it takes that password and then uses SHA256 to create the actual 256-bit key that is used. It uses AES256-CBC which today isn't as ideal, but it does use a randomized IV and it does have authentication of the decrypted data to help secure tampering. In 2022 a GCM version would be better though instead of using proprietary means to secure CBC.

One benefit of using this approach is that there is a lot of AES256 code available for just about any language that people can leverage, and I think that would be highly important for adoption.

... Condense soup, not books!

--- Mystic BBS v1.12 A48 2022/02/17 (Windows/32)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

//Hello James,//

on *28.02.22* at *15:15:12* You wrote in Area *FTSC_PUBLIC*
to *Tim Schattkowsky* about *"Re: Re^2: Re^4: Directly include binary data in messages"*.

That already helps a lot. Have to add this. However, this in the end
requires some additional information for the clients to connect to be
aware of SSL/TLS support !?

Yes you are right for direct SSL connections there would need to be some way for a node to know if the connection is compatible with SSL when transmitting netmail via unsecure connections.

Maybe a nodelist flag,

That was my first thought as well.

or if not then just "trial and error" by attempting to connect to a default SSL port first before falling back to the standard BINKP port.

Better than the nodelist flag. Should be another "unused" port ...

For these reasons, I was experimenting with opportunistic SSL for BINKP. With opportunistic SSL the connection is always on the same port and if both clients support SSL it will convert the connection prior to any authentication.

Before it comes up (there is always a troll): probably TLS rather than SSL, but admittedly I also someimes keep talkin about SSL when referring whatever session layer protocol is actually in charge. Educated people know what its about ...

It also gives us the capability to decide if a connection should be accepted in real-time. For example, if unsecure node then maybe SSL is required otherwise known nodes can use cleartext.

I am not sure if this makes sense. So you want to use an unsecured connection to have the session password transmitted? ;)

BINKP would be able to make decisions as to what it will and won't allow in "real-time" and then gracefully accept or refuse connections with a proper error message.

This brings us to a potential integration into BinkP itself. That would server the above issues, but overall it is more compliated to implement and does not hide the nature of the communication itself, which maybe a point. (I already see VPN arguments coming up ...)

We would not require any broader changes (nodelist flags, etc) outside of BINKP client that supports opportunistic SSL extension and it is fully backwards compatible with BINKP that does not support the extension.

Not relying on the nodelist would be a big plus. I also think, it is more desirable to have something that works out-of-the-box if both systems are compatible without any additional infrastructure/metadata/explicit configuration.

A nodelist flag that states that a node may require SSL would still be ideal in the long run, but we would not depend on it for this to work well.

Having it for information purpose is fine.

The key distribution is the interesting part. Also, probably one should
probably employ a combination of asym/sym (e.g., RSA+AES) as usal, so
the symmetric keys are used only once.

I agree this would be where the challenge is for unsecure transfer. The AES in Mystic was done a while back and is a bit outdated. It does not have any way to circulate a keystore in a peer-to-peer way so it only works for known nodes.

One thing I found is that many end users didn't really seem to grasp the SSL keystores/certs/keys concepts all that well, so in Mystic I present
an "Encryption password" and when that is set for a known node, Mystic will AES256 encrypt.

Behind the scenes it takes that password and then uses SHA256 to create the actual 256-bit key that is used. It uses AES256-CBC which today
isn't as ideal, but it does use a randomized IV and it does have authentication of the decrypted data to help secure tampering. In 2022 a GCM version would be better though instead of using proprietary means to secure CBC.

One benefit of using this approach is that there is a lot of AES256 code available for just about any language that people can leverage, and I think that would be highly important for adoption.

Jep, straightforward. However, it is not ideal from a security and usability perspective. (No, I have no better proposal at hand for now).

Regards,
Tim

--- WinPoint 401.1
* Origin: Original WinPoint Origin! (2:240/1120.29)

Hello Tim!

28 Feb 22 17:54, you wrote to James Coyle:

A nodelist flag that states that a node may require SSL would
still be ideal in the long run, but we would not depend on it for
this to work well.

Having it for information purpose is fine.

You could use an oportunistic approach and use the nodelist flag to (if you with your system want to) enforce the use of SSL on a system, that claims to support it on outgoing calls.

Regards,
Tim

Regards,
Joachim


--- GoldED+/LNX 1.1.5--b20170303
* Origin: ----> FidoPI (2:240/6309)

or if not then just "trial and error" by attempting to connect to a default SSL port first before falling back to the standard BINKP TS> JC> TS> JC> TS> JC> port

Better than the nodelist flag. Should be another "unused" port ...

Agreed! Current Mystic defaults to port 24553 for direct SSL. I believe Synchronet may use the same default but Rob could probably clarify.

Before it comes up (there is always a troll): probably TLS rather than SSL, but admittedly I also someimes keep talkin about SSL when referring whatever session layer protocol is actually in charge. Educated people know what its about ...

Fair enough. To be clearer Mystic only supports TLS 1.2 in its SSL BINKP implementation and it should be the minimum version allowed as per current security recommendations.

I am not sure if this makes sense. So you want to use an unsecured connection to have the session password transmitted? ;)

I was just making an example, but what I meant was you could configure if you accept non-SSL connections for unknown (unsecured) echomail nodes vs known (secured) echomail nodes. This would not be something we could do with a direct SSL connection.

Just trying to outline some of the benefits of the opportunistic approach :)

This brings us to a potential integration into BinkP itself. That would server the above issues, but overall it is more compliated to implement and does not hide the nature of the communication itself, which maybe a point. (I already see VPN arguments coming up ...)

True it does not hide the initial nature of the communication as you have said, and this I would agree is probably its only real flaw. But I feel the trade off is that it will work without user awareness or configuration.

Even with direct-connection TLS 1.2 BINKP in Mystic many people still do not use it. Realistically if we want the network to be more secure, then making it opportunistic and automatic may be the best compromise?

I think we may have to decide if we care about hiding the fact that a FidoNet node even exists, or if (instead) we want widely adopted better security within the network.

Jep, straightforward. However, it is not ideal from a security and usability perspective. (No, I have no better proposal at hand for now).

Can you expand on why you think AES-256 is not ideal from a security perspective? Or did you just mean the CBC + random IV + authentication workaround?

There are alternatives but none of them have had huge enterprise adoption and decades of scruinty from the best cryptographers in the world. There is something to be said about anything in the security industry that has had that type of exposure and is still regarded as safe.

Newer things may in theory be technically better, but its only theoretical. These do not have the adoption or decades of scrutiny and could be exposed at any time. It is risky to assume newer is better when the "old" hasn't been broken.

Similar arguements could be made for using hashes like SHA256 vs others, for example. Mystic uses a PBKDF2 with SHA512 for user passwords for example and I still question if using SHA512 was a mistake for those reasons.

In terms of Netmail the subject line in a Mystic encrypted netmail contains version levels, flags, and some verification data which could be used to support multiple types of encryption in the future while still being backwards compatible.

... If you choose not to decide, you still have made a choice

--- Mystic BBS v1.12 A48 2022/02/28 (Windows/64)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Re: Re: Re^2: Re^4: Directly include binary data in messages
By: James Coyle to Tim Schattkowsky on Mon Feb 28 2022 10:15 am

For these reasons, I was experimenting with opportunistic SSL for BINKP. With opportunistic SSL the connection is always on the same port and if both clients support SSL it will convert the connection prior to any authentication.

FYI, a few years ago, I applied for an IANA sanctioned TCP port number assignment for BINKPS (BINKP over implicit TLS, e.t port 24553). After a few back-and-forths, this was their final answer:
-=-=-=-=-=-
We have a response from the expert:

The reviews for port assignments is subject to RFCs 6335 and 7605. We have provided advice according to those docs.

The way forward that has been chosen and deployed is not consistent with those docs; we therefore do not recommend approval of the request.
-=-=-=-=-=-

So it looks like explicit/opportunistic TLS (e.g. STARTTLS) is the future for BINKP if it's going to become any kind of Internet standard.
--
digital man (rob)

Synchronet "Real Fact" #86:
Stephen and Rob have a fledgling podcast at http://techdorks.net (also iTunes) Norco, CA WX: 78.8°F, 11.0% humidity, 8 mph W wind, 0.00 inches rain/24hrs
--- SBBSecho 3.15-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: Re^2: Re^2: Re^4: Directly include binary data in messages
By: Tim Schattkowsky to James Coyle on Mon Feb 28 2022 05:54 pm

That was my first thought as well.

or if not then just "trial and error" by attempting to connect to a default SSL port first before falling back to the standard BINKP port.

Better than the nodelist flag. Should be another "unused" port ...

That method is called "implicit TLS" and is frowned upon by the Internet-powers-that-be, likely because of the finite number of available TCP ports. See my previous post on this topic. :-(
--
digital man (rob)

Synchronet/BBS Terminology Definition #87:
XJS = External JavaScript (SSJS embedded within HTML/CSS)
Norco, CA WX: 78.8°F, 11.0% humidity, 8 mph W wind, 0.00 inches rain/24hrs
--- SBBSecho 3.15-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

FYI, a few years ago, I applied for an IANA sanctioned TCP port number assignment for BINKPS (BINKP over implicit TLS, e.t port 24553). After a few back-and-forths, this was their final answer:

Well the answer sucks, but your foresight in this issue was awesome :)

So it looks like explicit/opportunistic TLS (e.g. STARTTLS) is the
future for BINKP if it's going to become any kind of Internet standard.

I hadn't considered the IANA aspect of this. I have no experience with that stuff so naturally I yield to those who do. Is it a dead end to try again?

I can see BINKPS not having a large enough use-case to warrant a port. But if they did give us BINKP port then I feel there is a case to be made that they must also support the secure version of it.

If you are still willing to support a STARTTLS BINKP I am down to pick that up again and work on something together (and with whoever else wants to join in). I can look for a backup of the code that did it (this weekend) and send something your way, or we can start from scratch... Whatever works for you.

... Just another prisoner of gravity!

--- Mystic BBS v1.12 A48 2022/02/28 (Windows/64)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Good ${greeting_time}, Rob!

28 Feb 2022 12:58:50, you wrote to James Coyle:

FYI, a few years ago, I applied for an IANA sanctioned TCP port
number assignment for BINKPS (BINKP over implicit TLS, e.t port
24553). After a few back-and-forths, this was their final answer:

The reviews for port assignments is subject to RFCs 6335 and 7605.
We have provided advice according to those docs. The way forward
that has been chosen and deployed is not consistent with those
docs; we therefore do not recommend approval of the request.

Very predictable. There are only 65534 ports, and reserving them to some specific applications is very unwise.

That's why SRV NS RRs were invented (and documented by FTSC since 2013).

So it looks like explicit/opportunistic TLS (e.g. STARTTLS) is
the future for BINKP if it's going to become any kind of Internet standard.

For now, we have two working implementations for encrypted connection - SSH, supported by binkd since version 1.1a-22 released in 2013, and SSL/TLS, supported by binkd since the same version (requires a companion software to accept incoming connections, but may run on HTTPS port in conjunction with nginx) and Mystic (as JC wrote earlier).

The use of SSH and HTTPS ports has an advantage of multiplexing the incoming connections among different applications.


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... that's why I really dislike fools.
--- /bin/vi
* Origin: ::1 (2:5020/545)

Re: Re: Re^2: Re^4: Directly include binary data in messages
By: James Coyle to Rob Swindell on Mon Feb 28 2022 05:05 pm

FYI, a few years ago, I applied for an IANA sanctioned TCP port number assignment for BINKPS (BINKP over implicit TLS, e.t port 24553). After a few back-and-forths, this was their final answer:

Well the answer sucks, but your foresight in this issue was awesome :)

It was worth a try. :-)

So it looks like explicit/opportunistic TLS (e.g. STARTTLS) is the future for BINKP if it's going to become any kind of Internet standard.

I hadn't considered the IANA aspect of this. I have no experience with that stuff so naturally I yield to those who do. Is it a dead end to try again?

Yeah, I think so. Their protecting the assigned port numbers like they're Fort Knox and their ammunition is RFCs 6335 and 7605. :-)

I can see BINKPS not having a large enough use-case to warrant a port. But if they did give us BINKP port then I feel there is a case to be made that they must also support the secure version of it.

That's the case I was trying to make (along with all the other "prior art" of insecure Internet protocols that have an alternate/secure port for implicit TLS connections, e.g. telnets) - but they weren't buying it.

If you are still willing to support a STARTTLS BINKP I am down to pick that up again and work on something together (and with whoever else wants to join in). I can look for a backup of the code that did it (this weekend) and send something your way, or we can start from scratch... Whatever works for you.

Yeah, we should do that. :-) I have a number of STARTTLS implementations in Synchronet already (e.g. SMTPS, FTPS), so I don't expect it'd be much different, thought I suppose this would be the first one I'd do in JavaScript (since BinkIT is written in JS).
--
digital man (rob)

Synchronet/BBS Terminology Definition #90:
UTF-8 = 8-bit Unicode Transformation Format
Norco, CA WX: 72.2°F, 13.0% humidity, 0 mph ENE wind, 0.00 inches rain/24hrs --- SBBSecho 3.15-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

That's the case I was trying to make (along with all the other "prior
art" of insecure Internet protocols that have an alternate/secure port
for implicit TLS connections, e.g. telnets) - but they weren't buying it.

Sounds like you gave them really the only legs we had to stand on and it failed. Thats a shame, but at least we know.

Yeah, we should do that. :-) I have a number of STARTTLS implementations in Synchronet already (e.g. SMTPS, FTPS), so I don't expect it'd be much different, thought I suppose this would be the first one I'd do in JavaScript (since BinkIT is written in JS).

Yep it shouldn't be too difficult. I also have it working for some protocols like POP3/SMTP in Mystic. I don't think my FTP does it though so maybe I can look into that after this since it'd also probably benefit DoveNet security.

I have a document with an outline and some requirements/notes for TLS BINKP that I can e-mail you. It might save us a little time not having to reinvent the entire wheel, assuming you think its usable of course :)

Maybe once we agree on what we want to do and have it working then we can clean it up and circulate it or make a proposal or whatever?

Is there a preferred e-mail you like to use? Or I could Netmail whatever works best.

... The person who snores the loudest will fall asleep first

--- Mystic BBS v1.12 A48 2022/02/28 (Windows/64)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Re: Re: Re^2: Re^4: Directly include binary data in messages
By: James Coyle to Rob Swindell on Tue Mar 01 2022 05:53 pm

Yeah, we should do that. :-) I have a number of STARTTLS implementations in Synchronet already (e.g. SMTPS, FTPS), so I don't expect it'd be much different, thought I suppose this would be the first one I'd do in JavaScript (since BinkIT is written in JS).

Yep it shouldn't be too difficult. I also have it working for some protocols like POP3/SMTP in Mystic. I don't think my FTP does it though so maybe I can look into that after this since it'd also probably benefit DoveNet security.

I never bothered with FTPS in my ftp client modules (e.g. for QWK packet transfers) that's a thought for a future enhancement though.

I have a document with an outline and some requirements/notes for TLS BINKP that I can e-mail you. It might save us a little time not having to reinvent the entire wheel, assuming you think its usable of course :)

Yeah, absolutely.

Maybe once we agree on what we want to do and have it working then we can clean it up and circulate it or make a proposal or whatever?

Yeah, I think that's what this FTSC thing is all about. :-)

Is there a preferred e-mail you like to use? Or I could Netmail whatever works best.

Sure, either way. rob at synchro dot net or FTN netmail. They end up in the same inbox.
--
digital man (rob)

Sling Blade quote #1:
Karl: I've killed Doyle with a lawn mower blade. Yes, I'm right sure of it. Norco, CA WX: 70.5°F, 25.0% humidity, 10 mph SE wind, 0.00 inches rain/24hrs --- SBBSecho 3.15-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Sure, either way. rob at synchro dot net or FTN netmail. They end up in the same inbox.

Cool deal I will send it along.

I ended up having a backup of the code and the document so I put it all back into Mystic this evening. I am in the process of putting up a build for anyone to test that supports the STARTTLS implementation of the document I will send.

I haven't tested it much though just enough to see it actually work once between a Mystic client/server.

The documentation is a bit sloppy, not really intended to be anything formal.

... This virus requires Microsoft Windows 3.x

--- Mystic BBS v1.12 A48 2022/03/01 (Windows/32)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

Re: Re: Directly include binary data in messages
By: James Coyle to Alexey Vissarionov on Fri Feb 25 2022 12:13 pm

Synchronet and Mystic support direct BINKP over SSL natively

When quoting, the correctly written software should add one '>' character to _the_ _tail_ of existing quote prefix, so /^ XY>>/ should become /^ XY>>>/

Can you show me where the committee for BBS standards made this law? Because can show you a massive history of 30 years of BBS software that disagree wit you.

You can show me that right after you tell me why TLS 1.3 is unsafe to use to secure transmission via sockets which you seemed to ignore. Or why AES-256 unsafe to use to secure FidoNet netmail despite it literally being the curre recommended standard that has never been compromised.

A bogus complaint about quote format is what people do when they jump into something and are horribly off the mark. They refer with childish tactics l this because what their comments on the actual subject are complete nonsense

... Why is the man who invests all your money called a broker?

OH NO! Not the quoting police again!

xxcarol
--- SBBSecho 2.11-Win32
* Origin: SHENK'S EXPRESS telnet://shenks.synchro.net (1:275/100)

//Hello James,//

on *02.03.22* at *4:36:01* You wrote in Area *FTSC_PUBLIC*
to *Rob Swindell* about *"Re: Re^2: Re^4: Directly include binary data in messages"*.

Sure, either way. rob at synchro dot net or FTN netmail. They end up in
the same inbox.

Cool deal I will send it along.

I ended up having a backup of the code and the document so I put it all back into Mystic this evening. I am in the process of putting up a build for anyone to test that supports the STARTTLS implementation of the document I will send.

I haven't tested it much though just enough to see it actually work once between a Mystic client/server.

The documentation is a bit sloppy, not really intended to be anything formal.

So is there now any implementation BinkP implementation using STARTTLS and what are the details?

BTW: RFC8314 suggests already in the introduction that for email, implicit TLS should be preferred over STARTTLS :)

Regards,
Tim

--- WinPoint 407.1
* Origin: Original WinPoint Origin! (2:240/1120.29)

So is there now any implementation BinkP implementation using STARTTLS
and what are the details?

BTW: RFC8314 suggests already in the introduction that for email,
implicit TLS should be preferred over STARTTLS :)

I've been following this thread for some time, and I don't understand how it concerns our FTN network.

Isn't it a simple matter of how the FTN editors can handle it?

More and more of us are using e.g. Thunderbird as the editor of choice, the only editor I know that has thousands of people still working to perfect it.

I can easily copy an image into a message of mine here, and so can you when you reply to an email from your friend. The only reason I'll not demonstrate how easy it is here, is I don't want to cause any problems for all those still using archaic BBS FTN editors, often BASIC based creations by teenagers from the Fidonet heydays.

Methinks that you are trying to fix an FTN problem from 30+ years ago, and that'll only concern those who insist on using editors from that time. Why would we concern ourselves with that, rather than looking into the future?

..

--- Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.1.16) Gecko/20101125
* Origin: news://eljaco.se:4119 (2:203/2)

So is there now any implementation BinkP implementation using STARTTLS
and what are the details?

BTW: RFC8314 suggests already in the introduction that for email,
implicit TLS should be preferred over STARTTLS :)

Yes there is. I did a STARTTLS-enabled BINKP a few years ago and its currently available in Mystic that you can download here:

http://www.mysticbbs.com/downloads/prealpha/

I have sent the documentation over to Rob for implementation and/or feedback but I didn't want to post it here yet to avoid trolling. I'd be happy to e-mail it along to you as well if you're interested in supporting it!

BTW: RFC8314 suggests already in the introduction that for email,
implicit TLS should be preferred over STARTTLS :)

Implicit would be great (and Mystic actually implements both implicit and opportunistic TLS v1.2 with BINKP), but the problem with implicit is two-fold:

1) For mass adoption, having a self-upgrading connection is probably the most realistic to be used. In other words, existing setups wouldn't have to be changed in order to support it. No additional nodelist flags, etc, would be needed. It wouldn't break any existing systems while those that support it would simply just work.

2) The IANA has denied officially giving us a port for BINKPS, which means that implicit SSL can never be an official standard unless they were to some how be persuaded to change their mind.

Mostly due to #2 it seems to me like the best approach for us to move forward would be to adopt Mystic's opportunistic TLS or some variation of it. Or to support both, ideally?

... That's not a bug, it's an undocumented feature

--- Mystic BBS v1.12 A48 2022/03/14 (Windows/64)
* Origin: Sector 7 * Mystic WHQ (1:129/215)

//Hello Bjoern,//

on *21.03.22* at *19:04:14* You wrote in Area *FTSC_PUBLIC*
to *Tim Schattkowsky* about *"Directly include binary data in messages"*.

So is there now any implementation BinkP implementation using STARTTLS
and what are the details?

BTW: RFC8314 suggests already in the introduction that for email,
implicit TLS should be preferred over STARTTLS :)

I've been following this thread for some time, and I don't understand how it concerns our FTN network.

You probably missed that we (no matter what the subject says) actually discussed, how BinkP connections can be secured by TLS?

Unless I missed something, the messages people write are currently mostly transported using BinkP, which makes this sort of relevant.

Regards,
Tim

--- WinPoint 408.0
* Origin: Original WinPoint Origin! (2:240/1120.29)

You probably missed that we (no matter what the subject says) actually discussed, how BinkP connections can be secured by TLS?

The conversation in here has bounced back and forth between secure transport and embedding things like images. So I can see how he replied to something different than the message he actually replied to.

I'm still baffled by the "more and more of us are using Thunderbird."


- Andre
--- SBBSecho 3.15-Linux
* Origin: Radio Mentor BBS - bbs.radiomentor.org (1:154/70)

Good ${greeting_time}, Tim!

21 Mar 2022 22:33:52, you wrote to Björn Felten:

BTW: RFC8314 suggests already in the introduction that for
email, implicit TLS should be preferred over STARTTLS :)

I've been following this thread for some time, and I don't
understand how it concerns our FTN network.

You probably missed that we (no matter what the subject says)
actually discussed, how BinkP connections can be secured by TLS?

TLS is not about the security - it is (really "was") mostly about the mutual authentification. It could work as designed (in the era of SSL 2.0 and before), but the emerge of HTTPS killed some key features of it.

Unless I missed something, the messages people write are currently
mostly transported using BinkP, which makes this sort of relevant.

You appear to be missing the key point: binkp is defined by its' reference implementation (binkd), and the FTS-1026 plays the secondary role.

#include <FTA-1006>

Yes, it _may_ support SSL/TLS.
Yes, it _may_ even share the inbound port with HTTPS.
Yes, it _may_ be set up to circumvent most barriers in the modern Internet.

But if you want to implement some of these features somewhere else, you _must_ know how that's implemented in binkd.


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... :wq!
--- /bin/vi
* Origin: ::1 (2:5020/545)

//Hello Alexey,//

on *21.03.22* at *22:55:50* You wrote in Area *FTSC_PUBLIC*
to *Tim Schattkowsky* about *"Directly include binary data in messages"*.

TLS is not about the security - it is (really "was") mostly about the mutual authentification. It could work as designed (in the era of SSL 2.0 and before), but the emerge of HTTPS killed some key features of it.

- TLS (Transport Layer *Security*) is besides authentication about establishing an encrypted connection between endpoints, just like its predecessor SSL (*Secure* Socket Layers)
- HTTPS (Hypertext Transfer Protocol *Secure*) is HTTP over a secured connection (SSL or TLS)

Unless I missed something, the messages people write are currently
mostly transported using BinkP, which makes this sort of relevant.

You appear to be missing the key point: binkp is defined by its'
reference implementation (binkd), and the FTS-1026 plays the secondary role.

Totally not helpful comment ;)

Regards,
Tim

--- WinPoint 408.0
* Origin: Original WinPoint Origin! (2:240/1120.29)

Re: Re: Re^8: Directly include binary data in messages
By: James Coyle to Tim Schattkowsky on Mon Mar 21 2022 03:16 pm

So is there now any implementation BinkP implementation using STARTTLS and what are the details?

BTW: RFC8314 suggests already in the introduction that for email, implicit TLS should be preferred over STARTTLS :)

Yes there is. I did a STARTTLS-enabled BINKP a few years ago and its currently available in Mystic that you can download here:

http://www.mysticbbs.com/downloads/prealpha/

I have sent the documentation over to Rob for implementation and/or feedback but I didn't want to post it here yet to avoid trolling. I'd be happy to e-mail it along to you as well if you're interested in supporting it!

I haven't made the time to experiment with STARTTLS support in Synchronet's BinkIT yet. I will and get back to you.

BTW: RFC8314 suggests already in the introduction that for email, implicit TLS should be preferred over STARTTLS :)

Implicit would be great (and Mystic actually implements both implicit and opportunistic TLS v1.2 with BINKP), but the problem with implicit is two-fold:

1) For mass adoption, having a self-upgrading connection is probably the most realistic to be used. In other words, existing setups wouldn't have to be changed in order to support it. No additional nodelist flags, etc, would be needed. It wouldn't break any existing systems while those that support it would simply just work.

2) The IANA has denied officially giving us a port for BINKPS, which means that implicit SSL can never be an official standard unless they were to some how be persuaded to change their mind.

Mostly due to #2 it seems to me like the best approach for us to move forward would be to adopt Mystic's opportunistic TLS or some variation of it. Or to support both, ideally?

Yeah, there's really no downside to supporting both, unless the STARTTLS implementation is somehow determined to be less secure. But we'll work to make sure that's not the case.
--
digital man (rob)

Synchronet/BBS Terminology Definition #67:
SCFG = Synchronet Configuration Utility
Norco, CA WX: 85.7°F, 21.0% humidity, 12 mph SE wind, 0.00 inches rain/24hrs --- SBBSecho 3.15-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)