• Security

    From Michiel van der Vlist@2:280/5555 to Alan Ianson on Sunday, May 03, 2020 15:52:58
    Hello Alan,

    On Sunday May 03 2020 02:43, you wrote to me:

    Even more: I say binkds is overkill.

    Binkp over TLS is secure and provides privacy in a new and robust way.

    Security against what threats and privacy against which snooping eyes?

    The biggest potential invasion of privacy in Fidonet is sysops snooping on in-transit mail. TLS does not protect against that. The best strategy against snooping governments is to not be of interest. I doubt TLS is safe against the resources of governments.

    It's a natural movement forward.

    Binkd already has built-in encryption. I do not think the added value of TLS is worth the effort and overhead. Not for Fidonet...

    It's not easy to do in all mailers, but if it was and it was supported
    and available by your links and your own mailer would you use it?

    I don't know. If I'd have to go through the hassle of getting a certificate and pay for it and renew it every two years, probably not. And I do not trust LetsEncrypt.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: http://www.vlist.eu (2:280/5555)
  • From Alan Ianson@1:153/757 to Michiel van der Vlist on Sunday, May 03, 2020 11:39:54
    Hello Michiel,

    Binkp over TLS is secure and provides privacy in a new and robust
    way.

    Security against what threats and privacy against which snooping eyes?

    Actually, TLS is not really new. It started as SSL from a bygone era and TLS is what we have today. It has and continues to evolve.

    Snooping eyes are everywhere. They are unseen doing I don't know what. We have the technology and I suggest we use it. It already exists so we don't have to develop anything at all, we just need to support it.

    The biggest potential invasion of privacy in Fidonet is sysops
    snooping on in-transit mail. TLS does not protect against that.

    That is true. We could (and I'm surprised we haven't) develop a way to encrypt transit mail if we wanted to.

    Mystic does this. It has support for this by using an AES256 encryption key between links. If Mystic operators use this feature, netmail between nodes is encrypted. I think this all happens when tossing, so it (or something like it) could be used in Fidonet generally if the software supports it. I'm not sure if that would be better implemented in the mailer or tosser. Probably the tosser.

    The best strategy against snooping governments is to not be of
    interest. I doubt TLS is safe against the resources of governments.

    TLS is open source. Governments could outlaw it if they wanted to raise the ire of the people but I don't think that is going to happen.

    It's a natural movement forward.

    Binkd already has built-in encryption. I do not think the added value
    of TLS is worth the effort and overhead. Not for Fidonet...

    That was a very good addition that the binkd developers added to binkd at the time. It was powerful and ahead of its time. That must have been twenty years ago, when SSL was not largely known or easy to implement.

    That algorithm was also cracked about 20 years ago. It's still better than nothing but TLS would be a good addition today. The crypt option does not provide security today.

    It's not easy to do in all mailers, but if it was and it was
    supported and available by your links and your own mailer would
    you use it?

    I don't know. If I'd have to go through the hassle of getting a certificate and pay for it and renew it every two years, probably
    not. And I do not trust LetsEncrypt.

    It's possible to use a self signed certificate. I don't know the ramifications of a self signed certificate vs letsencrypt but it might provide the security and privacy we need.

    Currently I use a certificate from letsencrypt.

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)
  • From Rob Swindell to Michiel van der Vlist on Sunday, May 03, 2020 13:13:33
    Re: Security
    By: Michiel van der Vlist to Alan Ianson on Sun May 03 2020 03:52 pm

    Hello Alan,

    On Sunday May 03 2020 02:43, you wrote to me:

    Even more: I say binkds is overkill.

    Binkp over TLS is secure and provides privacy in a new and robust way.

    Security against what threats and privacy against which snooping eyes?

    If the threats/snooping-eyes announced their presence and intentions, they wouldn't be very effective, now would they?

    The biggest potential invasion of privacy in Fidonet is sysops snooping on in-transit mail. TLS does not protect against that.

    The second sentence is true.

    The best strategy
    against snooping governments is to not be of interest.

    False. You're *already* being snooped on by governments and you're not interesting at all. You seem to be a very trusting person.

    I doubt TLS is safe against the resources of governments.

    It seems to be effective enough for data in-flight that they (resources of governments) usually go after the persistent data on either end of the transport instead.

    It's a natural movement forward.

    Binkd already has built-in encryption.

    ... which is terrible.

    I do not think the added value of TLS is worth the effort and overhead.

    It was very little effort and unnoticeable overhead.

    Not for Fidonet...

    For Fidonet proper, possibly true (though that depends on the content of your netmail messages). For FTN, likely false.

    It's not easy to do in all mailers, but if it was and it was supported and available by your links and your own mailer would you use it?

    I don't know. If I'd have to go through the hassle of getting a certificate and pay for it and renew it every two years, probably not.

    Free certs are available.

    And I do not trust LetsEncrypt.

    Now you don't sound like a very trusting person. That was a quick turn around.


    digital man

    Synchronet "Real Fact" #56:
    Synchronet Terminal Server introduced SecureShell (SSH) support w/v3.14a (2006).
    Norco, CA WX: 74.9°F, 50.0% humidity, 11 mph ESE wind, 0.00 inches rain/24hrs
  • From Tony Langdon@3:633/410 to Alan Ianson on Monday, May 04, 2020 08:40:00
    On 05-03-20 11:39, Alan Ianson wrote to Michiel van der Vlist <=-

    It's possible to use a self signed certificate. I don't know the ramifications of a self signed certificate vs letsencrypt but it might provide the security and privacy we need.

    Encryption will be fine, but self signed just means you can't trust the other end to be who they say they are. But that's a call the BBS networks have to make.

    Currently I use a certificate from letsencrypt.

    I'm not currently running binkps. It's been a moving target, and as I've said, I won't bother jumping through hoops and binkd doesn't yet support TLS natively (that I'm aware of).


    ... Skating away on the thin ice of a new day...
    === MultiMail/Win v0.51
    --- SBBSecho 3.10-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Oli@2:280/464.47 to Tony Langdon on Monday, May 04, 2020 11:50:20
    Tony wrote (2020-05-04):

    It's possible to use a self signed certificate. I don't know the
    ramifications of a self signed certificate vs letsencrypt but it
    might provide the security and privacy we need.

    Encryption will be fine, but self signed just means you can't trust the other end to be who they say they are.

    Works fine with SSH. Trust on first use (TOFU) works with TLS too. There is also DANE / TLSA-records to put the (hash of the) public key in DNS. You could also put it in the nodelist itself.

    But that's a call the BBS networks have to make.

    This is like: that's a call the Internet has to make.

    Currently I use a certificate from letsencrypt.

    I'm not currently running binkps. It's been a moving target, and as I've said, I won't bother jumping through hoops and binkd doesn't yet support TLS natively (that I'm aware of).

    Native support in binkd would be nice, on the other hand the workarounds are not that difficult.

    Outgoing connections are easy with binkd:

    node 5:6/7@fidonet -pipe "gnutls-cli --logfile /dev/null --no-ca-verification --strict-tofu --disable-sni *H:24553"

    Incoming connections with haproxy are three lines (works for every mailer):

    listen binkps
    bind :::24553 ssl crt fidonet.pem
    server binkd 127.0.0.1:24554

    Synchronet's BinkIT does support TLS already. But only jumping through hoops (with binkd) gives you TLS 1.3 connections.

    ---
    * Origin: (2:280/464.47)
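    The trust-on-first-use pinning Oli describes (what gnutls-cli --strict-tofu does for the outgoing binkd pipe), with a nodelist- or DANE-published pin as the stricter alternative, written out as an added Python example that is not Oli's, binkd's or gnutls-cli's code. It assumes the pin is the SHA-256 of the DER certificate (the TLSA 3 0 1 form); SAMPLE_DER is a constructed placeholder and fetch_der is a hypothetical helper for live use.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Optional

# Constructed placeholder standing in for a peer's DER-encoded certificate
# (not a real X.509 blob; a live run would use fetch_der() instead).
SAMPLE_DER = b"constructed-placeholder-der-certificate-for-node-5:6/7"


def tlsa_3_0_1(der: bytes) -> str:
    """SHA-256 of the full certificate, the same digest a DANE 'TLSA 3 0 1'
    record (or a nodelist entry) would publish for the peer."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 24553) -> bytes:
    """Hypothetical live helper, not exercised offline: fetch the peer's
    certificate without CA validation, like gnutls-cli --no-ca-verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # identity is checked by the pin, not a CA
    with socket.create_connection((host, port), timeout=30) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def tofu_check(store: Dict[str, str], node: str, der: bytes,
               published_pin: Optional[str] = None) -> str:
    """Decide whether a session to `node` may proceed.

    published_pin: digest distributed out of band (DNS TLSA or the nodelist);
    when present it wins over the local store. Otherwise behave like
    --strict-tofu: remember the first certificate, refuse any later change.
    Returns 'pinned', 'match' or 'mismatch'; callers abort on 'mismatch'.
    """
    fingerprint = tlsa_3_0_1(der)
    expected = published_pin if published_pin is not None else store.get(node)
    if expected is None:
        store[node] = fingerprint          # first use: learn and trust
        return "pinned"
    if hmac.compare_digest(expected, fingerprint):
        return "match"
    return "mismatch"                      # keep the old pin; do not overwrite
```

A real deployment would persist `store` to disk and log every 'mismatch' with both digests, since a changed certificate is either a legitimate renewal or an interposed endpoint and the sysop has to decide which.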
  • From Tony Langdon@3:633/410 to Oli on Monday, May 04, 2020 21:22:00
    On 05-04-20 11:50, Oli wrote to Tony Langdon <=-

    Works fine with SSH. Trust on first use (TOFU) works with TLS too.
    There is also DANE / TLSA-records to put the (hash of the) public key
    in DNS. You could also put it in the nodelist itself.

    Yep, I can see that working.

    node 5:6/7@fidonet -pipe "gnutls-cli --logfile /dev/null --no-ca-verification --strict-tofu --disable-sni *H:24553"

    Incoming connections with haproxy are three lines (works for every mailer):

    listen binkps
    bind :::24553 ssl crt fidonet.pem
    server binkd 127.0.0.1:24554

    Will need tweaking, because binkd doesn't listen on 127.0.0.1 (or ::1). :) I'll use the LAN IP binkd listens on. I assume all those tools support IPv6 these days too.

    Synchronet's BinkIT does support TLS already. But only jumping through hoops (with binkd) gives you TLS 1.3 connections.

    Fair enough. I may look into it further.


    ... It's people like you who make people like me above average.
    === MultiMail/Win v0.51
    --- SBBSecho 3.10-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Michiel van der Vlist@2:280/5555 to Alan Ianson on Tuesday, May 05, 2020 09:45:25
    Hello Alan,

    On Sunday May 03 2020 11:39, you wrote to me:

    Security against what threats and privacy against which snooping
    eyes?

    Actually, TLS is not really new. It started as SSL from a bygone era
    and TLS is what we have today. It has and continues to evolve.

    I know TLS is not new.

    Snooping eyes are everywhere. They are unseen doing I don't know what.
    We have the technology

    Do we? Or do we just think we have? If you do not know against what or whom you are protecting, how do you know the defence is effective? Or if it is working at all?

    The biggest potential invasion of privacy in Fidonet is sysops
    snooping on in-transit mail. TLS does not protect against that.

    That is true. We could (and I'm surprised we haven't) develop a way to encrypt transit mail if we wanted to.

    We have already had that for 25 years. I already used PGP to encrypt netmail in the mid nineties. I wrote a utility for it that scanned *.msg for certain strings and called PGP to encrypt the text. The problem was that few sysops would route encrypted mail....

    Mystic does this. It has support for this by using an AES256
    encryption key between links. If Mystic operators use this feature
    netmail between nodes is encrypted. I think this all happens when
    tossing so it (or something like it) could be used in Fidonet
    generally if the software supports it. I'm not sure if that would be better implemented in the mailer or tosser. Probably the tosser.

    Probably a dedicated utility like my IMCRYPT.

    The best strategy against snooping governments is to not be of
    interest. I doubt TLS is safe against the resources of governments.

    TLS is open source.

    These days open source is no guarantee that you know exactly what is going on. There is too much under the hood...

    Governments could outlaw it if they wanted to

    But they don't, so I suspect they have already cracked it or have other ways to circumvent it.

    raise the ire of the people but I don't think that is going to happen.

    It's a natural movement forward.

    Binkd already has built-in encryption. I do not think the added
    value of TLS is worth the effort and overhead. Not for Fidonet...

    That was a very good addition that the binkd developers added to binkd
    at the time. It was powerful and ahead of its time.
    [..]
    That algorithm was also cracked about 20 years ago. It's still better
    than nothing but TLS would be a good addition today. The crypt option
    does not provide security today.

    I know it is not perfect. But so are the locks on my house. They are not perfect. They will not stop a sufficiently equipped and determined intruder. But they will stop enough.

    It's not easy to do in all mailers, but if it was and it was
    supported and available by your links and your own mailer would
    you use it?

    I don't know. If I'd have to go through the hassle of getting a
    certificate and pay for it and renew it every two years,
    probably not. And I do not trust LetsEncrypt.

    It's possible to use a self signed certificate.

    That is the equivalent of someone saying "trust me". I never trust people who say that.

    I don't know the ramifications of a self signed certificate vs
    letsencrypt but it might provide the security and privacy we need.

    Currently I use a certificate from letsencrypt.

    I don't trust LetsEncrypt. For a variety of reasons. What is their business model? If it sounds too good to be true, it usually isn't. Plus it is a US company, subject to the Patriot Act.

    A couple of years ago a Dutch company issuing certificates was hacked. All the certificates were compromised. Google for DigiNotar.

    Anyway, binkd over TLS is not on my wish list. I'd prefer it if the developers spent their time and energy on other issues.

    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: http://www.vlist.eu (2:280/5555)
  • From Michiel van der Vlist@2:280/5555 to Rob Swindell on Tuesday, May 05, 2020 10:34:03
    Hello Rob,

    On Sunday May 03 2020 13:13, you wrote to me:

    Binkp over TLS is secure and provides privacy in a new and robust
    way.

    Security against what threats and privacy against which snooping
    eyes?

    If the threats/snooping-eyes announced their presence and intentions,
    they wouldn't be very effective, now would they?

    If you do not know who or what you are defending against, how do you know the defence is working at all?

    The biggest potential invasion of privacy in Fidonet is sysops
    snooping on in-transit mail. TLS does not protect against that.

    The second sentence is true.

    We have had PGP to end-to-end encrypt mail for 25 years. We hardly used it because most sysops would not route encrypted mail.

    The best strategy against snooping governments is to not be of
    interest.

    False. You're *already* being snooped on by governments and you're not interesting at all. You seem to be a very trusting person.

    Things are not always what they seem. Your conclusion is false.

    I doubt TLS is safe against the resources of governments.

    It seems to be effective enough for data in-flight that they
    (resources of governments) usually go after the persistent data on
    either end of the transport instead.

    So it is not effective against governments.

    It's a natural movement forward.

    Binkd already has built-in encryption.

    ... which is terrible.

    So is the lock on my bathroom. It nevertheless serves a purpose.

    I do not think the added value of TLS is worth the effort and
    overhead.

    It was very little effort and unnoticeable overhead.

    Not for Fidonet...

    For Fidonet proper, possibly true (though that depends on the content
    of your netmail messages). For FTN, likely false.

    I only use FTN for Fidonet.

    I don't know. If I'd have to go through the hassle of getting a
    certificate and pay for it and renew it every two years, probably
    not.

    Free certs are available.

    If it sounds too good to be true, it usually isn't.

    And I do not trust LetsEncrypt.

    Now you don't sound like a very trusting person. That was a quick turn around.

    No turn around, I have a very suspicious mind. Always had.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: http://www.vlist.eu (2:280/5555)