Re: "file:" URLs?



On Mon, 20 August 17:15 Albrecht Dreß wrote:
> On 20.08.2001 12:03:59, Brian Stafford wrote:
> > as is desired.  I think the functionality as it stands is about right.
> 
> Thanks, but I still need to support news/nntp URI's... 

Oh right, I hadn't noticed because I haven't got any mails with them in.

> > Well, that's a little unfair on telnet.  The STARTTLS command is defined
> > for telnet.  A properly configured server will implement it and refuse
> > to continue without negotiating the TLS connection.  This avoids the need
> > for extra ports etc and preserves the huge raft of options and functionality
> > that telnet provides.  The blame belongs with the implementation, not the
> > protocol.
> 
> Well, I've seen *so* many hacks by password snooping, hijacking connections,
> ... with telnet, rsh, rlogin and friends that I decided to deactivate it.

Telnet is an IETF protocol.  Rsh, rlogin &c are BSD hacks.

> Please don't get me wrong, I know that telnet servers *could* do better.

Here I agree fully.  Given that most telnet servers (and clients) are as flaky
as hell it would be nice if someone wrote a nice modern implementation designed
from the start to be secure.  (No, I'm not volunteering :)

> But
> for some strange reason users tend to still use these insecure methods and
> just refuse to use ssh, even if it simplifies a lot of things (setting
> DISPLAY, ...).

I saw a chilling demo of user stupidity at the open plenary at the Pittsburgh
IETF.  One of the security people used tcpdump on a laptop with a radio lan
card for about 30 minutes.  During that time he sniffed a few dozen plain text
passwords.  He put the passwords up on the screen.  As a courtesy he didn't
list the associated user names, saying "you know who you are".  However two of
the passwords were presented as "?".  This was because not only did they reveal
the host name but the name of the user account!

> BTW, pop3 and imap are also vulnerable to password snooping (use a tcp sniffer
> at that port and just look into the logs to see what I mean!), so the
> pop3s/imaps implementation is really important. Unfortunately, not every
> provider does support them.
> 
> > > Maybe, later, ssh will be in the RFC's...
> > 
> > IIRC, there is an effort under way to do just this.
> 
> So this should go into balsa 1.3 ;-))

Check out the secsh working group at www.ietf.org

Brian



