Subj : Is binkp/d's security model kaputt?
To   : Satchmo
From : Oli
Date : Wed Sep 08 2021 12:56 pm

Satchmo wrote (2021-09-08):

 S> On 09/02/21, Oli said the following...

 Ol>> I'm trying to figure out how to configure binkd for reliable
 Ol>> security. I see several problems. Part design flaw of the binkp
 Ol>> protocol (and FTN tradition), part implementation.

 Ol>> 1) Passwords stored in clear text

 Ol>> It's not ideal, but I can live with that. At least it allows
 Ol>> MD5-CRAM, which is not very secure, but better than clear plaintext
 Ol>> over the wire.

 S> [snip]

 S> Hey Oli, I was wondering if any of these bugs/issues have been raised with
 S> the developers?

Maybe these issues have been discussed in the past, I don't know. It's not that a new unknown vulnerability has been discovered. These are problems that are baked in the binkp (protocol) and the Binkleyterm-Style-Outbound. This is what you get, if standardization means documenting stuff that has been in use for a long time (instead of creating well designed standards in working groups and having a back and forth between specification and implementation).

Most of the problems are not binkd specific, but exist also for other binkp mailers.

 S> It's open source right?

Right. And I'm trying to figure out how hard it is to implement some workarounds.

---
 * Origin: 1995| Invention of the Cookie. The End. (21:3/102)