jdev - 2021-02-14

  1. love


  2. love


  3. moparisthebest

    > if the server offers a method that simply does not work, i tend to think admin should get informed by user reports right away
    > and not we fall silently back and problem is not discovered for eternity
    > same story with direct and start tls

  4. moparisthebest

    lovetox: that's not at all the same story though

  5. moparisthebest

    With sasl mechanisms, you have a secure and authenticated connection to your trusted server

  6. moparisthebest

    If a network attacker blocks 1 of many connection methods and you don't try the rest, that's letting the attacker win

  7. moparisthebest

    No user ever wants to not connect when they could connect, right?

  8. Sam Whited

    moparisthebest: if an attacker blocks one method that could also be a downgrade attack; I'm all for preventing DOS's, but in the case of auth I'd say it's probably worth failing fast (depending on the mechanisms, their security levels, etc.)

  9. Zash

    If an attacker blocks one SASL method? You're already on pretty thin ice then.

  10. moparisthebest

    No I'm talking about connecting, not auth methods, I'm saying they are very different, not the same

  11. Sam Whited

    oh gotcha, yah, I tend to agree