NNSP / TCP port 433

Russ Allbery eagle at eyrie.org
Tue Nov 23 23:21:39 UTC 2021


Grant Taylor <gtaylor at tnetconsulting.net> writes:

> The powers that be ~> industry seems to keep waffling back and forth on
> explicit vs implicit port encryption.  As I understand it, it started
> with separate implicit ports (a port was either encrypted exclusive or
> not) because STARTTLS was not yet a thing.  Then it went to combined
> explicit ports (because you explicitly stated if you wanted encryption).
> And now we seem to be going back to separate implicit ports in an
> attempt to avoid downgrade attacks on explicit ports.

The tension is between folks with a security focus and folks who were
worried about running out of assigned ports if every protocol got two port
assignments.  Currently, the security perspective is in ascendancy again,
in part because implementing STARTTLS securely turns out to be
surprisingly difficult.  See, for example:

https://www.usenix.org/conference/usenixsecurity21/presentation/poddebniak

(And indeed INN may well be vulnerable to many of those problems.  I
haven't checked and the researchers limited their investigation primarily
to email.)

> I would expect that the NNSP port 433 could be explicitly encrypted via
> STARTTLS much like NNTP port 119.

It certainly could be, although I don't know how many implementations
support this.  (innd does not.)

> I'm of the mind that we as the NNTP using community make a server rule
> -- à la "house rule" -- that the NNSP port 433 be implicitly TLS
> protected much like NNTPS port 563 is.  -- I say this because the
> current industry best practices are to use implicit encryption.  So if
> the NNSP port 433 is largely unused and we want to start making use of
> it, why not impose implicit encryption.

Unfortunately, there is quite substantial existing use of 433 unencrypted
and innd among others doesn't support TLS on that port right now.  So I
think there's some work ahead of us before we could get to that point.
The flag day of switching port 433 from unencrypted to encrypted is a bit
tricky to navigate.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
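The message above points at the Poddebniak et al. paper for why STARTTLS is hard to get right. The following is an added, in-memory model of the best-known bug class from that work, written for this archive page and not taken from INN or any other server; it does not claim that innd or any named implementation has this bug. The idea: a client sends STARTTLS, and a man-in-the-middle appends plaintext after the server's 382 reply (RFC 4642). A client that keeps its plaintext read buffer across the TLS upgrade later hands those attacker-chosen bytes to the application as if they had arrived over TLS. The NntpClient class, its strict flag, and all wire data are constructed for the example.

```python
"""Constructed model of STARTTLS plaintext injection against an NNTP client.

The two io.BytesIO streams stand in for the TCP socket before the TLS
handshake and for decrypted TLS application data afterwards.  No network
I/O is performed.
"""
import io

# Constructed wire data, not captured traffic.
SERVER_382 = b"382 Continue with TLS negotiation\r\n"        # RFC 4642 reply to STARTTLS
INJECTED = b"200 mitm.example NNTP ready (posting ok)\r\n"   # attacker's plaintext, appended by a MITM
REAL_REPLY = b"101 Capability list:\r\n"                     # genuine reply, arrives over TLS


class ProtocolError(Exception):
    """Raised when the client refuses to continue the session."""


class NntpClient:
    """Minimal line-oriented NNTP reader with a STARTTLS upgrade step.

    strict=False models the naive implementation that keeps its buffer
    across the upgrade; strict=True is the hardened variant that treats
    any plaintext following the 382 reply as fatal.
    """

    def __init__(self, plaintext: bytes, tls_payload: bytes, strict: bool):
        self._plain = io.BytesIO(plaintext)
        self._tls = io.BytesIO(tls_payload)
        self._strict = strict
        self._buf = b""
        self.secure = False

    def _source(self) -> io.BytesIO:
        return self._tls if self.secure else self._plain

    def readline(self) -> bytes:
        # Read in chunks, as a buffered socket reader does, so more than one
        # line can land in self._buf from a single recv().  That is exactly
        # how the injected line survives the TLS upgrade in the naive client.
        while b"\r\n" not in self._buf:
            chunk = self._source().read(4096)
            if not chunk:
                raise ProtocolError("connection closed")
            self._buf += chunk
        line, _, self._buf = self._buf.partition(b"\r\n")
        return line

    def starttls(self) -> None:
        reply = self.readline()
        if not reply.startswith(b"382"):
            raise ProtocolError(f"unexpected STARTTLS reply: {reply!r}")
        # Anything still buffered here was sent in plaintext and cannot be
        # trusted.  The hardened client aborts; the naive one keeps it and
        # will later return it as though it came over TLS.
        if self._buf and self._strict:
            raise ProtocolError("plaintext data received after 382 reply")
        self.secure = True


def reply_after_upgrade(strict: bool, injected: bytes = INJECTED) -> bytes:
    """Return the first line the client attributes to the TLS channel."""
    client = NntpClient(SERVER_382 + injected, REAL_REPLY, strict)
    client.starttls()
    return client.readline()


def rejects_injection(strict: bool) -> bool:
    """True if the client aborts the session when plaintext trails the 382."""
    try:
        reply_after_upgrade(strict)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    print("naive client sees :", reply_after_upgrade(strict=False))
    print("strict, clean wire:", reply_after_upgrade(strict=True, injected=b""))
    print("strict rejects MITM:", rejects_injection(strict=True))
```

The naive client pairs the attacker's line with its first post-handshake command and the genuine TLS replies are thereafter off by one; the strict client refuses the session. The same check applies on the server side in the other direction (a command buffered before the handshake must not be executed after it), which is one reason an implicit-TLS port such as 563 has no equivalent failure mode.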
