
Re: Filezilla a security risk



On Sun, 08 Jul 2012, Markus Schönhaber wrote:
> 08.07.2012 13:59, Camaleón:
> > While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of 
> 
> smtps was defined as 465/tcp. 587/tcp is message submission which does
> not provide encryption on the transport layer.

Yeah, and 465/tcp use for SMTP over SSL was dropped in ~1998[1], and
IANA eventually assigned 465/tcp and 465/udp to other services.  465/tcp
is assigned to URD SSM, and 465/udp to igmpv3lite over UDP.

As usual in things like this, it was a bad move in hindsight: giving up
on port 465 became a drawback about five years later, when the world
started moving past the SSL crap and single-domain-constrained X.509
that existed in 1998 [2], to (still broken) TLSv1.0 and RFC 3546, and
later to TLS v1.1+ and RFC 4366.

The same reasoning works for imap and imaps.  Fortunately, nobody gave
up on the 993/tcp imaps port, so it remains assigned to imaps by IANA.
pop3s never had any starttls alternative, and 995/tcp remains assigned
to pop3s.

Now, if ops people were more active on the relevant IETF workgroups, we
might have a TLS port for the submission service, which would help
deployments of hardware TLS endpoints (which is probably the only good
reason to still support port 465 for smtps, actually).

[1] http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html
[2] http://www.carbonwind.net/blog/post/A-quickie-for-a-Friday-e28093-a-SSLTLS-timeline.aspx

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

