Is anyone interested in testing binkp connections over Tor (hidden service) and/or direct TLS*?

My node supports both for incoming and outgoing connections. Are there other nodes in fsxnet that are reachable with a .onion address or offer direct TLS?

I also would like to standardize Tor and TLS for binkp.

* as in cleartext considered obsolete**
** https://tools.ietf.org/html/rfc8314


* Origin: 🌈 (21:1/151)

Is anyone interested in testing binkp connections over Tor (hidden service) and/or direct TLS*?

The TLS option is intersting.

My node supports both for incoming and outgoing connections. Are there other nodes in fsxnet that are reachable with a .onion address or offer direct TLS?

How do you setup your binkp for TLS?

Ttyl :-),
Al

--- MagickaBBS v0.12alpha (Linux/x86_64)
* Origin: Equinox BBS - Penticton, BC Canada (21:3/107.1)

How do you setup your binkp for TLS?

i'm using haproxy for incoming connections, stunnel should also work

in the binkd nodelist:
node 5:6/7 -pipe "ncat --ssl-alpn binkp *H *I" example.com:24553


* Origin: 🌈 (21:1/151)

Re: Tor hidden services / TLS for binkp
By: Oli to All on Thu Oct 10 2019 10:03 pm

Is anyone interested in testing binkp connections over Tor (hidden

service) and/or direct TLS*?

I might have a play with onion - I see opnsense supports it - so that's probably where I'll start.

Now sure how the BBS will route to it, but I'll figure that bit out. (Know nothing about tor - except how to spell it...)
...δεσπ

... Among economists, the real world is considered to be a special case.
--- SBBSecho 3.10-Linux
* Origin: Alterant | An SBBS in Docker on Pi! (21:2/116)

Is anyone interested in testing binkp connections over Tor
(hiddenservice) and/or direct TLS*?

I might have a play with onion - I see opnsense supports it - so
that's probably where I'll start.

:)
I never used opnsense, but it looks like it's easy to configure a hidden service. If you will post the created onion address, I'll try to send you a netmail over Tor.

Now sure how the BBS will route to it, but I'll figure that bit out.
(Know nothing about tor - except how to spell it...)
...ëîåã

If this doesn't explain everything, just ask. https://wiki.opnsense.org/manual/how-tos/tor.html#hidden-services

Good luck!


* Origin: 🌈 (21:1/151)

How do you setup your binkp for TLS?

i'm using haproxy for incoming connections, stunnel should also work

in the binkd nodelist:
node 5:6/7 -pipe "ncat --ssl-alpn binkp *H *I" example.com:24553

My reply could have been a little bit longer, I'm trying again with some more details, even stuff many already know ... :)

Preface: TLS and SSL are often used synonymously. SSL is the older standard that is deprecated and replaced by TLS. Many applications still use SSL in their name, with command line paramaters, configuration options or in the documentation. They always use TLS by default (there might be some rare exceptions). So if you read SSL it means TLS most of the time (the last SSL version 3.0 is from 1996, TLS 1.0 from 1999, 1.2 from 2008, 1.3 from 2018). For
some aesthetic or habitual reasons I also like "SSL" better than "TLS".


There are basically two ways to start a TLS session:

1) Implicit (or direct) TLS: client and server directly start the TLS session, after the connection has been established.

2) Opportunistic TLS: client and server start with an unencrypted cleartest connection and after some chit chat, they agree to upgrade the connection to TLS. (For SMTP, IMAP, NNTP, XMPP, IRC and other protocols it is know as STARTTLS).
https://en.wikipedia.org/wiki/Opportunistic_TLS

Until recently STARTTLS was the prefered method to enable smooth transitions from unencrypted to TLS encrypted connections without any involvement from the user. Since the Snowden leaks in 2013 a lot has changed and the IETF is pushing
towards implicit TLS now ("Cleartext Considered Obsolete": https://tools.ietf.org/html/rfc6409).

As far as I know (and I might be wrong, please correct me), the only binkp mailer that supports TLS is MysticBBS. It's not documented, but the wiki states
that it is "opportunistic SSL (TLS v1.2+) using a proprietary extension of the
BINKP protocol". I guess it would not be very hard to reverse engineer the binkp extension, if you capture the data of a binkp session between two MysticBBS instances. Or wait until the author releases a documentation. Then support for the opportunistic TLS extension could be added to other mailers too.

Honestly, I think we should forget about opportunistic TLS for binkp. Implicit TLS is simpler to implement, does not have the weaknesses of opportunistic encryption and can be added to servers that don't support TLS natively.

To add TLS support to a binkp server you need a so called TLS termination proxy
for TCP connections. Servers that offer that functionality are stunnel, nginx and haproxy. The proxy server listens on another port (let's say 24555) for incoming TLS connections from the internet and forwards them in cleartext to your local binkp server on port 24554.

Setting up TLS for the server side is quite straight-forward and should work with any binkp server. I would recommend stunnel, it is easy to configure. The most powerful is haproxy, but it has a million configuration parameters you'll never use and a weird config syntax. Nginx might be interesting, if you're already using it (I haven't tried the tcp proxy in nginx).

Maybe a step-by-step howto would be useful.

And then there is the other side: how to make a TLS connection from a binkp client? That is a post for another day ...





* Origin: 🌈 (21:1/151)

Re: Tor hidden services / TLS for binkp
By: Oli to Oli on Sun Oct 13 2019 12:48 pm

configure. The most powerful is haproxy, but it has a million configuration parameters you'll never use and a weird config syntax. Nginx might be interesting, if you're already using it (I haven't tried the tcp proxy in nginx).

Nginx is fast becoming my favorite; I grew up on Apache but just set up a reverse proxy with Nginx - the synax and the config file layout is nice, and it
didn't take very long to set up the reverse proxy.
--- SBBSecho 3.09-Win32
* Origin: http://realitycheckbbs.org (21:4/122)

Nginx is fast becoming my favorite; I grew up on Apache but just set
up a reverse proxy with Nginx - the synax and the config file layout
is nice, and it didn't take very long to set up the reverse proxy.

you mean a http reverse proxy? or one for binkp?


* Origin: 🌈 (21:1/151)

Nginx is fast becoming my favorite; I grew up on Apache but just set up a reverse proxy with Nginx - the synax and the config file layout is nice, and it didn't take very long to set up the reverse proxy.

IMO, nginx offers performance benefits over apache that make it a no brainer.

--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: monterey bbs (21:1/168)

Re: Tor hidden services / TLS for binkp
By: Oli to poindexter FORTRAN on Sun Oct 13 2019 05:33 pm

Nginx is fast becoming my favorite; I grew up on Apache but just set
up a reverse proxy with Nginx - the synax and the config file layout
is nice, and it didn't take very long to set up the reverse proxy.

you mean a http reverse proxy? or one for binkp?

I'm setting up a reverse proxy for some web apps at work - separate from Binkp.
My comment was just that Nginx is a nice platform and was easy to config. It opens up lots of possibilities for me; I'm considering a move to Linux.
--- SBBSecho 3.09-Win32
* Origin: http://realitycheckbbs.org (21:4/122)

Re: Re: Tor hidden services / TLS for binkp
By: ryan to poindexter FORTRAN on Sun Oct 13 2019 09:56 am

IMO, nginx offers performance benefits over apache that make it a no brainer.

Sounds like it. Apache's a sentimental favorite, I suppose.
--- SBBSecho 3.09-Win32
* Origin: http://realitycheckbbs.org (21:4/122)

On 13 Oct 2019, poindexter FORTRAN said the following...

Re: Tor hidden services / TLS for binkp
By: Oli to Oli on Sun Oct 13 2019 12:48 pm

configure. The most powerful is haproxy, but it has a million configur parameters you'll never use and a weird config syntax. Nginx might be interesting, if you're already using it (I haven't tried the tcp proxy nginx).

Nginx is fast becoming my favorite; I grew up on Apache but just set up a reverse proxy with Nginx - the synax and the config file layout is nice, and it didn't take very long to set up the reverse proxy.

Isn't it though? I've stayed with Apache on Slackware, coz I know it
backwards and forwards, but I do love Nginx and run it on other Unices.

Stunnel is really straight-forward too, and perhaps the easiest to implement TLS for things like Gopher over standard ports and other things that don't actually have support for TLS.

haproxy is the old standby, and arguably the most powerful, but it's a royal biotch to config.

--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: Vger.Cloud - NOMAD Internetwork (21:2/104)

On 13 Oct 2019, poindexter FORTRAN said the following...

Re: Tor hidden services / TLS for binkp
By: Oli to Oli on Sun Oct 13 2019 12:48 pm

configure. The most powerful is haproxy, but it has a million configu

r

parameters you'll never use and a weird config syntax. Nginx might be

interesting, if you're already using it (I haven't tried the tcp prox

y

nginx).

Nginx is fast becoming my favorite; I grew up on Apache but just set up a

reverse proxy with Nginx - the synax and the config file layout is nice,
and it didn't take very long to set up the reverse proxy.

Isn't it though? I've stayed with Apache on Slackware, coz I know it backwards and forwards, but I do love Nginx and run it on other
Unices.

Stunnel is really straight-forward too, and perhaps the easiest to implement
TLS for things like Gopher over standard ports and other things that
don't
actually have support for TLS.

haproxy is the old standby, and arguably the most powerful, but it's a royal
biotch to config.

Weeeeell. I agree to disagree. There are * a lot * of good howto's and documentation on Haproxy. I've used it myself for years with six Apache web servers as backend except for a few weeks here and there when I tried to use Nginx as a reverse proxy and the same amount of web servers as backend. Nginx is, no doubt, very powerful but there are situations and configurations where it just doesn't work properly (hello Wordpress...) at all times. I always end up going back and maintaining my Haproxy / Apache combo and it's been nothing but rock solid for years. I can't say it's that much slower either to be honest.



--- NiKom v2.5.0
* Origin: Delta City (deltacity.se, Vallentuna, Sweden) (21:2/130.0)

Re: Re: Tor hidden services / TLS for binkp
By: tallship to poindexter FORTRAN on Tue Oct 15 2019 03:17 am

Isn't it though? I've stayed with Apache on Slackware, coz I know it backwards and forwards, but I do love Nginx and run it on other Unices.

Apache and Slackware, that's probably an iconic combination from the mid 90s. I've heard about those two since I started using the internet in 1995. And I think I had heard about Slackware even earlier, when my dad started messing around with Linux on his PC at home. I imagine Apache and Slackware were (and maybe still are) the backbone of many sites on the internet.

Nightfox
--- SBBSecho 3.10-Win32
* Origin: Digital Distortion: digdist.synchro.net (21:1/137)

Nightfox wrote to tallship <=-

I imagine
Apache and Slackware were (and maybe still are) the backbone of many
sites on the internet.

You are defiantly right about Apache being the backbone of the internet.
Apache is said to run about 46% of all websites online, something like that.

-Zoo

___ MultiMail/Linux v0.49

--- Mystic BBS/QWK v1.12 A43 2019/03/03 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

Re: Re: Tor hidden services / TLS for binkp
By: Zoohouse to Nightfox on Wed Oct 16 2019 12:37 pm

You are defiantly right about Apache being the backbone of the internet. Apache is said to run about 46% of all websites online, something like that.

I think Apache usage was quite a bit higher at one point. There is other server software that has been released in more recent years that has given Apache some copmetition.

Nightfox
--- SBBSecho 3.10-Win32
* Origin: Digital Distortion: digdist.synchro.net (21:1/137)

You are defiantly right about Apache being the backbone of the
internet. Apache is said to run about 46% of all websites online, something like that.

If you include every single low-traffic website, this number might be more or less accurate. If you count bytes served, you get very different numbers. Apache is not that important anymore and it's market share is constantly declining. https://w3techs.com/technologies/comparison/ws-apache,ws-microsoftiis,ws-nginx

As Apache is not a TCP proxy this is also a bit off-topic, so back to TLS ... ;)
for testing purposes you can also use ncat to create a proxy.

invoking binkd in inetd mode:
ncat -l 24555 -k --ssl --ssl-cert test-cert.pem --ssl-key test-key.pem -c "binkd -i /etc/binkd/binkd.cfg"

or forwarding incoming connections to any binkp server on port 24554:
ncat -l 24555 -k --ssl --ssl-cert test-cert.pem --ssl-key test-key.pem -c "ncat
localhost 24554"

this command creates a self-signed certificate and key:
openssl req -nodes -new -x509 -keyout test-key.pem -out test-cert.pem



* Origin: 🌈 (21:1/151)

Re: Re: Tor hidden services / TLS for binkp
By: Zoohouse to Nightfox on Wed Oct 16 2019 12:37 pm

You are defiantly right about Apache being the backbone of the internet. Apache is said to run about 46% of all websites online, something like

that.

I dont know how authorative this is - but I've refered to it for years:

https://news.netcraft.com/archives/2019/09/27/september-2019-web-server-survey. html
...δεσπ

... Send in competition answers with your name, age and how old you are.
--- SBBSecho 3.10-Linux
* Origin: Alterant | An SBBS in Docker on Pi! (21:2/116)

more or less accurate. If you count bytes served, you get very different numbers. Apache is not that important anymore and it's market share is

If you count bytes served, aren't we basically talking about Netflix? Perhaps with a side of Youtube and Amazon prime video?

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/64)
* Origin: Storm BBS (21:2/108)

https://news.netcraft.com/archives/2019/09/27/september-2019-web-server-su html

I had not realize how steep the drop off has been since a few years ago. wow.

-Zoo

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)