rsalz@bbn.com (Rich Salz) (02/07/91)
What verification should be done on cancel messages?

C-news does no checking. Geoff says that since you can't securely validate, you shouldn't provide the illusion that you can, so you can cancel the article.

B news and the RFC both say that you should check the sender (or from if sender is blank) and make sure that the cancel message matches the article being cancelled.

The C-news method leaves people a little uneasy. Its biggest advantage is that it lets the cancel message arrive before the article does.

The B news method follows the standard. However, it not only shouldn't process cancels that arrive first, it shouldn't pass them along. It should also not pass along cancels that failed the verification. The B news method has also caused problems for people who like to hide behind one site name (e.g., using rn's C command on a workstation when GENERICFROM is defined).

It seems like it would be very difficult to accept early cancel messages, but then reject them if the article comes in and the cancel fails...

Anyhow, which method seems better? Comments to me will be summarized, but a public discussion might not be a bad thing.
	/r$
--
Please send comp.sources.unix-related mail to rsalz@uunet.uu.net.
Use a domain-based address or give alternate paths, or you may lose out.

henry@zoo.toronto.edu (Henry Spencer) (02/07/91)
In article <3258@litchi.bbn.com> rsalz@bbn.com (Rich Salz) writes:
>Anyhow, which method seems better? Comments to me will be summarized, but a
>public discussion might not be a bad thing.

Persons discussing this might want to read notebook/rfcerrata in the C News distribution, which has a section on cancel propagation that bears on this. A section on cancel authentication will probably join it in the next patch.
--
"Maybe we should tell the truth?"      | Henry Spencer at U of Toronto Zoology
"Surely we aren't that desperate yet." | henry@zoo.toronto.edu utzoo!henry

rickert@mp.cs.niu.edu (Neil Rickert) (02/07/91)
In article <3258@litchi.bbn.com> rsalz@bbn.com (Rich Salz) writes:
>What verification should be done on cancel messages?
>
>Anyhow, which method seems better? Comments to me will be summarized, but a
>public discussion might not be a bad thing.
>	/r$

I tend to support Geoff's philosophy. Many newsreaders already make it hard to cancel if you are not the originator of the message. Anyone who knows enough to bypass those checks also knows enough to bypass the other checks.

Given recent events, I think I would favor a 'cancel' philosophy whereby cancellation of article 'nnn' simply renamed the article ',nnn' instead of removing it. (For a cross-posted article, it would remove from all but the first newsgroup, and rename in the first news group). The actual removal of cancelled articles would then be done during the nightly expire run, either by 'expire' itself, or by a script run at about the same time. Paranoid administrators could delay the physical removal of cancelled articles for a day or two if they wished.

--------------

Thought for the day: What if all news administrators set up their systems to add 'tygra!' to the beginning of the 'Path: ' string of all news passing through their sites? Would the problems we have been seeing then dry up?
--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
Neil W. Rickert, Computer Science <rickert@cs.niu.edu>
Northern Illinois Univ.
DeKalb, IL 60115 +1-815-753-6940

chk@alias.UUCP (C. Harald Koch) (02/08/91)
In <3258@litchi.bbn.com> rsalz@bbn.com (Rich Salz) writes:
>B news and the RFC both say that you should check the sender (or from if sender is
>blank) and make sure that the cancel message matches the article being cancelled.

Well, this is trivially insecure; when posting via NNTP, the Sender is always news@host.dom.ain; this allows anyone on that machine to cancel articles that were generated on that machine. If you have hostname hiding in your NNTP routines, then this becomes merely news@dom.ain, allowing anyone at your organization to cancel anyone else's articles.

I agree with Henry Spencer: It's better to not check than it is to pretend to have a level of security that you don't have.

I can see a denial-of-service problem with the propagation technique used in CNews, but that's a whole other can of worms...
--
C. Harald Koch VE3TLA Alias Research, Inc., Toronto ON Canada
chk%alias@csri.utoronto.ca chk@gpu.utcs.toronto.edu chk@chk.mef.org
"I think you curdled my Pepsi!"-Gerry Smit, in response to sickening cuteness

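
The Sender-or-From comparison discussed in the posts above, written out as an added example that is not part of any poster's message and is not B news or C News code. It shows what the check actually compares, so an operator can see that it identifies the posting host's news account and not the user. The function names, the host.example addresses and the sample headers are constructed for illustration.

```python
from email.parser import HeaderParser
from email.utils import parseaddr

def responsible_party(headers):
    """Address from Sender, or from From when Sender is absent or blank."""
    raw = headers.get("Sender") or headers.get("From") or ""
    return parseaddr(raw)[1].lower()

def cancel_target(cancel):
    """Message-ID named by 'Control: cancel <id>', or None if malformed."""
    parts = (cancel.get("Control") or "").split()
    if len(parts) == 2 and parts[0].lower() == "cancel":
        return parts[1]
    return None

def sender_match_check(article, cancel):
    """Accept only if the cancel names this article and both parties match."""
    if cancel_target(cancel) != article.get("Message-ID"):
        return False
    who = responsible_party(article)
    return bool(who) and who == responsible_party(cancel)

def parse(text):
    return HeaderParser().parsestr(text)

# Constructed sample headers (not taken from real traffic).
# Posted through NNTP: the server stamps the same Sender on every user.
ARTICLE_NNTP = parse("From: alice@host.example (Alice)\n"
                     "Sender: news@host.example\n"
                     "Message-ID: <a1@host.example>\n\n")
CANCEL_OTHER_USER_NNTP = parse("From: bob@host.example (Bob)\n"
                               "Sender: news@host.example\n"
                               "Control: cancel <a1@host.example>\n\n")
# Posted without a Sender header: the check falls back to From.
ARTICLE_LOCAL = parse("From: alice@host.example (Alice)\n"
                      "Message-ID: <a2@host.example>\n\n")
CANCEL_OTHER_USER_LOCAL = parse("From: bob@host.example (Bob)\n"
                                "Control: cancel <a2@host.example>\n\n")
CANCEL_AUTHOR_LOCAL = parse("From: alice@host.example\n"
                            "Control: cancel <a2@host.example>\n\n")

def results():
    """Outcome of the check for each constructed pair."""
    return {
        "nntp_other_user": sender_match_check(ARTICLE_NNTP, CANCEL_OTHER_USER_NNTP),
        "local_other_user": sender_match_check(ARTICLE_LOCAL, CANCEL_OTHER_USER_LOCAL),
        "local_author": sender_match_check(ARTICLE_LOCAL, CANCEL_AUTHOR_LOCAL),
        "wrong_article": sender_match_check(ARTICLE_NNTP, CANCEL_AUTHOR_LOCAL),
    }
```

With the shared NNTP Sender the check accepts a cancel from a different user on the same host, while the From fallback distinguishes the two users only as far as the headers themselves can be trusted.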
merce@iguana.uucp (Jim Mercer) (02/08/91)
In article <1991Feb6.195500.21409@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
> Thought for the day: What if all news administrators set up their systems
>to add 'tygra!' to the beginning of the 'Path: ' string of all news passing
>through their sites? Would the problems we have been seeing then dry up?

isn't this how the USENET Death Penalty (TM) is implemented?
--
[ Jim Mercer work: jim@lsuc.on.ca home: merce@iguana.uucp +1 519 570-3467 ]
[ "I am pro-military. I am not pro-war. There is a big difference" ]
[ -- Louise Mandrell (Toronto Sun) ]