[HamWAN PSDR] Newbie

Tue Mar 16 08:21:15 PDT 2021

SSL (more properly SSL/TLS) is an umbrella term. There are many ciphers and
protocol versions that the client and server negotiate. To comply with the
FCC requirements of no encryption you would use a NULL Cipher, meaning no
encryption. Because nearly nothing supports this you'd need an SSL/TLS
proxy with compatible certificates installed on the clients.

See attached for winlink specific analysis of 'SSL'.

>From Stack overflow: "Yes, TLS and SSL support "no-encryption" modes.
Whether the particular client and server in question are configured to
enable is a separate issue.

It's possible, though unlikely, that a server could enable one of these
cipher suites by default. What is more likely is that a server would enable
weak cipher suites (like the "export"-grade DES-based suites) by default.
That's why you should carefully review the server's whitelist of cipher
suites, and leave only a few trusted, widely-supported algorithms.

You can use the TLS_RSA_WITH_NULL_SHA cipher suite, among others, to
protect the authenticity and integrity of traffic, without encryption.

The "RSA" in this case refers to the key exchange algorithm, while "SHA"
refers to the message authentication algorithm used to protect the traffic
from being altered. "NULL" is the encryption algorithm, or, in this case,
the lack of encryption.

It's important to realize that the traffic, though it's not encrypted, is
bundled up in SSL records. The client and server must be SSL-enabled.

If you are looking for a step-down solution where some data is exchanged
over SSL, then SSL is turned off but the application traffic continues,
that's possible too, but keep in mind that it offers absolutely no security
for the cleartext traffic; it can be tampered with by an attacker. So, for
example, authenticating with SSL, then stepping down to an "in-the-clear"
protocol to receive commands that use the authentication negotiated via SSL
would unsafe."

And if you're really bored check out this SSL/TLS analysis:
http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session/

On Tue, Mar 16, 2021, 7:58 AM Scott Currie <scott.d.currie at gmail.com> wrote:

> Here is my, probably incomplete, understanding of things. Originally,
> connections to the CMS from either clients (Winlink Express) or gateways
> (RMS Packet, RMS Trimode) were on port 8772 using telnet. About a year ago
> they introduced port 8773 which uses SSL. For the WDT products, this is now
> the preferred port and is tried first. If the connection fails, they will
> try port 8772, and today this will still work. At some point port 8772 will
> be turned off. Non-WDT clients and servers (BPQ, Pat, Outpost) can still
> use port 8772 today, but will need to switch to port 8773 eventually. I do
> not know what the traffic looks like on port 8773. They say it is still
> telnet, so I don't know if they are using SSL for authentication, and then
> switching to plain text, or if they are establishing an encrypted tunnel
> and then sending telnet through the tunnel. I'll have to trace it and see
> what is going on.
>
> Client and gateway connections to RMS Relay go over port 8772 using
> telnet, and this will not change. P2P telnet connections will continue to
> be unencrypted (the port default is 8772 but can be changed). RMS Relay
> connections to the CMS will be over port 8773 SSL.
>
> I'm not smart enough to interpret FCC rules to know if encrypted
> authentication is OK, as long as the actual traffic is plain text.
>
> -Scott, NS7C
>
> On Tue, Mar 16, 2021 at 6:32 AM Steve - WA7PTM <psdr-list at aberle.net>
> wrote:
>
>> If we separate Winlink (the system) from Winlink Express (the client
>> program), is a SSL connection also the case with the other six clients
>> listed on the https://winlink.org/ClientSoftware page when used in
>> telnet mode?
>>
>> Steve
>>
>>
>> Scott Currie wrote on 3/15/21 10:06 PM:
>> > Yeah, I discussed this with the WDT, and the issue with using HamWAN or
>> > ARDEN. I had asked if we could force a non-SSL connection to the CMS.
>> They
>> > have been under pressure from AWS to switch to all SSL connections, so
>> they
>> > had to make the change. They did commit to leaving the client or gateway
>> > connection to RMS Relay as non-SSL, so that is why we have suggested
>> having
>> > a regional instance of RMS Relay on HamWAN that the RMS Gateways and
>> > clients could point to. Backend of the RMS Relay would then connect to
>> the
>> > CMS over SSL on a hardened Internet connection (like at a county EOC or
>> the
>> > State EOC), or even HF forwarding if the Internet is down.
>> >
>> > -Scott
>> >
>> > On Mon, Mar 15, 2021 at 9:41 PM Stephen Kangas <stephen at kangas.com>
>> wrote:
>> >
>> >> Scott, thanks for that update, interesting.  “Telnet” is a misnomer in
>> >> this WinLink instance, as that port 22 protocol is historically and
>> >> normally unencrypted, and widely understood in the industry as such
>> >> (whereas SSH is encrypted).   It looks like the email client is
>> connecting
>> >> locally to an RMS Relay in that mode, which then connects to the CMS
>> on the
>> >> internet.
>> >>
>> >>
>> >>
>> >> --Stephen W9SK
>> >>
>> >>
>> >>
>> >> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Scott Currie
>> >> *Sent:* Monday, March 15, 2021 5:56 PM
>> >> *To:* Puget Sound Data Ring <psdr at hamwan.org>
>> >> *Subject:* Re: [HamWAN PSDR] Newbie
>> >>
>> >>
>> >>
>> >> This is not entirely true. Winlink does use TLS/SSL connections for
>> some
>> >> things. The normal telnet connection is now SSL (will fallback to
>> non-SSL
>> >> if the connection fails). Also, RMS Gateway to the CMS is now SSL.
>> Telnet
>> >> P2P and telnet to RMS Relay is not SSL. I believe updates are also SSL
>> now.
>> >>
>> >>
>> >>
>> >> Winlink Express Link Test:
>> >>
>> >> Test started 2021/03/16 00:52 UTC
>> >>
>> >> Testing CMS telnet connection to cms.winlink.org through port 8772...
>> >>    Successfully connected to a CMS through port 8772 in 253
>> Milliseconds
>> >>
>> >> Testing CMS SSL telnet connection to cms.winlink.org through port
>> 8773...
>> >>    Successfully connected to a CMS through port 8773 in 311
>> Milliseconds
>> >>
>> >> Testing API service access through port 443 to api.winlink.org...
>> >>    Successfully performed API service to api.winlink.org through port
>> 443
>> >> in 756 Milliseconds
>> >>
>> >> Testing Autoupdate server access through port 443 to
>> >> autoupdate2.winlink.org...
>> >>    Successfully checked autoupdate server through port 443 in 439
>> >> Milliseconds
>> >>
>> >> Testing connection to web site - www.winlink.org:443
>> >>    Successfully connected to www.winlink.org through port 443 in 47
>> >> Milliseconds
>> >>
>> >> Testing FTP connection to SFI site -
>> >> ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt
>> >>    Successfully connected to
>> ftp://ftp.swpc.noaa.gov/pub/latest/SGAS.txt
>> >> through port 20/21 in 1522 Milliseconds
>> >>
>> >> Test completed successfully.
>> >>
>> >> -Scott, NS7C
>> >>
>> >>
>> >>
>> >> On Mon, Mar 15, 2021 at 5:45 PM Stephen Kangas <stephen at kangas.com>
>> wrote:
>> >>
>> >> Phil, an example of the ham band traffic that Kenny mentioned is not
>> >> permitted by the FCC is encrypted communications traffic…this means the
>> >> majority of websites your visit today and many email hosters, since
>> >> websites commonly use TLS/SSL encryption (indicated by “https” in
>> front of
>> >> the URL in your browser address bar) or encrypted settings in your
>> email
>> >> hoster & client.  Winlink does NOT use encryption, thus is legal, and
>> is
>> >> the primary application for my ARES team using HamWAN.  As Kenny points
>> >> out, certain routers (not inexpensive home models) can be used to split
>> >> that traffic appropriately, but it is not an easy setup unless you
>> have a
>> >> background in data networks or cybersecurity…so it’s far easier to
>> either
>> >> use HamWAN just for your dedicated ARES laptop use or switch a cable
>> back
>> >> and forth using one pipe at a time.
>> >>
>> >>
>> >>
>> >> FWIW, Stephen W9SK
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Kenny Richards
>> >> *Sent:* Monday, March 15, 2021 12:49 PM
>> >> *To:* Puget Sound Data Ring <psdr at hamwan.org>
>> >> *Subject:* Re: [HamWAN PSDR] Newbie
>> >>
>> >>
>> >>
>> >> Just want to add two things to what Carl said already.
>> >>
>> >>
>> >>
>> >> 1) Line of sight means you can actually 'see' the HamWAN node, or at
>> least
>> >> you can with something like a pair of binoculars.
>> >>
>> >>
>> >>
>> >> 2) Remember that HamWAN is not meant to be a replacement for your home
>> >> internet. Be very conscious of what traffic you are putting over
>> HamWAN. I
>> >> don't recommend connecting it to your home network unless you are
>> familiar
>> >> enough with routing rules to limit what traffic goes out the HamWAN
>> link.
>> >>
>> >>
>> >>
>> >> Good luck,
>> >>
>> >> Kenny, KU7M
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Mon, Mar 15, 2021 at 12:40 PM <carl at n7kuw.com> wrote:
>> >>
>> >> Hi Phil,
>> >>
>> >> You can do all of the configuration while on the ground, but obviously
>> you
>> >> won’t have any signal. You don’t indicate what specific equipment you
>> have,
>> >> but if you have the mAnt30 dish and separate router/modem, make sure
>> you
>> >> have the antenna connected before powering it up.
>> >>
>> >>
>> >>
>> >> As to trees, they are an absolute show stopper. You must have clear,
>> >> visual, line of sight to the HamWAN site you are shooting to.
>> Hopefully you
>> >> will have that, or can achieve that, from where you plan to mount the
>> >> dish.  As to “just over them”, a microwave shot consists of the direct,
>> >> pure line of sight, but also what is referred to as the Fresnel zone –
>> a
>> >> cigar shaped “balloon” around the pure line of sight.  Items in the
>> Fresnel
>> >> zone (including trees) can reduce the amount of signal you have, so
>> you may
>> >> not get optimum performance, but some.
>> >>
>> >>
>> >>
>> >> In your initial post you commented about how to balance between your
>> >> regular internet and HamWAN for a Winlink node.  My suggestion would
>> be to
>> >> just leave it on one (whichever one) as the norm, and only switch to
>> the
>> >> other if the one goes down.  You can also acquire routers that include
>> >> failover capability to automatically make that switch.  You can go more
>> >> advanced with load sharing and such between multiple connections, but
>> that
>> >> requires much better understanding of internet routing, and for a
>> winlink
>> >> node basic failover will serve your purpose.
>> >>
>> >>
>> >>
>> >> Good luck, let us know how things turn out.
>> >>
>> >> Carl, N7KUW
>> >>
>> >>
>> >>
>> >> *From:* PSDR <psdr-bounces at hamwan.org> *On Behalf Of *Phil Cornell via
>> >> PSDR
>> >> *Sent:* Monday, March 15, 2021 12:11 PM
>> >> *To:* psdr at hamwan.org
>> >> *Subject:* [HamWAN PSDR] Newbie
>> >>
>> >>
>> >>
>> >> OK, I figured out my problem and I now have Winbox talking to the radio
>> >> and reporting status.  I's not linking to anything since the antenna is
>> >> still on the ground.  How much configuration can I do before mounting
>> it on
>> >> my roof.  The only question in my sight path may be some trees but I
>> think
>> >> I can aim just over them and get a signal.  My friend Bruce/WA7BAM
>> will be
>> >> helping with the antenna installation on Wed afternoon.  Making
>> progress...
>> >>
>> >>
>> >>
>> >> *Phil Cornell  *
>> >>
>> >> *W7PLC *
>> >>
>> >> *SHARES NCS590*
>> >>
>> >> *Hybrid Gateway W7PLC*
>> >>
>> >> *TCARES  VP*
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> PSDR mailing list
>> >> PSDR at hamwan.org
>> >> http://mail.hamwan.net/mailman/listinfo/psdr
>> >>
>> >> _______________________________________________
>> >> PSDR mailing list
>> >> PSDR at hamwan.org
>> >> http://mail.hamwan.net/mailman/listinfo/psdr
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >>
>> >> *-Scott*
>> >> _______________________________________________
>> >> PSDR mailing list
>> >> PSDR at hamwan.org
>> >> http://mail.hamwan.net/mailman/listinfo/psdr
>> >>
>> >
>> >
>> >
>> > _______________________________________________
>> > PSDR mailing list
>> > PSDR at hamwan.org
>> > http://mail.hamwan.net/mailman/listinfo/psdr
>> >
>> _______________________________________________
>> PSDR mailing list
>> PSDR at hamwan.org
>> http://mail.hamwan.net/mailman/listinfo/psdr
>>
>
>
> --
> *-Scott*
> _______________________________________________
> PSDR mailing list
> PSDR at hamwan.org
> http://mail.hamwan.net/mailman/listinfo/psdr
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20210316/8ab5e6c0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SpyingOnWINLINKV2.pdf
Type: application/pdf
Size: 4314219 bytes
Desc: not available
URL: <http://mail.hamwan.net/pipermail/psdr/attachments/20210316/8ab5e6c0/attachment.pdf>