Stunnel setup with Usenet Explorer
Posted: Fri Dec 01, 2006 1:35 am
by Blurr
Hello!!! I am in the process of trying to set up Stunnel via the instructions from my usenet provider. I've been able to change the settings so far without a problem except for
"Change the server address in the client settings to '127.0.0.1' or 'localhost'"
I feel like a bit of an idiot here, but I have been unable to find exactly where I make that change. I double clicked on my server to bring up the "properties" window, but didn't see anything where I could make this change. Any help would be greatly appreciated. ERH
Posted: Fri Dec 01, 2006 4:44 am
by Blurr
Never mind...
Figured it out...
Posted: Fri Dec 01, 2006 7:54 am
by netfan
Hi Blurr,
but I do mind....
Please, don't let me die stupid. I would like to know how you set up this setting.
I also would like to know to which usenet provider you have subscribed. There are not so many out there who use a different port for tunnelling.
Thanks for getting back - hopefully!
netfan
Posted: Fri Dec 01, 2006 12:34 pm
by alex
configuring stunnel to do insecure ssl is easy, but to do it properly and to have communication truly encrypted you also need to configure certificate validation; to do that in part you need to download the root certificate of the certificate authority from which the news server bought its certificate. to my knowledge only outlook express does it properly, other custom implementations are not correct, thus a man-in-the-middle attack is a possibility (e.g. your isp or your network admin can pose as your news server).
if it is not done properly maybe it doesn't make sense to use ssl at all since there is a price in bandwidth overhead and in processor usage while establishing connections.
Posted: Sat Dec 09, 2006 6:19 am
by Blurr
Hey netfan!!! Sorry about the delay getting back to you. I was away...
I use Giganews. I followed the instructions for my particular service:
Stunnel setup (Windows)
1) Download the latest Windows Binaries from
www.stunnel.org/download/binaries.html and install the program.
2) After installing, go to "Start>Programs>Stunnel>Install Service". You should receive confirmation that the service is installed.
3) Next, go to "Start>Programs>Stunnel>Edit stunnel.conf"
Stunnel.conf is a plaintext file with all of Stunnel's options.
Make these changes:
- Find the line ";client = yes" and remove the semicolon (;). A semicolon at the start of a line causes it to be ignored, which you want to override.
- Add the following lines to the bottom of the file:
[nntp]
accept = 119
connect = news.giganews.com:563
The service name in [brackets] can be anything.
The "accept =" field is the port your Usenet client connects to, generally 119.
The "connect =" field is the IP/domain and port of the secure server you are forwarding traffic to. Depending on your location, you may want to use news-europe.giganews.com instead.
4) Save these changes and close stunnel.conf.
5) Go to "Start>Programs>Stunnel>Service Start" or "Run Stunnel". The program's icon should appear in the taskbar.
News Client Setup
These steps are not particular to any news client and should be simple changes in most clients.
1) Change the server address in the client settings to "127.0.0.1" or "localhost".
2) Make sure the client is set to connect to the same port used in the "accept =" field in stunnel.conf. This will almost always be port 119.
3) Save these changes. Test settings by updating headers or downloading an article. When you hover your mouse over the Stunnel icon, it should display "x session(s) active" where x is the number of connections you have configured in your client.
The news client is now connecting to Stunnel on your local machine, which Stunnel detects and forwards to our secure server. There may be a detectable, but slight, decline in speed when using Stunnel.
Under the news client setup, when you click to setup a new server, enter the IP address instead of the "www" address. You would type 127.0.0.1 instead of
www.giganews.com or whatever news service you use. Hope this helps...
Posted: Tue Dec 12, 2006 7:19 am
by netfan
Thanks a lot for such a nice "how to".
netfan
Posted: Sat Dec 16, 2006 11:09 pm
by alex
but in that setup there is no certificate verification, so strictly speaking the connection is not secure.
a certificate is a file which allows the server to verify that the other side is genuine and e.g. someone is not posing as the server while in fact it sits in the middle.
a server buys a certificate from a certificate authority, it is like a company which is trusted, also it is a very good business since to generate a certificate costs nothing, i can prepare all necessary software in a matter of a week and generate certificates on a 100MHz pentium I, i remember the president of thawte (it is one of such companies) paid $20M for a trip to the space station. the main trick is to get microsoft to put your root certificate into the internet explorer root certificate depository.
internet explorer has all those root certificates somewhere in options, but if you use stunnel you need to download the root certificate at the relevant certificate authority site or to export it from internet explorer, i think there is an option there.
but in short if you want connection secure given the low probability someone is spying on you (e.g. in nntp userid/password go as open text and they didn't have any problem with it), for connection to be secure you need to configure those things, in formal terms without certificate checks the connection is not secure.
maybe i'll add ssl into the program after i finish with the non-related mess in a few weeks, in internet explorer root certificates are installed with the program, with newsreaders there are only rude implementations which don't do it at all, probably i would add a warning with the link to the certificate authority site (it is in the certificate which is bought by news providers, so just show certificate fields), then it will be up to user to download the root certificate (it is just a small file) and put it into the certificate directory.
checking certificates though also takes processor time, so there will be even more impact on performance if to add that.
in the meantime i'm interested whether one feels a significant performance impact from someone who used it, also in practical terms how much slower downloads are (if you download some big file with or without stunnel the time to download through an ssl connection even if the server saturates the connection will be different since ssl has overhead as to the bandwidth, it is in addition to the processor time overhead).
as i mentioned there is a very simple way to make connections secure without any overhead using the news server control panel to share the key but there was no precedent a news provider would change the protocol, all changes like yEnc or nzb were not related to news server side which is ultra conservative, i remember only newsfeeds had or has something custom probably to optimize for performance (maybe i should try talk to them but they are not responsive as well).
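Two alternative stunnel.conf contents, added here as an example and not taken from the thread or from Giganews: the first is what the provider instructions above produce, the second adds the certificate verification alex is describing. The CA bundle path is a placeholder, and the checkHost option exists only in stunnel 5.x and later, not in the 4.x builds current when this thread was written.

```ini
; ===== Variant 1: as produced by the provider instructions =====
; The hop from 127.0.0.1:119 to port 563 is encrypted, but with no "verify"
; option stunnel accepts ANY certificate the far end presents, so a party
; between you and the news server can terminate the TLS session itself and
; read the NNTP login and traffic (the man-in-the-middle case alex mentions).
client = yes

[nntp]
accept = 119
connect = news.giganews.com:563

; ===== Variant 2: same tunnel with certificate verification =====
; verify = 2  : require a peer certificate and check that it chains to a
;               CA root listed in CAfile (the root certificate alex describes
;               downloading from the certificate authority)
; CAfile      : placeholder path; put the downloaded CA root(s) here
; accept      : binding to 127.0.0.1 keeps other hosts on the LAN from using
;               the plaintext side of the tunnel
; checkHost   : (stunnel 5.x+) also require that the certificate was issued
;               for this hostname; without it, a certificate from any CA in
;               CAfile for any other hostname would still be accepted
client = yes
verify = 2
CAfile = C:\stunnel\ca-root-placeholder.pem

[nntp]
accept = 127.0.0.1:119
connect = news.giganews.com:563
checkHost = news.giganews.com
```

A failed verification shows up in the stunnel log as a rejected connection rather than as a news client error, so check the log first when the client stops connecting after enabling verify.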
Posted: Sat Dec 30, 2006 12:44 am
by coolhands7
I've been using SSL (Stunnel) with UE with a high speed connection to download large files for the past week or so. I haven't "noticed" any significant performance impact, although I'm not positive. Would there be any accurate way of checking this? I use SSL with Giganews so my ISP does not lower my bandwidth cap (currently average saturation around 725KB/s (is this with a 5Mbps connection?)) after I reach my 100 Gigs/Month Cap. Does anyone have any estimate as to what percentage of CPU usage SSL uses, in addition to the bandwidth?
Posted: Sun Dec 31, 2006 5:15 am
by alex
heavy rains here, i had only a sporadic connection and couldn't answer right away.
if you download through stunnel or without stunnel does UE show the same bandwidth or the value is different?
if the connection is saturated in both cases the difference in the UE bandwidth meter would give the losses due to SSL overhead, in short the amount of data which is fed into stunnel will be more than UE will get so UE should show a slower speed.
if it is difficult to verify the connection is saturated (the speed of incoming data is the same) maybe to use some kind of netlimiter to limit bandwidth fed into stunnel and when not using SSL to limit the bandwidth fed into ue without stunnel to the same value.
Posted: Fri Jan 26, 2007 1:59 am
by dengle
alex wrote:
maybe i'll add ssl into the program after i finish with the non-related mess in a few weeks, in internet explorer root certificates are installed with the program, with newsreaders there are only rude implementations which don't do it at all, probably i would add a warning with the link to the certificate authority site (it is in the certificate which is bought by news providers, so just show certificate fields), then it will be up to user to download the root certificate (it is just a small file) and put it into the certificate directory.
checking certificates though also takes processor time, so there will be even more impact on performance if to add that.
A possible option for this is:
Have two subsets of servers: one secure and one unsecure. In the right-click context menu the user can choose either Secure download and save or unsecure download and save. Just a thought.
Posted: Sun Apr 29, 2007 8:52 pm
by stevendm
Are you still considering adding SSL encryption to UE? I hope you add it, as I would like to move up to SSL from SSH through secure-tunnel.
Thanks
Posted: Mon Apr 30, 2007 10:53 am
by alex
as some more decent providers added ssl, it is now higher in the list of priorities.
i'm not sure though it will come first i'm checking now some potential features, if they prove to take too long i may choose to add ssl soon.
you can also use stunnel, to use it is straightforward (same as ssh? - the ssh tunnel program is listening like stunnel) and shouldn't bear a performance impact compared to the built-in solution, essentially implementing ssl means only compiling the same code as stunnel uses (openssl package) with the program, so the "overhead" is pumping data through a socket connection but it shouldn't bring any noticeable overhead.
Posted: Tue May 01, 2007 12:57 pm
by bushsolo
Kudos to Blurr for the walkthrough.
Native SSL would be appreciated
Still downloading at 64Mb even with SSL on, am running on an old AMD 4400 X2 CPU with 1Gb RAM. SSL does not seem to be slowing things down for me at all...
Posted: Tue May 01, 2007 2:17 pm
by alex
ok maybe i'll add it, anyway there should be another small release soon, i could include it there.
Posted: Wed May 02, 2007 8:35 am
by alex
i tested some rudimentary code here, only about 10 lines of code - mostly calls to openssl library - does all what we need - it connects ok and reads the server welcome message.
the executable though is 30% larger - from 1M to about 1.3M at least because of employing the library.