[ircd-ratbox] Request For Feature: IRCS (IRC-over-SSL)

Ralf S. Engelschall rse at engelschall.com
Tue May 17 09:34:29 EDT 2005


On Tue, May 17, 2005, Lee H wrote:

> [...]
> I think most people are misguided about just what SSL offers.  If you need
> conversations to be secure, then there are two main choices.  Either you're
> on a public network, or you're on a private network.
>
> A public network is not secure and it never will be, because the server
> itself can perform MITM attacks.  If it's a private network, access control
> isn't a problem, because you need to be restricting who can connect anyway.
> [...]

What if you're running a private stand-alone IRC server on a public
network as we do?

> [...]
> Personally, I don't see any real benefits to it.  The illusion that IRC can
> ever be secure is just that, an illusion.

Fully agreed. For full security nobody ever should consider IRC. But
just because full security is not possible on IRC shouldn't have to mean
no security is considered at all, shouldn't it?

IMHO sending authentication credentials in plaintext over a public
network is (from a security point of view) equal to not requiring any
authentication credentials at all.

Or to be somewhat heretic on this topic: IRCd-Ratbox is mainly for large
public networks, its companion Ratbox Services is for IRCd-Ratbox
(only), Ratbox Services provides UserServ, and UserServ provides no way
to allow the authentication passwords to be transmitted not in plaintext
over a large public network. So, why UserServ at all? ;-)

I at least would like to see a way (something perhaps like CRAM-MD5 or
the RSA challenge/response feature, etc) to send UserServ authentication
credentials not in plaintext over the public network. SSL/TLS I prefer
here not because I'm biased on OpenSSL, but mainly because it is one
option which is out-of-the-box supported by most IRC clients and fully
transparent in use while the other special authentication methods require
client-side addon tools (for calculating the response first).

                                       Ralf S. Engelschall
                                       rse at engelschall.com
                                       www.engelschall.com
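
The challenge/response option named in the message, as an added example that is not part of the original e-mail and is not UserServ or ircd-ratbox code: a CRAM-MD5 style exchange (RFC 2195) showing what crosses the wire and why a captured response is useless against a fresh challenge. The account, hostname, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

HOST = "services.example.net"            # constructed hostname
ACCOUNTS = {"alice": b"correct horse"}   # constructed account; the server must hold the shared secret


class Server:
    def __init__(self):
        self.pending = {}                # connection id -> outstanding challenge

    def challenge(self, conn):
        # RFC 2195 style challenge: random part, timestamp, host; unique per attempt.
        chal = "<%s.%d@%s>" % (secrets.token_hex(8), int(time.time()), HOST)
        self.pending[conn] = chal.encode()
        return self.pending[conn]

    def verify(self, conn, wire):
        chal = self.pending.pop(conn, None)   # single use: a challenge is never accepted twice
        if chal is None:
            return False
        user, _, digest = wire.decode("ascii", "replace").rpartition(" ")
        secret = ACCOUNTS.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, chal, hashlib.md5).hexdigest()
        return hmac.compare_digest(expected.encode(), digest.encode())


def client_response(user, password, chal):
    # This is the step that needs client-side support: HMAC-MD5 keyed with the password.
    digest = hmac.new(password, chal, hashlib.md5).hexdigest()
    return ("%s %s" % (user, digest)).encode()


def demo():
    srv = Server()
    wire = client_response("alice", b"correct horse", srv.challenge("conn1"))
    accepted = srv.verify("conn1", wire)
    srv.challenge("conn2")                    # new connection gets a fresh challenge
    replay_accepted = srv.verify("conn2", wire)
    password_on_wire = b"correct horse" in wire
    return accepted, replay_accepted, password_on_wire


if __name__ == "__main__":
    print(demo())
```

Unlike SSL/TLS, this protects only the credential exchange; everything sent after authentication still travels in plaintext.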


