[ircd-ratbox] Request For Feature: IRCS (IRC-over-SSL)
Paul-Andrew Joseph Miseiko
esoteric at teardrop.ca
Tue May 17 14:32:48 EDT 2005
The argument that an SSL IRC session will be forwarded through unencrypted
channels is the fault of the network configuration or the client you are
communicating with, and not the protocol or the IRC daemon. If a network
only permits SSL clients, and all server to server transit is secured
cryptographically then no clear text mediums exist to be viewed by third
parties. If the administrator of each hop in the IRC network can view my
messages... that is still a major improvement over clear text.
SSL, like SSH, has protection against man-in-the-middle attacks by storing
the public key locally. In the event that the key has changed it can be
regarded as a man-in-the-middle attack unless you have prior knowledge
that the public key really has changed. Also, SSH and SSL both suffer a
man-in-the-middle attack if the public key is not initially known.
Using SSL with IRC is not about securing data... it's about reducing
exposure.
--
.-------------------------------------.
( Biggest security gap -- an open mouth )
`-------------------------------------'
--
Paul-Andrew Joseph Miseiko
On Tue, 17 May 2005, Lee H wrote:
> On Tue, May 17, 2005 at 11:52:17AM -0400, Paul-Andrew Joseph Miseiko wrote:
>> Do you use telnet instead of SSH? If you truly believe what you wrote
>> below then I imagine you do... since SSH suffers the same fates that SSL
>> incurs on a public network.
>
> Let's use your analogy. To compare it with irc, when you want to ssh
> anywhere, you would first need to ssh to a public ssh server, run on a
> network you don't know, by someone you don't know, who is providing you
> with access for free. Then once you are logged into that machine, you
> can ssh out to where you need to go. Secure? Hardly.
>
> SSL makes no guarantees about how secure the data is once it reaches the end
> point. In normal cases, this is fine because the end point is actually
> where your data is going. This isn't the case in IRC, the server is going to
> forward your message on for you, possibly through multiple other servers.
>
> If you want your data to be secure, you would not be sending it in a form
> that's unencryptable to a public server whose security you cannot trust --
> you would be using *real* end-to-end communication.
>
> --
> - Lee H // anfl
> - I code, therefore I break things.
>
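The key-pinning behaviour Paul-Andrew describes (store the server's public key on first contact, treat a later change as a possible man-in-the-middle unless the rotation is known), as an added example that is not part of the thread or of ircd-ratbox. The host name and key byte strings are constructed placeholders.

```python
# Trust-on-first-use (TOFU) key pinning, the SSH known_hosts model applied to
# an SSL IRC client.  Added example, not ircd-ratbox code; the key bytes in
# demo() are constructed placeholders.  Pins are kept in memory here only.
import hashlib


class KeyChanged(Exception):
    """The host presented a key that differs from the pinned one."""


def fingerprint(public_key_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded public key or certificate."""
    return hashlib.sha256(public_key_der).hexdigest()


class TofuStore:
    def __init__(self):
        self.pins = {}  # "host:port" -> fingerprint

    def check(self, host: str, port: int, public_key_der: bytes) -> str:
        """'pinned' on first contact, 'ok' on a match, KeyChanged otherwise.
        First contact is the blind spot both writers note: with nothing to
        compare against, an interposed key is pinned like the genuine one."""
        name = f"{host}:{port}"
        fp = fingerprint(public_key_der)
        pinned = self.pins.get(name)
        if pinned is None:
            self.pins[name] = fp
            return "pinned"
        if pinned != fp:
            raise KeyChanged(f"{name}: pinned {pinned[:16]}, got {fp[:16]}")
        return "ok"

    def accept_change(self, host: str, port: int, public_key_der: bytes):
        """Replace a pin only after confirming the rotation out of band."""
        self.pins[f"{host}:{port}"] = fingerprint(public_key_der)


def demo() -> list:
    """Constructed run: genuine key pinned, later substitution rejected."""
    store = TofuStore()
    genuine, substituted = b"GENUINE-KEY-DER", b"SUBSTITUTED-KEY-DER"
    out = [store.check("irc.example.net", 6697, genuine),
           store.check("irc.example.net", 6697, genuine)]
    try:
        store.check("irc.example.net", 6697, substituted)
        out.append("undetected")
    except KeyChanged:
        out.append("rejected")
    return out  # ['pinned', 'ok', 'rejected']
```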