[KirinDave]

> Care to elaborate? It solves authentication for us and we are using it for 10+ years like this

If "we use plaintext passwords communicated to a faux user" is your idea of "solved" then we have very different standards.

> Let me check my current znc IRC session signon: Wed Jul 18 07:43:12

Congrats on being rich and lucky I guess? That's not a thing most folks can replicate at scale. I have had more than one IP address in the duration of writing this post.

[lossolo]

> If "we use plaintext passwords communicated to a faux user" is your idea of "solved" then we have very different standards.

plaintext? In our use case TLS usage is mandatory and passwords are not stored in plaintext. I think your knowledge about how IRC is used now is a little outdated.

> Congrats on being rich and lucky I guess? That's not a thing most folks can replicate at scale. I have had more than one IP address in the duration of writing this post.

VPN -> znc -> IRC

You don't need to be rich and lucky to replicate this. Signon time was from znc to irc, not from my home connection to irc.

[KirinDave]

> plaintext? TLS usage is mandatory and passwords are not stored in plaintext. I think your knowledge about how IRC is used now is a little outdated.

Actually I wondered if that might be the case so I checked TFM: https://freenode.net/kb/answer/registration

Plaintext negotiation is my complaint. I doubt we'd be discussing this if it was plaintext storage. Not even the most fanatical IRC proponent would be okay with that.

> TLS usage is mandatory and passwords are not stored in it plaintext. I think your knowledge about how IRC is used now is a little outdated.

> VPN -> znc -> IRC

Where is your znc hosted? How much does it cost? Are you paying for a VPN service (please no)?

Even having a decent in-home internet connection, a way to route traffic back into your network, and a raspberry pi to host it on is a tall order.

[tastroder]

> Actually I wondered if that might be the case so I checked TFM: https://freenode.net/kb/answer/registration

You can do all that over an encrypted connection [1] if you like. All this protocol nitpicking kind of ignores that IRC is a stack that is a) open to a multitude of clients and thus use cases (vs. all those fancy web-things that offer me either lockin and emojis or a lack of user base) and b) proven over decades. Yeah, it has it's inherited edge cases and downsides but this thread makes it seem like it's a stupid idea somebody came up with in 2 hours, which it is absolutely not.

[1] https://freenode.net/kb/answer/chat

[KirinDave]

It's not that it's stupid. It's that it's antiquated in a bad way. The network architecture of server networks is similarly ridiculous by modern standards.

[tastroder]

Yeah, sorry, I guess I just don't get this animosity towards a protocol that, to me, still has a bunch of upsides over other alternatives that actually have a userbase (again, userbase that's relevant to me). IRC and the associated ecosystem might be ancient but it feels like it adopts (slowly but surely) and puts me more in control than the weird commercial alternatives that crop up every few years. With the added bonus of still running after decades instead of going under and burrying my data (or putting workload on me).

The network architecture was ridiculous 20 years ago, it still works. That's one of those things where I feel like "cool, if it's really broken enough, write a new backend and maintain compatbility to my stuff. I'm a user and don't care about your architecture". I'll gladly admit that there's a non-trivial amount of nostalgia in that logic though. :)

[KirinDave]

You can run your own matrix servers and they address most of the issues you can find with IRC. It's true that for a short while Matrix had some privacy concerns, and I'm relieved that they're being answered within a reasonable timeframe.

IRC's network architecture only survives because people tolerate it. Even slightly animosity from the community brings it down hard every time.

I think what's valuable is the chatroom model, which is largely dead outside of Telegram (which is, I agree, unusable from a user privacy and control standpoint). Part of the reason I'm passionate about this is that I want the model to be robust and well-maintained. I am nostalgic for the model, but I view the underlying legacy implementation as an obstacle to the preservation of that model.

[lossolo]

> Actually I wondered if that might be the case so I checked TFM: https://freenode.net/kb/answer/registration Plaintext negotiation is my complaint. I doubt we'd be discussing this if it was plaintext storage. Not even the most fanatical IRC proponent would be okay with that.

We are running our own IRC servers and you can't connect without using TLS, I still don't know what's your issue is with the registration ? You would need to have access to the machines that are running IRC servers to use that information. It's like saying that none of the standard authentication over the internet (login + password to your bank, your slack account, google cloud etc) using encrypted connection is not secure because you are entering password in plaintext.

> Where is your znc hosted? How much does it cost? Are you paying for a VPN service (please no)?

It's hosted at one of the largest datacenters in Europe. We are not using cloud. Cost is low, very low, compared to Google cloud/AWS we are paying around 50x times less for our whole infrastructure. But we digress now from the main discussion.

> Are you paying for a VPN service (please no)?

We are running our own VPN servers on dedicated hardware.

[aidenn0]

I agree with you on persistent logs, but I authenticate with an SSL client certificate, not a password. This is supported by several networks. Also, what do you mean by "plaintext"? Good id services will store a hashed password and the irc connection can be over SSL. That's no more plaintext than any web service login.

[KirinDave]

The difference being that there are absolutely no better options. Everyone agrees the login form model is insufficient and that's why anyone who takes personal security seriously now introduces a lot of infrastructure around their logins.

But aside, it seems like not all networks support TLS logins?

As it stands, I have no IRC equivalent of a 2FA key. I present a plaintext token and hope that it's all handled properly and that I'm not a victim of a password reuse attack.

Any web based solution is light years ahead on this.

[tastroder]

> As it stands, I have no IRC equivalent of a 2FA key. I present a plaintext token and hope that it's all handled properly and that I'm not a victim of a password reuse attack. > Any web based solution is light years ahead on this.

That's also the case for 99% of authentication in the web context. 2FA adoption is on the rise but by no means the standard. If it was a thing users asked for, there's no protocol reason a nickserv service and clients couldn't adopt a 2FA flow, even without breaking backwards-compatibility.