by blibble 4512 days ago
we believe it's better to not have it than to do it badly.

the other way to do it would be like freenode: do it quickly without understanding the risks... they used the same SSL cert for every ircd, then they got hacked, and with no PFS, all their past SSL'ed IRC is now effectively in the clear.

we are now actively working on the problem for server links, but ultimately believe that having ssl for client connections at this moment in time adds little value: https://www.quakenet.org/articles/99-trust-is-not-transitive...

4 comments

Since anyone can look over your shoulder and see your screen, and also anyone can torture you into giving up your passwords and log files, all encryption is worthless, and actually worse than no encryption at all since it gives you a false sense of security.

This is essentially the line of reasoning I'm seeing employed in this blog post.

SSL is valuable on IRC solely for letting you authorize with NickServ. If you are at a developer conference on the conference wifi, you would be foolish to connect to IRC sans-SSL and authorize with NickServ, especially if you owned any channels. If you blindly accept an unverified cert, that's your problem, but don't take SSL away from me because some people don't understand certificates.

I'm sorry, but said article has already been brought up multiple times in #dev and people are starting to understand how it doesn't hold water anymore.

I break into any discussion I see on IRC where someone posts a link to this article as an argument against SSL on IRC simply because it's not an argument against SSL.

Of course, it takes two to tango. We, the client authors, have started enhancing our SSL support and so should the network operators that host the servers on the larger networks.

Also, I think we agree on how Freenode stores the same certificate on every server is... not ideal...

There's still some value.

I'd love to be able to connect to a QuakeNet IRC server which is SSL/TLS protected to help guard against anyone sniffing on the local network, or along the route to the specific IRC server.

Yes, there are problems to solve. Clients need to validate the server's certificate properly. Users need to understand that whatever they send may still be logged by the network, other users on the channel, etc.

Saying that IRC doesn't need SSL is like saying that other IM applications such as Skype don't need it either. Anything which helps prevent eavesdropping should be done.

Does QuakeNet run services such as Freenode's ChanServ, NickServ, etc.?

At the very least, SSL helps protect a user's credentials when using such services.

Not the same as Freenode does, but QuakeNet does have services, yes.