Secure IRC? 130
priikone writes: "IRC has had a lot of problems related to security and network scalability in the past, and recently as well. However, there is an alternative -- a secure alternative to IRC; the Secure Internet Live Conferencing (SILC), which has all the same features IRC has, with the addition of superior security, and hopefully more scalable and powerful network topology. It is for all those who care who's listening. It works, and is of course all Open Source." We posted an article about another secure IRC system last year.
Great! (Score:3, Interesting)
We were just talking about setting up something like this for our private core developer meetings. Nothing that secret happens there, but we had a small problem a few weeks ago. We had someone hijack someone else's connection. We are still trying to figure out what and how it happened.
Using encryption will prevent this. Not only sniffing, but connection hijacking. (At least I would think :)
I think a secure IRC network is needed and has been needed for a long time. Too many people trying to pretend they're someone else. If you know their key fingerprint, you can compare them.
Time to download it and give it a try :)
Re:IRC doesn't need security.. (Score:3, Interesting)
The IRC protocol is a badly designed protocol. Permitting DCC connections is a security risk to your computer or network, because DCC is even stupider than active ftp.
It *is* broken and *should* be fixed.
Re:IRC can be fixed easily. (Score:3, Interesting)
The only issue I can see, is how would DCC Chat establish a connection then? If you make it depend on the server, then you could still trivially get the IP address by faking a DCC initiation. I guess the server would have to stand in the middle and only hand out the IP to each end after each end agreed to the communication. Major change in the protocol.
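The server-in-the-middle handshake proposed in the comment above, as an added sketch that is not part of the original thread and not code from any IRC server: a hypothetical `DccBroker` hands out an address only after the target has accepted the offer. All class, method and nick names are assumptions, and the addresses are constructed documentation-range values.

```python
"""Added sketch: server-brokered DCC consent (hypothetical, not real IRC)."""


class BrokerError(Exception):
    """The handshake state does not allow the requested action."""


class DccBroker:
    """The first argument of every method is the nick the server has already
    authenticated for the calling connection (an assumption of this sketch)."""

    def __init__(self, addresses):
        self.addresses = dict(addresses)  # nick -> address seen by the server
        self.offers = {}                  # (initiator, target) -> state

    def offer(self, caller, target):
        """Record an offer; the notice sent to the target carries no address."""
        known = caller in self.addresses and target in self.addresses
        if caller == target or not known:
            raise BrokerError("bad offer")
        self.offers.setdefault((caller, target), "pending")
        return {"event": "dcc-offer", "from": caller, "to": target}

    def accept(self, caller, initiator):
        """Only the target of a pending offer can consent to it."""
        if self.offers.get((initiator, caller)) != "pending":
            raise BrokerError("no pending offer from that nick")
        self.offers[(initiator, caller)] = "accepted"

    def decline(self, caller, initiator):
        """Drop the offer; the initiator learns only that it was refused."""
        if self.offers.pop((initiator, caller), None) is None:
            raise BrokerError("no such offer")

    def peer_address(self, caller, peer):
        """Release the peer's address only once the offer has been accepted."""
        states = (self.offers.get((caller, peer)), self.offers.get((peer, caller)))
        if "accepted" not in states:
            raise BrokerError("no accepted offer between these nicks")
        return self.addresses[peer]


def demo():
    """Constructed sample: initiating alone must not reveal the target."""
    broker = DccBroker({"alice": "192.0.2.10", "bob": "198.51.100.7"})
    notice = broker.offer("bob", "alice")
    try:
        leaked = bool(broker.peer_address("bob", "alice"))
    except BrokerError:
        leaked = False
    broker.accept("alice", "bob")
    return notice, leaked, broker.peer_address("bob", "alice")
```

Once the target accepts, both ends still learn each other's address; the sketch only removes the case where starting an offer is enough to obtain it.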
IRC doesn't need security.. (Score:2, Interesting)
An improvement in the way the servers communicate, resulting in better stability and availability, would however be very welcome.. It's rather ridiculous that networks like openprojects are so incredibly unstable - and afaik that's not even due to attacks, but simply that people don't understand one basic rule: "If it's not broken, don't fix it!"
You're basically correct, but you have it reversed (Score:5, Interesting)
It's basically a network effect, much like that which allows MS to continue to produce relatively mediocre products. In other words, you won't use method XXX, because your friends won't be there. Your friends won't because you (and others) won't be there. Unless a substantial portion of the given social groups actually agrees to coordinate a movement, the entrenched users will stay and put up with the crap (to a point).
The bottom line is that IRC, in and of itself, has very little going for it as an open forum: it's harder to learn and use; it's laggy; its service is poor; it's insecure; and so on. Its continuing use owes largely to its users, not to the technology itself.
Public IRC should be extinct by all rights. That said, the fact that it is easy to set up a server, and free, means that it still has a role for private/commercial uses.
I'm sceptic (Score:5, Interesting)
I am not talking about the embarrassing mutilation of the English language, but the fact that you can tell from the wording that the person who wrote it is neither a cryptographer by profession nor someone who seems to have digested any significant amount of literature related to cryptography or security in general. If you've read a good deal of scientific papers on cryptography and related areas, perhaps digested a couple of books you can spot this quickly. People who understand cryptography express themselves quite differently. They strive to be precise and they are much more reluctant to call anything safe without at the same time either giving some measure of what they mean by "safe" or pointing out limiting factors. And God forbid: they'd never point their finger at a complex system and say that it was provably safe unless they could actually prove it.
I doubt you'll ever see any formal proof that SILC is secure.
I know most people would say "so what?". A lot of people would even say "well, you don't need a Ph.D to write a crypto app" -- and they would be right. You don't. However, you still have to know a bit about cryptography and a LOT about how you avoid basing conclusions on assumptions.
(Just ask Bruce Schneier if his book "Applied Cryptography" [counterpane.com] suddenly led to more quality crypto software being written. Tip: it didn't. It led to more inept people writing even more bad crypto software). But you do need to understand what you are doing to make any kind of valid statement about what one should expect.
In any case, my point is that it takes a certain kind of mindset to design and implement anything having to do with security. The aforementioned white paper was apparently written by someone who understands some of the mechanics involved, but who doesn't seem to have absorbed any of the intellectual discipline good cryptographers convey in their writings.
I was thinking about downloading the thing and possibly installing it, but if the white paper is that naive, what is the actual system going to be like? Probably not worth the bother from a security point of view, although one might actually learn other things from such a system (for instance their approach to message routing etc. I don't know, I never got that far once it became obvious to me that this was the wrong place to look for a *secure* system).
So why am I writing this? To slam SILC?
Definitively not.
I'm writing it because most people are too ignorant, or too arrogant about their ignorance, to realize that they probably wouldn't be able to tell a more secure system from a less secure system. Also, because I think it is important that people try to make an effort to understand what type of security something provides -- i.e. exactly what does the system prevent and what doesn't it prevent. I'd like people to *think* instead of choosing their security solutions the way most consumers choose toothpaste.