AlexMax » Sat Oct 14, 2017 5:36 pm

mifu wrote:
Sat Oct 14, 2017 3:33 am
Another concern that was raised actually when I was asking some people how they felt if we moved to Quakenet was the (alleged) lack of SSL connectivity.

That is correct. Quakenet has taken their time on implementing SSL support because they were not convinced of SSL's upsides specifically for IRC. The whole "relay" part of Internet Relay Chat kind of throws a few wrenches into the mix that don't exist in protocols like HTTPS.
  • Implementing SSL correctly for a distributed network is incredibly difficult and easy to get wrong. Freenode for years shared their private key between servers, which meant that when a single server on the network was compromised, the entire thing was rendered compromised and pointless. One of the networks I'm connected to right now offers SSL, but only over self-signed or expired certificates.
  • There is no protection against clicking past certificate warnings. Any certificate warning is a potential MITM, which means that there is no way to guarantee the security of...say...a channel that only allows users using SSL into it. A single user in that channel could ruin the whole thing.
  • Q (their NickServ bot) has support for a special challenge-response authentication protocol that does not transmit passwords in cleartext. Thus, they don't need SSL to protect NickServ passwords.
However, I understand where fans of SSL are coming from, as it is effective against passive network traffic sniffing - so your ISP or people on a public Wi-Fi hotspot have no idea what's going on in any of the channels you're in, and are likely not interested enough to do any sort of active compromise. I just think that putting the positives and negatives on the table is useful for when we return to the discussion.
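
Added example, not part of the post above and not Q's actual wire protocol: a generic HMAC-SHA256 challenge-response login that shows how a password can be proven without being sent in cleartext. The `Server` class, `derive_key`, `client_response` and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_key(username: str, password: str) -> bytes:
    # Assumed key derivation for this sketch. The server stores this key,
    # so it is password-equivalent and must be protected at rest.
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).digest()


def client_response(username: str, password: str, nonce: str) -> str:
    # Client proves knowledge of the password by keying an HMAC over the nonce.
    key = derive_key(username, password)
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, accounts: dict):
        self._keys = {u.lower(): derive_key(u, p) for u, p in accounts.items()}
        self._pending = {}  # username -> outstanding nonce

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)  # fresh and unpredictable per attempt
        self._pending[username.lower()] = nonce
        return nonce

    def verify(self, username: str, response: str) -> bool:
        user = username.lower()
        nonce = self._pending.pop(user, None)  # single use: defeats replay
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = Server({"alice": "correct horse"})  # constructed sample account
    wire = []  # everything a passive sniffer on the link would capture
    n1 = server.challenge("alice")
    r1 = client_response("alice", "correct horse", n1)
    wire += [n1, r1]
    accepted = server.verify("alice", r1)
    server.challenge("alice")  # new login attempt, new nonce
    replay_accepted = server.verify("alice", r1)  # sniffer replays old response
    password_on_wire = any("correct horse" in msg for msg in wire)
    return accepted, replay_accepted, password_on_wire
```

This covers only the login exchange; channel traffic on the same connection is still readable by a passive sniffer.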
