View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005041 | unreal | ircd | public | 2017-12-26 16:17 | 2017-12-26 17:08 |
| Reporter | HeXiLeD | Assigned To | syzop | ||
| Priority | high | Severity | feature | Reproducibility | always |
| Status | closed | Resolution | wont fix | ||
| Platform | Linux | OS | Any: | OS Version | Latest stable |
| Product Version | 4.0.17 | ||||
| Summary | 0005041: WebIrc pseudo secure implementation | ||||
| Description | WebIrc secure implementations and it's fails https://forums.unrealircd.org/viewtopic.php?f=46&t=8776 | ||||
| Steps To Reproduce | Run every other webirc client that is able to to execute and run itself without loading it's own secure certificates and have it running on http:// while sending the pseudo : secure string to bypass this new implementation and still access SSL login and channels. Run qwebirc (or similar) loading it's own secure certificates running on https:// by default and connecting to a secure ssl/tls port on unrealircd and although it can connect on ssl/tls ports on unrealircd, it cannot join ssl channels (while being fully and realistically secured) The current unrealircd implementation breaks proper usage and setup of secure webirc login with clients that are executed and served on https:// by default. Sending 7 or so characters to the ircd (:secure) to deceive it is not security. | ||||
| Additional Information | Proposed solution is quite simple for people fully and realistically interested in security by default. Have the ircd by default (hardcoded) banning any client who does not run on https:// by default This is how it should be done and how I have my setup in the config and not by using strings that can be spoofed, forged or faked to trick the ircd to think that the client is actually secure. On my network clients that have security bugs, holes, exploits, do not support secure features, share their info with third party entities are not able to connect and are banned and i have been doing it for over a decade because security matters first. I know it annoys people. | ||||
| Tags | channel, CHMODE, qwebirc, secure, security, webirc | ||||
| 3rd party modules | |||||
|
|
"Have the ircd by default (hardcoded) banning any client who does not run on https:// by default" This is not possible. The IRCd cannot know how the client connected on the WEBIRC. That is why the whole "secure" thing was invented. Anyway, I'm not going to do the entire forums discussion here again. We are not going to maintain some kind of IRC client blacklist. Not to mention that this is a flawed method. You say on your network you ban clients for security reasons, well, good for you. If you want this, do this. But we are not going to do that. We just give you the (albeit flawed) option to do it via ban version and such. |
|
|
Closing, as this won't be done. And the rest is touched in the forum thread and ircv3 discussion already. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-12-26 16:17 | HeXiLeD | New Issue | |
| 2017-12-26 16:17 | HeXiLeD | Tag Attached: channel | |
| 2017-12-26 16:17 | HeXiLeD | Tag Attached: CHMODE | |
| 2017-12-26 16:17 | HeXiLeD | Tag Attached: security | |
| 2017-12-26 16:17 | HeXiLeD | Tag Attached: qwebirc | |
| 2017-12-26 16:17 | HeXiLeD | Tag Attached: secure | |
| 2017-12-26 16:17 | HeXiLeD | Tag Attached: webirc | |
| 2017-12-26 17:04 | syzop | Note Added: 0020003 | |
| 2017-12-26 17:05 | syzop | Note Edited: 0020003 | |
| 2017-12-26 17:08 | syzop | Assigned To | => syzop |
| 2017-12-26 17:08 | syzop | Status | new => closed |
| 2017-12-26 17:08 | syzop | Resolution | open => wont fix |
| 2017-12-26 17:08 | syzop | Note Added: 0020004 |
