View Issue Details

IDProjectCategoryView StatusLast Update
0005041unrealircdpublic2017-12-26 17:08
ReporterHeXiLeDAssigned Tosyzop 
PriorityhighSeverityfeatureReproducibilityalways
Status closedResolutionwon't fix 
PlatformLinuxOSAny:OS VersionLatest stable
Product Version4.0.17 
Target VersionFixed in Version 
Summary0005041: WebIrc pseudo secure implementation
DescriptionWebIrc secure implementations and it's fails
https://forums.unrealircd.org/viewtopic.php?f=46&t=8776
Steps To ReproduceRun every other webirc client that is able to to execute and run itself without loading it's own secure certificates and have it running on http:// while sending the pseudo : secure string to bypass
this new implementation and still access SSL login and channels.

Run qwebirc (or similar) loading it's own secure certificates running on https:// by default and connecting to a secure ssl/tls port on unrealircd and although it can connect on ssl/tls ports on
unrealircd, it cannot join ssl channels (while being fully and realistically secured)

The current unrealircd implementation breaks proper usage and setup of secure webirc login with clients that are executed and served on https:// by default.

Sending 7 or so characters to the ircd (:secure) to deceive it is not security.
Additional InformationProposed solution is quite simple for people fully and realistically interested in security by default.

Have the ircd by default (hardcoded) banning any client who does not run on https:// by default

This is how it should be done and how I have my setup in the config and not by using strings that can be spoofed, forged or faked to trick the ircd to think that the client is actually secure.

On my network clients that have security bugs, holes, exploits, do not support secure features, share their info with third party entities are not able to connect and are banned and i have been doing
it for over a decade because security matters first.

I know it annoys people.
Tagschannel, CHMODE, qwebirc, secure, security, webirc
3rd party modules

Activities

syzop

2017-12-26 17:04

administrator   ~0020003

Last edited: 2017-12-26 17:05

View 2 revisions

"Have the ircd by default (hardcoded) banning any client who does not run on https:// by default"

This is not possible. The IRCd cannot know how the client connected on the WEBIRC. That is why the whole "secure" thing was invented.

Anyway, I'm not going to do the entire forums discussion here again.

We are not going to maintain some kind of IRC client blacklist. Not to mention that this is a flawed method. You say on your network you ban clients for security reasons, well, good for you. If you want this, do this.
But we are not going to do that. We just give you the (albeit flawed) option to do it via ban version and such.

syzop

2017-12-26 17:08

administrator   ~0020004

Closing, as this won't be done. And the rest is touched in the forum thread and ircv3 discussion already.

Issue History

Date Modified Username Field Change
2017-12-26 16:17 HeXiLeD New Issue
2017-12-26 16:17 HeXiLeD Tag Attached: channel
2017-12-26 16:17 HeXiLeD Tag Attached: CHMODE
2017-12-26 16:17 HeXiLeD Tag Attached: security
2017-12-26 16:17 HeXiLeD Tag Attached: qwebirc
2017-12-26 16:17 HeXiLeD Tag Attached: secure
2017-12-26 16:17 HeXiLeD Tag Attached: webirc
2017-12-26 17:04 syzop Note Added: 0020003
2017-12-26 17:05 syzop Note Edited: 0020003 View Revisions
2017-12-26 17:08 syzop Assigned To => syzop
2017-12-26 17:08 syzop Status new => closed
2017-12-26 17:08 syzop Resolution open => won't fix
2017-12-26 17:08 syzop Note Added: 0020004