View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006314 | unreal | ircd | public | 2023-07-17 05:33 | 2023-07-23 19:33 |
Reporter | Assigned To |
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | new | Resolution | open |
Summary | 0006314: Support passing cert fingerprints via a WebIRC Gateway |
Description | The WebIRC protocol allows the gateway to send the certificate fingerprint hash to the IRCd so the user can log in. If implemented, oper blocks should NOT be allowed to oper up when using a WebIRC gateway. It would also be recommended to hide the certfp output on WHOIS, which appears to be a supported option already. |
Tags | No tags attached. |
3rd party modules | |

Hiding fingerprints is just security by obscurity. We are talking about public certificates / public fingerprints here, they are never meant to be secret. As I told you on IRC, in TLSv1.2 and earlier they even travel unencrypted over the wire.

More to the point, do you have an actual use case for this? I have only heard theoretical ones (I know of exactly 1), but for like webchats this feature makes no sense: think about it, the user connects with a browser to a certain machine, which then uses WEBIRC to communicate to UnrealIRCd. Where does the user provide his certificate? Not via their browser, I can tell you that, nobody does that.

And for other software, like long-standing connections like from a BNC, it is just like IRCCloud, they don't use WEBIRC at all, they are just long-standing / persistent connections.