Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Secure IRC?

michael posted more than 13 years ago | from the /join-#security dept.

News 130

priikone writes: "IRC has had a lot of problems related to security and network scalability in the past, and recently as well. However, there is an alternative -- secure alternative to IRC; the Secure Internet Live Conferencing (SILC), which has all the same features IRC has, with addition of superior security, and hopefully more scalable and powerful network topology. It is for all those who cares who's listening. It works, and is of course all Open Source." We posted an article about another secure IRC system last year.

cancel ×

130 comments

Sorry! There are no comments related to the filter you selected.

old 2600 article (1)

dsaljurator (40058) | more than 13 years ago | (#2109872)

I seem to recall an old 2600 that had an article about running a secure, non-public IRC server for friends or whatever. bascially, what it amounted to was a box running no public service except ssh, that people logged into. or it was a dual homed host that was attached to another network (non-internet) running ircd.

It obviously wasn't an open system, and you have to trust the people you are giving accounts to.

secure irc (1)

Loconut1389 (455297) | more than 13 years ago | (#2112032)

at one point I wrote a special irc client that used existing irc protocols but encrypted text using your key into a viewable ascii range so that it could be successfully passed over irc. no special mods, and of course the message was encrypted all the way through the network. so even though the underlying protocol wasnt secure. secure messages could be sent with a minor loss in performance due to extra characters as a result of the encryption scheme. clients who didn't know your key would see garbage. unencrypted messages would show up as normal. It was pretty cool, it worked for several years before I left irc. getting people to switch to a new protocol/network is difficult. people a) don't like change and b) are afraid to lose the connections they have on irc. So unless you convinced EFNet to shutdown its irc services and switch to SILC or something, nobody would want to take the risk and sit around on empty channels until everybody filtered over. I think a much better solution is like the one I had. Just use some extra functionality on clients without changing the RFC for IRC.

Re:secure irc (0)

Anonymous Coward | more than 13 years ago | (#2124835)

clients who didn't know your key would see garbage...Just use some extra functionality on clients without changing the RFC for IRC.

Microsoft tried this sort of thing with Cool Chat. Very easy to spot a CC user, as they would send CC commands into the channel along the lines of:

#346373 appears as lamer(Paraphrased)

Guess how quickly people using CC got banned?

Re:secure irc (1)

Loconut1389 (455297) | more than 13 years ago | (#2136179)

yeah thats the problem, people aren't responsible enough in general to reserve their encrypted chatter or other formatted chatter to a channel where everyone else is using that. i only used my protocol with friends in private messages or in private channels. not everybody is that nice

Not a bad idea (1)

the_ph0x` (170740) | more than 13 years ago | (#2113669)

Sounds like a good idea for the most part... I wouldn't think that the general public would be very interested in somthing like that, just sounds like a bit more of a hassle. However, this would be a great thing for large networks and Corp. intranets for real-time discussions or online classrooms yadda-yadda, the list can go on.

My point is for private group use sure - looks great... for public personal use for the masses... ehhhhh ill stick to my BX - if i want something secure I'll send a pgp encrypted e-mail.

.ph0x

IRC Clients can be relatively secure (2)

SCHecklerX (229973) | more than 13 years ago | (#2114362)

You could write public key encryption into the client itself, or easily script it in. Of course other folks in a channel would see only gibberish, but you could do it on a /msg by /msg basis by user as well.

I was actually thinking of implementing IKE in an XChat script awhile ago. It just wasn't worth the time for me to pursue, however.

Re:IRC Clients can be relatively secure (1)

zur (37151) | more than 13 years ago | (#2124670)

IDEA-encryption is actually already implemented on many clients: irssi [inside.org] , irchat [people.ssh.fi] and ircii too (can't find a link though). This is technically far more better than SSL-encryption to the server since it encrypts end-point to end-point.

This is not news: it will continue forever: (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2114363)

JERUSALEM (CNN) -- At least 19
people were killed, including five or
six infants, and scores injured in an
explosion at a busy pizzeria in
central Jerusalem on Thursday,
medical and police sources said.
The Palestinian group Islamic Jihad
claimed responsibility for the explosion
in a suicide bomb attack, which
authorities said injured 70 people, many
severely.

"The Jerusalem Brigades -- the military
wing of Islamic Jihad of Palestine --
declares its responsibility for the heroic
martyrdom operation in Jerusalem
today at about 12:00 noon. The
operation was carried out by Hussein
Omar Abu Naaseh, 23," a statement
faxed to Reuters news agency in Beirut
said.

A government spokesman said he had no doubt the blast, which injured more
than 70 people -- at least 13 seriously -- was a Palestinian attack and said the
Palestinian Authority would have to accept responsibility for it.
"We see (Palestinian Authority President Yasser)
Arafat and the Palestinian Authority responsible
for this terrible attack in Jerusalem today," Israeli
Cabinet minister Danni Naveh told CNN. "Arafat
is the one that gave the green light to Islamic
Jihad to commit such bombings. He has released
from jail terrorists with blood on their hands."
Naveh said that Israel would respond to the
blast, as they have in the past when attacks have
struck at Israeli civilians.
"Our only target is to prevent further terrible
attacks," he said. "We will do whatever we can
in order to stop terrorists from coming into our
towns."
The Palestinians, however, blame Israel for the
continuation of violence in the region, saying their policies provoke the
Palestinians, and that Palestinian officials cannot control the violence.
Israeli Prime Minister Ariel Sharon has said he will not negotiate with the
Palestinians until the violence ends; the Palestinians say the violence will not end
until there is a political solution to the long-standing Mideast conflict.
'Absolute shambles'
Thursday's blast rocked the Sbarro restaurant -- at the intersection of King
Georges Street and the Jaffa Road, a major artery going into central Jerusalem
-- during the busy lunch hour. At least 13 of the injured people were seriously
hurt, according to police and hospital authorities.
Television pictures from the scene
showed a a scene of devastation, panic
and confusion. A woman covered with
blood held a cloth to her face as she
stood in front of the restaurant. Other
injured people lay bleeding on the street;
others were led away screaming as the
severely injured were being loaded into
the back of ambulances and carried on
stretchers.
In the aftermath of the explosion,
ambulances, fire engines and police
vehicles converged on the area around
the pizzeria, cordoning off the streets.
The inside of the restaurant was destroyed, with broken plaster, fixtures, and
furniture.
"All the windows have been blown out, absolute shambles inside this
restaurant," CNN's Jerrold Kessel said from the scene.

That bombing led to a cease-fire between the Israelis and Palestinians, which
went into effect on June 13. But violence in the West Bank and Gaza has
continued virtually unabated regardless of the ceasefire.
-- CNN Jerusalem Bureau Chief Mike Hanna contributed to this report.

Re:This is not news: it will continue forever: (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2145240)

Yup, soon we'll see some rocket attack on a village or something. But I think Arafat has very little control over the extremists, just as the ordinary people of Israel have very little control about ending the war.

Great! (3, Interesting)

SnapperHead (178050) | more than 13 years ago | (#2116806)

We where just talking about setting up something like this for our private core developer mettings. Nothing that secret happens there, but be had a small problem a few weeks ago. We had someone hijack someone elses connection. We are still tring to figure out what and how it happened.

Using encryption will prevent this. Not only sniffing, but connection hijacking. (At least I would think :)

I think a secure IRC network is needed and has been needed for a long time. Too many people tring to pretent there someone else. If you know there key finger print, you can compiar them.

Time to download it and give it a try :)

Re:Great! (2)

SCHecklerX (229973) | more than 13 years ago | (#2136570)

So run your own IRC server on an IPSec network. Problem solved.

There already IS secure IRC (1)

BuBu_ (72690) | more than 13 years ago | (#2118660)

I currently have a pretty secure IRC setup, when I connect to IRC, I pass my connection through my NetBSD gateway, well as the IRC related packets are passed, they are sent through a program called "Stunnel" Stunnel provides SSL encyrted connections to IRC, thusly my connection/text is always pretty damn secure.

Re:There already IS secure IRC (1)

zhobson (22730) | more than 13 years ago | (#2152174)

I currently have a pretty secure IRC setup, when I connect to IRC, I pass my connection through my NetBSD gateway, well as the IRC related packets are passed, they are sent through a program called "Stunnel" Stunnel provides SSL encyrted connections to IRC, thusly my connection/text is always pretty damn secure.

Hee hee. Right, until it gets to the server and is sent (unencrypted) to everyoen on the channel. IRC will never be end-to-end secure unless we build some sort of PGP-style layer on top of it. Or we could just use SILC...

-zack

A bit misleading subject (2, Informative)

Anonymous Coward | more than 13 years ago | (#2119140)

Well, the subject (edited by Slashdot) is a bit misleading. SILC is NOT IRC and is NOT IRC compatible. SILC is independent protocol. I guess the subject was first "A Secure Alternative To IRC?".

You cannot secure IRC (1, Flamebait)

duffbeer703 (177751) | more than 13 years ago | (#2121003)

IRC is a denzien of hackers, pirates and kiddieporn scum.

Maybe you are one of the 500 people who actually chat on IRC, good for you. 90% of the traffic is warez and porn. These people could care less about security and prefer anonyminity for obvious reasons.

Sorry to burst the bubble.

Re:You cannot secure IRC (5, Insightful)

RedX (71326) | more than 13 years ago | (#2136103)

IRC is a denzien of hackers, pirates and kiddieporn scum.

Sounds just like just about every ignorant Internet critic, RIAA or MPAA member, government official when trying to justify DMCA or some other piece of legislature/censorship. Get a clue, troll. Just like every other area of the Internet, IRC does have its "hackers, pirates, and kiddieporn scum", but it also has a great array of technical resources and general chat areas. I don't know of many other places where I can drop in and get real-time support from peers when trying to chase down a network or OS problem. Hate to burst your bubble, but many people might think of IRC and Usenet to be the bottom of the Internet barrel, I find them to be two of the most useful technical resources I have at my disposal.

Re:You cannot secure IRC (2)

RevAaron (125240) | more than 13 years ago | (#2151698)

IRC is a denzien of hackers, pirates and kiddieporn scum.

Did you mean denizen? Denzien doesn't appear to be an english word. Assuming you did mean denizen, you still used it incorrectly- your sentence should be "IRC's denizens are hackers, pirates, and kiddieporn scum." Denizens are the things which inhabit, not that environment which is inhabited.

And yes, some people do actually chat on IRC. Over in #smokedot on Slashnet.

Re:You cannot secure IRC (0)

Anonymous Coward | more than 13 years ago | (#2152523)

Huh? Were you born without brains or did you just inhale too much industrial chemicals?

People trading porn and/or warez could/do actually care a great deal about both security and anonymity. And anonymity is closely related to security (privacy). Do you think mr. KiddiePornWarez cares not if anyone can see both data he's xferring and his contact (ip#) information???

SSL IRC Connections (3, Informative)

OpCode42 (253084) | more than 13 years ago | (#2121181)

I thought UnrealIRCD already had ssl connections, and XChat 1.6.4+ have an option to connect in ssl mode.

RTFF (0)

Anonymous Coward | more than 13 years ago | (#2136368)

Especially Question 2.3 [silcnet.org] . SILC goes waay beyond just "encrypted IRC".

i want my mtv (0)

cyraena (466578) | more than 13 years ago | (#2121182)

this is great and all.. but i doubt many hard core ircers are going to give up dalnet and efnet in order to be secure. is there any information i missed on how long that would take? the popularity of this program isnt going to be widespread until theres support for most of the major communities.

yes, script kiddiez are l4m3 and getting flooded or bomed or anything else from your favorite server is annoying, but its not bad enough to make me leave my 7 year home of #phreak

IRC (-1, Flamebait)

Anonymous Coward | more than 13 years ago | (#2121457)

IRC is for goat-fucking sons of gunts (fat cunts)

Re:IRC (1)

pope1 (40057) | more than 13 years ago | (#2151046)

..and thats why we have irc.darkaxis.com =)~

hmm... (-1, Troll)

Anonymous Coward | more than 13 years ago | (#2121459)

first post!

Finally! (0)

Raging Idiot (457985) | more than 13 years ago | (#2122668)

At last the script kiddies can curse and trade illegal software with eachother over a completely secure network. It's about damn time.

IRC can be fixed easily. (4, Insightful)

Lumpy (12016) | more than 13 years ago | (#2123195)

1. add an authenticate system like slashdot, but does not release any info - I.E. bubbles is your nick? well then you are bubbles and that is all that is released.

2. BLOCK ip address discovery. The Irc servers you are connected to dont have to tell everyone that you are at 192.168.1.1 and if you dont release what IP you are at then the script kiddies and other tripe cant attack.

IRC was a great idea, when people on the net had a maturity level higher than that of an 8 year old. Today we have to give up those niceiteies of yesteryear to give a nice big thump on the head of the idiots and morons.... but the coolest thing is that the above ideas would bring back registered nicks.

Re:IRC can be fixed easily. (3, Informative)

qwaszx (8209) | more than 13 years ago | (#2117196)

Those two points have already been implemented on IRC in some servers.

1) An authentication system exists in the form of nickserv (although optional, can be made to prevent other users from using your nick), and no other information would be released if the user does not provide it. The only information released would be the hostname/ip, which is solved by point 2...

2) I can't remember which ircd does it now (one of the dalnet/undernet ircd's?), but there is a hostname cloaking feature, which removes the last 2 parts of a persons ip, or the first part of their hostname, while leaving enough information to determine what ISP a person is using (useful for legitimate reasons, such as finding out what country a person is connecting from without needing to ask), it prevents script kiddies from obtaining enough information to DoS a user. However it is still possible (even with any ip address blocking) to determine a users address by using netstat on a shell. (This has been done an servers where public shell access is given on the same machine as the ircd)

The problems not solved by those two methods are firstly, no encrypted communications can be made.. anything sensitive could be sniffed, even over a DCC connection (the paranoid types, like me, who wave hi to echelon and its ilk during most sensitive 'private' irc chats). To solve this, client side scripts could be used to encrypt DCC communications, no new server needed.

The other problem is lag/netsplits. For some purposes (talking to a small group of friends), this could be solved by using a single-server 'network' (no netsplits) and no server to server lag.

Most of these solutions require setting up your own irc server, but this isnt too hard to do and is no less hassle than moving to a completely new, incompatible system.

Re:IRC can be fixed easily. (1)

grifferz (444301) | more than 13 years ago | (#2119738)

However it is still possible (even with any ip address blocking) to determine a users address by using netstat on a shell.

With some form of "hostmasking" scheme, this is only possible if you can get the person to open a direct connection to yourself (e.g. by getting them into a DCC CHAT/SEND situation). So that is a question of user education.

Hostmasking as a security method has other more serious problems which I would actually love to discuss (as I am trying to implement this in a non-sucky way) but I fear that for this thread that'd be off-topic. Chat to me if you care, you can find me here [blitzed.org] .

The other problem is lag/netsplits.

What many people seem to ignore is that multiple servers are there to solve Internet connectivity issues, not to make them worse -- the theory being that a set of servers housed in large organisations under professional hosting conditions are more reliable than the path between any two domestic internet users.

If your network of choice has servers that split off all the time then those servers should not be there and are likely being used as penis extension tools by people running them off their own @home cable modem (when their mom doesn't need to reboot into win98 to use Word).

Consider that if your chosen network has 5 servers and one dies, your users can go to another server and resume conversation with the same people. If your network has one server and that dies, well, you work it out. In short, reducing the network down to one good server is only the answer when the other servers are lame.

Re:IRC can be fixed easily. (1)

Jedi Alec (258881) | more than 13 years ago | (#2127364)

I.E. bubbles is your nick?

In that case, /me has a problem...my nick is IE.

Re:IRC can be fixed easily. (3, Interesting)

SCHecklerX (229973) | more than 13 years ago | (#2128438)

Being able to see other people's IP's is probably the biggest flaw of IRC. Makes fscking with that guy who just kicked you off your favorite channel that much easier.

The only issue I can see, is how would DCC Chat establish a connection then? If you make it depend on the server, then you could still trivially get the IP address by faking a DCC initiation. I guess the server would have to stand in the middle and only hand out the IP to each end after each end agreed to the communication. Major change in the protocol.

Re:IRC can be fixed easily. (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2113876)

You misspelled "fucking". HTH.

Yours, Typo Nazi.

Re:IRC can be fixed easily. (1, Informative)

Anonymous Coward | more than 13 years ago | (#2118083)

Nope, the way the DCC protocol works, you send a normal CTCP message to the user you want to connect to yourself. In that message you send the IP address and port you want the user to connect to. So the server still doesn't need to pass out address info, it's just as if you messaged somebody telling them your IP address yourself.

Re:IRC can be fixed easily. (1)

sshore (50665) | more than 13 years ago | (#2135897)

No change in protocol required. With the existing protocol, if A wants to dcc to B, it sends a ctcp dcc chat through the server containing an ip and a port to connect to. If B accepts, B's client connects to the ip and port that A provided. If B doesn't accept, no packet is sent and no address is revealed.

All you have to do is remember to turn DCC autoget off.

Re:IRC can be fixed easily. (1)

Suidae (162977) | more than 13 years ago | (#2136194)

If you set up a network so you had to log in, and you couldn't get other peoples IP's until they gave them to you, you know what you'd have?

AIM.

Only decentralized and open source. IRC is the original instant message client, the main problem is its annoying tendancy to give people your IP address. If it didn't do that it would work very well as the back end for an AIM workalike. Scalability and reliablity improvments would be nice, but not necessary.

that only fixes the little problems (1, Insightful)

Anonymous Coward | more than 13 years ago | (#2151424)

Most of the big problems with IRC are caused by users feuding over channels. However, nowadays they rarely attack each other directly. Instead, they load up their list of haXX0rd servers and proceed to flood the irc server or its upstream provider with a horrendous amount of traffic.

It doesn't matter how good your security is on the irc network itself. If someone is able to saturate your bandwidth there's not a whole lot you can do about it.

There are only two things you can really do. One, is to get the rest of the Internet more secure, and better able to track the initiators of such attacks. Good luck; people have been trying for years.

The second thing is to take away the adversarial nature of IRC. If users have no power over each other, then there is no incentive to attack the servers. Of course this means you either need a lot of oper intervention, or you don't have much choice over who can join in on your conversation.

The best solution probably lies with a combination of the two.

insecure? (0)

Anonymous Coward | more than 13 years ago | (#2124807)

About a month ago, you could bang about 512 A's into the silc TCP port and overflow it. Is this still the case?

All your Encryption are belong to us... (2)

BrookHarty (9119) | more than 13 years ago | (#2125515)

Nothing of mine is encrypted, What good is encyption when only 1 side uses it? I cant get my mother to use PGP and I have too many OS's to use an encrypted filesystem...

Just thinking about why you would want to encrypt your IRC session. Some jokes that could be taken as fact.

[bob] If you stopped hanging around schools, maybe you could get a date your own age! (-;

Bob must be a pedophile!

[bob] I need a copy of win95, anyone got cab3?

Bob must be a software pirate!

[bob] I just wrote a dvd player in perl using ac3dec and DeCSS! I can now watch my dvds on Athena OS!

Bob ends up in court for breaking the DMCA

[bob] Whoa, CmdrTaco just wants to DCC chat me!

Bob was hanging out in slashnet #PenguinLove again...

Re:All your Encryption are belong to us... (1)

grifferz (444301) | more than 13 years ago | (#2152306)

Hmm, but isn't this just a slight modification of the statement, "The only people who would ever want strong encryption are criminals!" ?

Re:All your Encryption are belong to us... (2)

BrookHarty (9119) | more than 13 years ago | (#2152300)

I watching a show with the wife on the women's network. (-; The show was about this mom who was accused of child pornography because there was a picture of her kid naked jumping on a bed, and a daughter touching a pregnant women's stomach. The judge (and the end of the tv movie) finally threw the case out, as no merit. But 1 person in power almost ruined the mothers life, took away her kids, and made her goto court to prove she was innocent. It was also based on a True Story(tm)...

We live in a society where your guilty till proven innocent. And anything you say, can and will be used against you... The Law enforcement agencies will come in, kill your family and friends before they have any proof of any crimes. An anonymous tip is all it takes for someone's life to be ruined, or ended... (I don't need to point out cases, there are hundreds or people each year that die at the hands of the police...)

Its not all conspiracy theories, its people who think they know what is the best for Joe Q. Public. We must down size government and let people live their lives without repercussions of the moral majority. Until then, we have to protect ourselves from the jack booted thugs. (Sorry to sound like a paraphrase...)

---
Stoop and you'll be stepped on; stand tall and you'll be shot at. - Carlos A. Urbizo

Re:All your Encryption are belong to us... (1)

BrookHarty (9119) | more than 13 years ago | (#2152282)

Humm, how come you re-read your post, after you submit, you find the spelling mistakes?
Posters Law (or something like that...)

ircii supports encryption. (0)

Anonymous Coward | more than 13 years ago | (#2128284)

Um, hallo ? Anybody who has played around with ircii properly will have noticed that it has built in support for encrypted channel/conversations activated by a key/password (client to client). Normal irc clients will just see the encrypted conversations as a bunch of garbage. It's entirely feasible for popular irc clients (mIRC, BitchX, xchat, etc) to incoporate encryption on a basic level without requiring corresponding support on the ircds.

The Correct Way to Deal With IRC Problems... (1)

szomb (318129) | more than 13 years ago | (#2128402)

Is AVS (adult verification system). :-)

Yeah, but not all IRC kids are packet kiddies. Then again...if I didn't discover IRC in my preteen years I might be alive today.

Different Protocol? (1)

CharlesV (22919) | more than 13 years ago | (#2128405)

The problem I see with this is that in order to be effective, it must be widely accepted as the de facto standard. A friend of mine on a small-ish network is actually working on an app that, when hooked into by a script-enabled client, allows for encrypted irc over normal protocol servers. Very cool, but could open a whole can of worms of security issues in itself.

I don't expect secure IRC (3, Funny)

wirefarm (18470) | more than 13 years ago | (#2128865)

And I don't expect pure water in gutters, either.
Yet both seem to serve a purpose, don't they?

Cheers,
Jim in Tokyo

IRC doesn't need security.. (2, Interesting)

ltning (143862) | more than 13 years ago | (#2129437)

This is ridicolous. If the reason for all this is the skript-kiddos thumping away at the big irc nets, then I say this is not the right means to deal with the problem. IRC doesn't need encryption and all that crap, except perhaps of DCC chats. It's a total waste of computing power. And it will make my IRC client obsolete :P Tunnel IRC connections through SSH if it's that goddamn important ;)

An improvement in the way the servers communicate, resulting in better stability and availability, would however be very welcome.. It's rather ridicolous that networks like openprojects are so incredibly unstable - and afaik that's not even due to attacks, but simply that people don't understand one basic rule: "If it's not broken, don't fix it!"
br

Re:IRC doesn't need security.. (1)

Loconut1389 (455297) | more than 13 years ago | (#2115190)

ssh tunneling will only help you encrypt between your client and the nearest server, but still goes over the unencrypted net.. the SILC website touches on that. it really depends on where the security threat is. but what's more likely, someone's going to be snooping at your office on the connection between the irc client and the ISP/backbone provider, or someone snooping on the big backbone between the irc servers.. not too likely on the latter. ssh wrapping would help by that token, but not totally. as for security on irc, irc is admittedly overpopulated with script kiddies, but there are a minority of people who use it for legitimate chatter and a small percentage more who would use it if they felt it was secure. I'd probably talk about my personal issues with my friends if i knew I had a secure channel. stuff I don't want just floating around to any ircop on a hackedup server. security is a legitimate concern. don't discount it so quickly.

Re:IRC doesn't need security.. (1)

Foss (248146) | more than 13 years ago | (#2117762)

I totally agree. The reason people need more and more security is the little script kiddie who happens to have a copy of netsphere or who's gotten his hands on some IRC utils. IRC bots could be the answer - bots that hunt script kiddies down and ban them. It'd cut down on all the research that goes into making IRC more secure too.

Re:IRC doesn't need security.. (5, Insightful)

krokodil (110356) | more than 13 years ago | (#2121007)

This is not a reason you need more security. Let me give you an
example: I hang on IRC to chat with friends. I usually sit there in
passive mode and if somebody wants to talk to me, they could. Kind of
instant messaging, but using more popular and accessible
media. Sometimes my colleagues from across the ocean stop by and want
to discuss some business related issues. Main problem is our
conversation (if it is not DCC, which in most case does not work
because of firewalls) could be observed by any IRC server
operator. There are dozen servers on network, some administrated by more
than one person. You could not assure integrity of all these people.

Proposed system will solve this problem, since all communication will
be encrypted using public keys of participants and channel keys. So
several people can chat on channel in confidence that nobody is
snooping their discussion.

Re:IRC doesn't need security.. (2, Informative)

oldave (160729) | more than 13 years ago | (#2125520)

You overlook the fact that server operators can join any channel - private or not.

Anytime you have a server-based protocol, you'll have people who will not be willing to change to a protocol they can't snoop on.

Major changes to IRC are going to be a hard sell. A very hard sell. And I just don't see it happening.

Re:IRC doesn't need security.. (1)

malfunct (120790) | more than 13 years ago | (#2152315)

The solution to the snooping problem is client based encryption. Not the silly replacement encryption that was popular not long ago, but real PGP or something. There is no reason that I can see that some sort of encryption algo couldn't be placed in a client and used.

Granted it will be as annoying as all hell to those people with out the special clients but the people with encryption will flock together just like the silly people with that comic chat heh :)

SILC doesn't help here + certificates anyone? (0)

Anonymous Coward | more than 13 years ago | (#2130496)

hi, afair from last time I looked at silc site, server is trusted by all users, i.e. operators are still able to read your stuff. there are other issues with silc, like if you wanna authenicate someone who wants to talk to you you need to know either their or their CA public key beforehands... evidently that doesn't help you anywhere... moreover anyone can still have multiple identities which is uhm, uavoidable?

Re:IRC doesn't need security.. (2)

SCHecklerX (229973) | more than 13 years ago | (#2136652)

So run your own server. Then again, your friends would be paranoid of you then, huh?

I got tired of everything that was going on on EFNet a couple of years ago, and have been running my own server for mountainbikers ever since. It's great! Full control, and only people with the same interests pop in.

I disabled ident lookups, so even when people are at work behind firewalls, they can still use my server.

Re:IRC doesn't need security.. (2)

krokodil (110356) | more than 13 years ago | (#2124359)

OK. Let us assume I am interested in mountain biking
and will hang on your server. But I also interested in motorcycling, so I hang on another one. Since I also
like Linux, should I also hang on Linux server? Running 3-4 IRC cliens under 'screen' may work but will be extrimely uncomfortable.

Re:IRC doesn't need security.. (1)

dewke (44893) | more than 13 years ago | (#2125018)

Not necessarily. There are several irc clients that allow you to attack windows to specific servers. I use BitchX and the /window server commands allows me to log into efnet with a window, while I idle ina channel on another. Each server has a window.

If you run windows you can always use something like xirc that has similar features.

dewke

Re:IRC doesn't need security.. (1)

nz (86669) | more than 13 years ago | (#2129899)

Decent IRC clients allow you to connect to several different servers at the same time. And yes there are decent textmode clients also like for example irssi [irssi.org] which seems to also have plugin for this SILC stuff.

Re:IRC doesn't need security.. (0)

Anonymous Coward | more than 13 years ago | (#2151357)

On SILC, server and SILC operators cannot join invite and private channels. On SILC they are normal users with just extra privileges to adminstrate their servers (plus some other privileges).

Re:IRC DOES need security.. (1)

rmarcano (473352) | more than 13 years ago | (#2123479)

To quote a comment from the article last year:
Friend of mine works at (large computer manufacturing company). They have a non-official irc channel, sort of an e-WaterCooler...
Anyway, internal MIS dept. found out about it and started sniffing the network, and logged EVERYTHING that was said in the channel over a three week period. Talk of stupid bosses, who was screwing who, drug taking at weekend parties, the works.
Upshot: 6 people fired, 3 more severely reprimanded.

So thats just one reason I can think for encripting IRC communications.Whats the problem with having an extra layer of security?

Re:IRC DOES need security.. (1)

enneff (135842) | more than 13 years ago | (#2120999)

Simple solution:

ssh to a box _outside_ work, and irc in. After that there's no way that a) they can sniff you, or b) they can prove that you're on irc ;)

Re:IRC doesn't need security.. (3, Interesting)

Webmonger (24302) | more than 13 years ago | (#2123687)

As discussed recently on bugtraq. . .

The IRC protocol is a badly designed protocol. Permitting DCC connections is a security risk to your computer or network, because DCC is even stupider than active ftp.

It *is* broken and *should* be fixed.

Re:IRC doesn't need security.. (1)

stesch (12896) | more than 13 years ago | (#2151031)

The IRC protocol is a badly designed protocol. Permitting DCC connections is a security risk to your computer or network, because DCC is even stupider than active ftp.

That's why I use SAFT instead.

SAFT/sendfile [belwue.de]

Dude, most of the internet is a "waste of time". (0)

Anonymous Coward | more than 13 years ago | (#2136250)

IRC doesn't need encryption and all that crap, except perhaps of DCC chats. It's a total waste of computing power.

The internet will continue to be used for nonessential purposes. Get over your smug judgements and self elevation. The thin air up there is making you loopy.

Newsflash! What YOU think is an important use of the net is worth its weight in cat shit.

An improvement in the way the servers communicate, resulting in better stability and availability, would however be very welcome.. It's rather ridicolous that networks like openprojects are so incredibly unstable

So:

(1) join the project and help make it more stable or
(2) don't use it and shut the fuck up.

Gawd, what a l0s3r.

It *is* broken, and needs to be fixed. (1)

Philipv1 (467269) | more than 13 years ago | (#2151048)

Perhaps you haven't tried to log on any IRC network lately. It's a frigge warzone with servers going down 5-10 times a *day* because some 10 year old lost ops in a channel. It was never meant to be abused and as such, is totally broken.

Re:It *is* broken, and needs to be fixed. (2, Insightful)

Vanders (110092) | more than 13 years ago | (#2136761)

Any IRC Network? I think you'll find it is only the larger networks such as Efnet, IRCNet, Dalnet, Undernet etc. that are currently under kiddie attacks. There are plenty of other networks out there that do not have any of these problems.

Most people who use IRC regularly will stick to a few channels 99% of the time. It isn't a huge task to move a channel onto a new network if everyone who uses the channel is aware of the move. Something as simple as placing the details in the topic is usually all that is needed. The channel I've used for the past three years has moved twice now, and even changed names once.

IRC as a protocol does has flaws when you scale it past a dozen servers or so, but that doesn't mean IRC is a wasteland. Smaller networks are better, generally, as they're run by admins and opers who give a damn.

Need Bilingual Clients (1)

B. Vhalros (468243) | more than 13 years ago | (#2134597)

If we want this, or some other form of secure-IRC style communication, it's going to require clients that can speak both protocols.

If the client can speak both (IRC and whatever Secure IRC), eventually a seamless transition becomes possible. Once the new clients have sufficiently diffused (say, if they came out now a year or two), servers could switch to the new protocol with out most of the users even noticing (Although it would probably be a good idea to show a little icon saying weather the connection is secure or not).

Any way, the advantages of a secure protocol are obvious, and here you have my thoughts on how to get it into use. Of course, this requires IRC clients to actaully implement the second protocol. What do the rest of you think of this idea?

Re:Need Bilingual Clients- no need better user ex. (1)

florkle (470151) | more than 13 years ago | (#2123237)

Bilingual clients would be confusing. But your idea does address the problem of transition or adoption, which is problematic for dozens of popular insecure programs or protocols or OS's vs. secure ones. Telnet is still widely used, so are insecure unices and many insecure windows machines aren't even patched. More people give lipservice to security than implement it, and there are often significant impediments to impementation even if the desire is there (i.e. management wants desktops usable by new employees w/o training or technical complexity is greater than technical ability of security conscious user). This product is just another in a long stream of products and services. People don't want security, as MS correctly estimated, they want features. Security isn't something you "have"- if it's secure it just does what the non-secure product does- and often worse- slower, more logins, expires, etc. Therefore to compete with IRC it would need a comprable feature base and or more features or equal or easier of use, i.e. it has to be a *better* user experience along with being secure.

We posted an article about another secure IRC syst (-1, Offtopic)

Anonymous Coward | more than 13 years ago | (#2136483)

My god, sometimes you look for previous articles!

Compiling for Mac OS X/Darwin? (1)

sjonke (457707) | more than 13 years ago | (#2136596)

Ok, I'm not that savvy on compiling Unix stuff. I downloaded it and ran ./configure but it says it can't determine the type of host. What do I need to enter as the host type to get it to compile in OS X?

software by design (0)

Anonymous Coward | more than 13 years ago | (#2136648)

It seems inevitable that old protocol's need some type of overhaul. IrcOp's grow tired of script kiddies security evaision and abusive users lack of respect for the privilage of use. It's one of the main things users seem to forget after all, Irc is not a right.
...
And then you have comercial programs that are available, which by design should give you a different sence of security .. ha! Take a look at one of the more well known ones, conferenceroom by webmaster. For only $4,2** dollars, they would be glad to sell you their top leval program, which by design does add various security, and a major security flaw, or excuse me, a back-door. All anyone with knowledge of your software key has to do is type" /oper your-soft-ware-keey webmaster " and they are given complete root access to your server. Passwords, services, agents, anything can be compromised from that point. And as an added bonus, the software does not send any notice, global or otherwise to the administrator or other operators alerting them to this. Nice huh ..?
---
posting anon sucks .. but when your remote and to hung-over to remember your password ...

The last of the wild nets (1)

Nihilanth (470467) | more than 13 years ago | (#2147223)

You know, for all of it's frustrations and hazards, i hope IRC persists in it's current form forever. It's the last real "lawless" corner of the web. I mentally relate it to the saloons of the old west, where a great story or a dangerous barfight are only moments away. Of course, it's being flooded with more and more luddites nowadays (think of the old west saloon being flooded with tourists from New York), but IRC to me represents a sort of living communal electronic nostalgia, one i'd hate to see phased out completely.

The question is... (1, Funny)

Nachtfalke (160) | more than 13 years ago | (#2151040)

...will it have pr0n and mp3?

Re:The question is... (1)

florkle (470151) | more than 13 years ago | (#2130797)

this comment was marked troll, but like everyone doesn't use the net for porn or mp3 or other file transfer? This is actually a pretty good index of whether people would want it. If it was secure, *and* it acted as an excellent file transfer client, it would be a pretty winning product.

Securing an open system would be hard (3, Insightful)

hardaker (32597) | more than 13 years ago | (#2151041)

In other words, trying to secure IRC would be difficult to do successfully. Most of the problems associated with IRC come from it's allowed annonymous access by many servers. IE, you don't need an account with a password to join. This gives annonymous access and hence can be nice if you have debatable things to say that you don't want others to see. However, it also allows for "flashing" DoS and other IRC related fun. The proper way to secure IRC against abuse would to be only allow servers that check authentication and make people accountable. It is possible to do this, however, without sacrificing annonimity if you trust the servers you're using (ie, they authenticate you for accountability purposes promising they won't give out who you are without a court order). This will likely not prove to be popular among people who want to be annonymous further than that (like Flashers, of course).

Like securing USENET. (0)

Anonymous Coward | more than 13 years ago | (#2117518)

USENET could benefit from a Slashdot style moderation system.

Re:Securing an open system would be hard (2)

Shoten (260439) | more than 13 years ago | (#2122882)

Hey pal? READ THE ARTICLE. READ ABOUT SILC.

From the FAQ on the SILC website...

Under "What is SILC?":
Biggest similarity between SILC and IRC is that they both provide conferencing services and that SILC has almost same commands as IRC. Other than that they are nothing alike.

Under "How much SILC Protocol is based on IRC?":
SILC is not based on IRC. The client superficially resembles IRC client but everything that happens under the hood is nothing alike IRC. SILC could *never* support IRC because the entire network toppology is different (hopefully more scalable and powerful). So no, SILC protocol (client or server) is not based on IRC. Instead, We've taken good things from IRC and left all the bad things behind and not even tried to burden the SILC with the IRCs problems that will burden IRC and future IRC projects till the end. SILC client resembles IRC client because it is easier for new users to start using SILC when they already know all the commands.

Re:Securing an open system would be hard (1)

DNS-and-BIND (461968) | more than 13 years ago | (#2130998)

That's got nothing whatsoever to do with this topic. We're talking about encrypting communications, and you're talking about stopping abuse. Score:4 indeed. Moderators don't read the articles either.

Re:Securing an open system would be hard (1)

krokodil (110356) | more than 13 years ago | (#2133166)

> it's allowed annonymous access by many servers.

IRC does not allow anonymous server connections!
You need to have C/N lines in server cfg to be allowed
to connect.

But allows anonymous cliens. Not completely anonymous -
most IRC servers try to use IDENT protocol
to check client identity, but this could be
easily faked.

Re:Ident (2)

Tridus (79566) | more than 13 years ago | (#2121259)

I don't understand why some networks still insist on getting an ident reply before letting you connect. I mean really, that just means I need to map a port on ICS to allow mIRC to send back a random fake ident response.

Whats the point?

Re:Ident (1)

sshore (50665) | more than 13 years ago | (#2136300)

Not so long ago, kiddies commonly bounced through misconfigured proxies onto irc in order to hide their true hostname, avoid accountability, etc.

Most proxies do not provide ident service. Therefore, the easiest way to block these people was to block non-ident clients.

The other alternative is to scan hosts as they come in for open proxies, but you can imagine the floods of "your server portscanned me" emails. It's also yet another extra program to be running on the server, with all the bugs inherent in that.

This is a pain for people legitimately using proxies, but for the rest of us it's a minor nuisance and a major win.

Use a crypto plug in (1)

Lawrence_Bird (67278) | more than 13 years ago | (#2153278)

The members of the chat room I am in use a
crypto plug in called rcforge. We use the CS2
protocol, and it a) protects are convos, and b)
keeps the strays to a minimum. And its very easy
to switch back and forth between clearn and coded
text.

What is Michael afraid of? (0, Offtopic)

Saib0t (204692) | more than 13 years ago | (#2151044)

We posted an article about another secure IRC system last year.

Looks like Michael is getting afraid of seeing all those "Hey, that is old news, we got that last year already" :)

Come on Michael, stop walking on eggs ;-)

Re:What is Michael afraid of? (1, Offtopic)

Saib0t (204692) | more than 13 years ago | (#2127642)

Offtopic? Looks like a moderator has no sense of humour... Bah... Burn karma, burn...

this won't stop them.. (0)

General8 (470466) | more than 13 years ago | (#2151045)

you think this will stop them skript kiddos who can hack away at it 16 hours a day? And the most frightening thing is they are motivated to do it.

IRC vs. Instant Messaging Chat (2)

hillct (230132) | more than 13 years ago | (#2151047)

Does IRC hold promite as a secure communication mechanism? Seems to me it's major flaw is that it's server based, whereas there are Instant Messaging systems which facilitate Live Chat without the need for server intervention (for the chat function) which reduces the liklihood of the conversation being recorded/stored by some one who is not a party to the chat. What we really need is SSL integration with Instant Messaging systems (rather than just PGP as ICQ has), since Instant messaging has a far greater userbase than IRC, which is still dominated by the Geek set. The non-technical public has latched onto IM as their chief means of realtime online text chat. br>
--CTH

Re:IRC vs. Instant Messaging Chat (1)

Nachtfalke (160) | more than 13 years ago | (#2117582)

DCC chat is direct client to client chat, so there's no server intervention there.

Re:IRC vs. Instant Messaging Chat (1)

Unknown Bovine Group (462144) | more than 13 years ago | (#2123769)

What we really need is SSL integration with Instant Messaging systems (rather than just PGP as ICQ has)

JUST PGP? PGP is so much more insecure than SSL? Is that why the FBI had to put a keylogger on the Mob keyboard to get past it?

Re:IRC vs. Instant Messaging Chat (0)

Anonymous Coward | more than 13 years ago | (#2129887)

Licq have support for SSL.. www.licq.org

Won't Work (4, Insightful)

audibility (136433) | more than 13 years ago | (#2151194)

The big-sell factor for IRC at the moment is its age. It's been around forever, and there's enough knowledge of it and how it works / software / literature / networks etc etc out there to form a user base.

It'd be far too hard to implement this system attractively wide scale, simply due to the fact that IRC has been losing usefulness (in it's intended form) for quite a while now.

There's no real demand for such a system. If people care who's listening they use encrypted email / private messaging software - they may themselves not be totally secure but you've got a better chance if you talk to 1 person than a room of 78.

Current IRC users don't give a shit who listens. Just the way it is.

Re:Won't Work (1)

Telastyn (206146) | more than 13 years ago | (#2127118)

Though one of the reasons IRC (imo) ,as far as *chat* is concerned, has been declining in popularity is due to the general chaos and warring that goes on. Also with the design is the concept of channel ownership and privledge levels. The encryption is an added bonus/mechanism.

You're basically correct, but you have it reversed (5, Interesting)

FallLine (12211) | more than 13 years ago | (#2151401)

People continue to use IRC, by and large, as a method of open communication because of its particular user base: friends, acquaintance, partners, groups, and like-minded individuals use it.

It's basically a network effect, much like that which allows MS to continue to produce relatively mediocre products. In other words, you won't use method XXX, because your friends won't be there. Your friends won't because you (and others) won't be there. Unless a substantial portion of the given social groups actually agrees to coordinate a movement, the entrenched users will stay and put up with the crap (to a point).

The bottom line is that IRC, in and of itself, has very little going for it as an open forum: it's harder to learn and use; it's laggy; its service is poor; it's insecure; and so on. It's continuing use owes largely to its users, not to the technology itself.

Public IRC should be extinct by all rights. That said, the fact that is easy to setup a server and free, means that it still has a role for private/commericial uses.

Re:You're basically correct, but you have it rever (2, Informative)

DNS-and-BIND (461968) | more than 13 years ago | (#2117194)

IRC is open. Nobody can hijack the standard, even though MS tried to extend it without much success.

Re:You're basically correct, but you have it rever (0)

Anonymous Coward | more than 13 years ago | (#2127421)

Thanks for the point back, I would have used "underrated" rather than "informative" though.

Re:You're basically correct, but you have it rever (0)

Anonymous Coward | more than 13 years ago | (#2129615)

Hey, moderating bitch, MS did extend IRC, but it didn't take off. Ever hear of Microsoft Comic Chat? It's IRC. Fucknuts.

Re:You're basically correct, but you have it rever (1)

evvk (247017) | more than 13 years ago | (#2123279)

> The bottom line is that IRC, in and of itself, has very little going for it as an open forum: it's harder to learn and use; it's laggy; its service is poor

That only matters when there are people around the world on the same channel. But I don't think any system of that scale could manage much better. The internet is lagged and slow these days. Sometimes it takes ages to load web pages overseas (that is, the US) because the network at some point is totally lagged there.

But when all the people on a channel are using the same or nearby servers, IRC usually works very well. That happens be the case with all the channels I'm on. Everyone uses the university IRC server located just a couple of hundred metres from here.

Man-in-the-middle safe? (1)

Kaa42 (137049) | more than 13 years ago | (#2151455)

[- ]Secure key exchange and authentication protocol. SILC Key Exchange (SKE) protocol provides key material used in the SILC sessions in secure manner. The protocol is immune for example to man-in-the-middle attacks and is based on the Diffie-Hellman key exchange algorithm.

I wonder how they made Diffie-Hellman KEA safe from a man-in-the-middle attack, as I understand it this is extremely difficult and D-H doesn't help you a bit.

Secure IRC? (1)

TheSHAD0W (258774) | more than 13 years ago | (#2151681)

If you're talking about an IRC that's been modified to get rid of some of the exploits, try IRCX.

If you're talking about a chat system where all communications are encrypted (though the crypto is suspect), try Filetopia.

Hardly News (0)

Geekenstein (199041) | more than 13 years ago | (#2152135)

A secure IRC system has been around for a while from Webmaster, Inc. [webmaster.com] Its proprietary sure, but it runs on just about everything. The clients and the servers can both communicate through an SSL connection.

I'm sticking with IRC thankyouverymuch (5, Insightful)

evilMoogle (304970) | more than 13 years ago | (#2152288)

Q: Does SILC support file transfer? A: Not yet. This is a feature that will be added to the SILC protocol. The exact file transfer protocol is undefined.
Q: How secure SILC really is? A: A good question which I don't have an answer for.

Okay, so let's go down a checklist: 1) No file transfer yet, and when it comes, we don't know what the protocol will be. You know, IRC is really more than just a chat network, Files are also important. When you want to find a hard-to-find mp3, where do you turn? IRC. If you want the latest Southpark episode because you forgot to tape it, where do you turn? IRC. If you want to fine fansubbed anime, or test out a series before you spend money on a DVD, where are there tons of fservers dedicated to anime? IRC. If you're looking for almost any type of file, where to turn? IRC. SILC, even if it does get a protocol (which allows fserves) couldn't get the sheer volume of stuff that IRC has. SILC will never replace IRC, for that reason alone.
2) Wow, it's more secure, but they aren't really sure how secure it is. It might as well be the latest security feature out of Microsoft, for all that they can tell us. They mention stuff, but they don't actually answer the question.

Well, these two, for me, are enough to persuade me that I'm not uninstalling mIRC, and not going to be d/ling SILC any time soon. Besides, IRC is great because of the variety with the people, does SILC have that? Nah. I'm sticking with my beloved IRC, thankyouverymuch.

Re:I'm sticking with IRC thankyouverymuch (2, Insightful)

Bostik (92589) | more than 13 years ago | (#2151837)

Q: How secure SILC really is? A: A good question which I don't have an answer for.

I'm answering this one first. Or more than that - can YOU tell me exactly how secure RSA as an algorithm is? Or AES (Rijndael)? SSL as a protocol? The PGP specification?

None of these have absolute and accurately measurable "amount" of security. The algorithms are open, as are the protocol specifications. We only know that they haven't yet been publicly broken. We use them, and we trust them.

SILC is by no means a silver bullet and it's not meant as such. Personally I think it's one huge step into the right direction. One, it adds to the generally small amount of encrypted traffic which is always good. Two, nobody owns a nick in SILC network so the ever increasing nick wars as seen in IRC are not going to be a problem. Three, people are touting about not using telnet when we have SSH. It didn't happen overnight.

No, I don't think SILC is ever going to replace IRC, in the same way that SSH has not replaced telnet. What we need is more clients, more users and a lot more testing and good ideas as to how SILC should be developed. It's not a ready product but it's definetely quite stable - and because the UI is almost exactly like IRC, those that wish to give it a try should feel quite at home.

The SILC protocol appears quite solid and the person who designed it, has had it brewing for ages. No, he's not an established crypto authority like Zimmerman or Biham. But he works in this field and as such, has a pretty good insight. The protocol is still under developement, as you have noticed. The chat part is quite finished but file transfer is not yet there. What we need is a set of really good ideas and a streamlined protocol for file transfer. You have a very good point about that - but how long did it take for IRC to have DCC capability? I'm pretty confident it didn't have it at the very beginning. Don't bash SILC just because it's still an infant and trying to grow.

You have absolute rights to your opinion, and I respect that. I just used mine.

The reason irc is still alive (2, Insightful)

Phork (74706) | more than 13 years ago | (#2152600)

IRC may not be the greatest protocol ever, but it work, and there is an irc for basically every platform. I can go and download 3 different irc clients for my palm pilot right now, i cant download an silc client for it.

Also, i dont see that this solves any problems with irc that havent already been solved. There has been irc over ssl for a while, it is no to widly used, but there are places that use it. There is authentication via nickserv. One of the ircds has hostname cloacking so people cant get your hostname. And as far as being scaleable, irc is very scaleable, a single server can easily handle 30,000 connections, and it is not to difficult to make a net of 20 server. Using routing servers makes this even more scalable.

Michael the Troll (-1, Flamebait)

gamorck (151734) | more than 13 years ago | (#2153018)

Is michael on a trolling run today? The man has posted the last five articles on /. This makes you wonder what the other "editors" are doing in all their spare time.

No this article isnt really a troll - but for the most part I cannot stand Michael (not to mention his shady history) because hes so much like that one fly that you just CANNOT get rid of.

Gam
"Flame at Will"
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>