
On Sat, May 29, 2010 at 7:22 PM, Aaron Wiebe <epiphani@gmail.com> wrote:
> On Sat, May 29, 2010 at 7:26 PM, Jason Hill <secrtagnt@gmail.com> wrote:
> I disagree. If you can trust your irc server/network, ssl provides benefits: I know that content in transit between me and my server cannot be decrypted. That was the _ONLY_ goal of ssl.

Yes, there is some value to SSL encrypted client connections.

>> An easy example of IRC over SSL being "broken", most web irc clients allow SSL connections to IRC servers over HTTP. The ircd has no idea
>> [snip]

This goes back to there being no security validations or standards for IRC clients. However, if you will trust some random web site with your IRC connection, do not be surprised if the implementation is flawed or backdoored.

In addition, an untrusted party could have injected code into or tampered with the web site, by exploiting the webmaster's weak FTP password (for example). It's ok for IRCD to provide an option to use SSL, even if some IRC clients are flawed.

> This argument is bull. The same could be said of every single other ssl mechanism out there.

The same could not be said of every single SSL mechanism... this is a unique situation. Most SSL implementation scenarios involve a communication that is only between two directly connected parties; a client application and a server, the conversation doesn't go any further. Securing that and representing things accurately is much easier in that scenario, than where you have a semi-trusted intermediary attempting to enable multiple parties to communicate.

The closest similar situation to this is e-mail. You can connect to your SMTP server using SSL or TLS to send an e-mail message. Just like you can connect using SSL to a supporting IRC server. However, the fact that you send an e-mail message over SSL or TLS doesn't mean the recipient will get the message, without it ever passing over plaintext. There is no box you can check on your mail client "Do not allow recipient to read this message using non-SSL POP3".

Basically the same reason I suggest there should be no box you can check in your IRC client's channel modes list " [ ] +S - Do not allow user to join channel if using non-SSL"

--
-Mysid