PSA: SSL and why you should use it.


fauxm
existential nihilist of the linux world
Posts: 15
Joined: Fri Aug 01, 2014 11:42 pm
Location: /home/fauxm/
Contact:

PSA: SSL and why you should use it.

Postby fauxm » Tue Aug 05, 2014 3:25 am

For the lazy: Enable SSL in server settings, make sure port is set to 6697. You may have to allow invalid certs, but hopefully you won't need to.

Greetings! You may have heard the term SSL before, but probably thought it was just plain old technobabble and ignored it.
Well, don't ignore it! SSL (and its more modern counterpart, TLS) is very important for security.

In brief, SSL/TLS is a way of encrypting data, mostly used for web communication, like HTTPS and yes, IRC.
For starters, you should, in general, be encrypting everything you can, even if it's non-sensitive, because why not, but you should especially be encrypting important data like passwords and stuff.
Fortunately for us, most modern websites use HTTPS (and sometimes more) to protect their users' data in transit, but what about IRC?

Most of you probably aren't connecting to EoP (or any other IRC net you may be on) with SSL because you never saw the reason.
However, as mentioned previously, it's always a good idea to encrypt your data.

The most obvious reason for IRC encryption is NickServ identification.
Below is the output of tcpdump (a packet capture tool) capturing packets from my computer's ethernet port.

Code:

23:04:44.614092 IP 192.168.0.4.38072 > www.rp.edgeofperspective.net.ircd: Flags [P.], seq 164:205, ack 6197, win 356, options [nop,nop,TS val 953841316 ecr 19638049], length 41
E..]..@.@.......E..>....-...e].....d.......
8.v..+.!PRIVMSG nickserv :identify passwordhere


It can see everything my IRC client can, including this line: "!PRIVMSG nickserv :identify passwordhere".
This is the command the IRC client sends to message NickServ telling it "here's my password, identify me!".
Of course, you would replace passwordhere with your actual password, and this is exactly what anyone running a packet capture tool (there are tons available) would see.

But it gets worse, oper passwords!
Opers are not immune, here's the output of an attempt to oper up with a fake password:

Code:

23:17:39.850507 IP 192.168.0.4.38110 > www.rp.edgeofperspective.net.ircd: Flags [P.], seq 115:132, ack 3258, win 288, options [nop,nop,TS val 954616552 ecr 19716212], length 17
E..E.x@.@.......E..>......../.+\... .......
8.J..,.tOPER fauxm wauf


The "OPER fauxm wauf" part is the part of interest.
Again, "wauf" is a dummy passphrase, but you get the idea.

For laughs, here's a segment from an encrypted session (around the time when I messaged NickServ):

Code:


23:19:45.762762 IP 192.168.0.4.41685 > www.rp.edgeofperspective.net.40: Flags [.], ack 648, win 1424, options [nop,nop,TS val 954742464 ecr 19729101], length 0
E..4.r@.@.s.....E..>...(7.u................
8.6..-
.
23:19:46.763760 IP www.rp.edgeofperspective.net.40 > 192.168.0.4.41685: Flags [P.], seq 648:684, ack 1, win 408, options [nop,nop,TS val 19729202 ecr 954742464], length 36
E..X..@.6...E..>.....(......7.u.....s%.....
.-.28.6...../D...>..~Q@Qc....%&/..g.=.....q.
23:19:46.763786 IP 192.168.0.4.41685 > www.rp.edgeofperspective.net.40: Flags [.], ack 684, win 1424, options [nop,nop,TS val 954743465 ecr 19729202], length 0
E..4.s@.@.s.....E..>...(7.u................
8.:..-.2
23:19:47.765174 IP www.rp.edgeofperspective.net.40 > 192.168.0.4.41685: Flags [P.], seq 684:720, ack 1, win 408, options [nop,nop,TS val 19729302 ecr 954743465], length 36
E..X..@.6...E..>.....(......7.u.....rW.....
.-..8.:.......De7I..H .k..%)gq ....w.~......
23:19:47.765200 IP 192.168.0.4.41685 > www.rp.edgeofperspective.net.40: Flags [.], ack 720, win 1424, options [nop,nop,TS val 954744467 ecr 19729302], length 0
E..4.t@.@.s.....E..>...(7.u................
8.>..-..
23:19:48.766262 IP www.rp.edgeofperspective.net.40 > 192.168.0.4.41685: Flags [P.], seq 720:756, ack 1, win 408, options [nop,nop,TS val 19729402 ecr 954744467], length 36
E..X..@.6...E..>.....(......7.u.....L......
.-..8.>.....j.....{......Tcl.R.8....N....\.Z
23:19:48.766284 IP 192.168.0.4.41685 > www.rp.edgeofperspective.net.40: Flags [.], ack 756, win 1424, options [nop,nop,TS val 954745468 ecr 19729402], length 0
E..4.u@.@.s.....E..>...(7.u....*...........
8.B|.-..
23:19:49.767346 IP www.rp.edgeofperspective.net.40 > 192.168.0.4.41685: Flags [P.], seq 756:792, ack 1, win 408, options [nop,nop,TS val 19729502 ecr 954745468], length 36
E..X..@.6...E..>.....(.....*7.u......s.....
.-.^8.B|....-.Wd......U .g.y~....<.e.....BIF
23:19:49.767361 IP 192.168.0.4.41685 > www.rp.edgeofperspective.net.40: Flags [.], ack 792, win 1424, options [nop,nop,TS val 954746469 ecr 19729502], length 0
E..4.v@.@.s.....E..>...(7.u....N...........
8.Fe.-.^


As you can see, there's data being sent, but it's all completely unreadable by everything except for the server! How awesome!

Anyone has access to this information if you're on a public WiFi network, or if there's someone sneaky playing with the phone/cable lines down the road or outside your house (rare, but it does happen; tapping wires isn't impossible), so be careful.
Another thing to take note of is that EoP's site does not have HTTPS on (because getting an HTTPS certificate is much more difficult and expensive than securing an IRC server), but HTTP is another beast and they may be doing some JS or PHP-level encryption (I don't know, I don't work with that stuff so don't take my word for it).
Regardless, it would be a good idea in general to use a different password here just in case (and use a different password for each site and login).


All sites (EoP and G:ES) excluding the webchat now force you to use HTTPS instead of HTTP since I set up a certificate.

Now you may be asking "How do I use this wonderful SSL thing!?" and the answer is simple: click a box!
Yep! Most IRC clients have an option to use SSL; just edit your server settings or connection settings, and it should be there.
Make sure the port says "6697", or else you'd be trying to connect with SSL on a port on which the server is set up to read non-encrypted information (so the server will just see a bunch of random crap, basically).
Make sure that you reconnect so that you can begin using SSL!
If you can't connect via the standard ports, Momiji is set up to listen for connections on 8067 (normal) and 8097 for SSL.
You may also have to allow/acknowledge invalid certificates, which is fine as long as it matches what's on the server.

TL;DR: SSL is good, use it~!
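The two practical points of the post above, spotting plaintext IRC credentials in a capture and connecting over TLS without simply waving invalid certificates through, as an added Python example. This is not code from the post or from EoP; the host names in the sample capture are placeholders, the PASS line is constructed (the PRIVMSG and OPER payload lines reproduce the ones shown in the post), the port 6697 default follows the post, and the fingerprint helper assumes the colon-separated SHA-256 form most IRC clients display.

```python
"""Added example (not from the original post): flag plaintext IRC credentials in
tcpdump -A output, and build a TLS connection that verifies the server certificate
instead of disabling verification. Sample data below is constructed."""
import hashlib
import re
import socket
import ssl
from typing import List, Optional, Tuple

# IRC commands that carry a secret in clear text on a non-TLS connection.
# tcpdump -A prints IP/TCP header bytes as ASCII before the payload, so the verb
# may be glued to header junk ("tOPER fauxm wauf" in the post); therefore no word
# boundary is used before the verb, at the price of an occasional false positive.
_CREDENTIAL_PATTERNS = [
    re.compile(r"PRIVMSG\s+nickserv\s+:identify\s+(?P<secret>\S+)", re.I),
    re.compile(r"NS\s+IDENTIFY\s+(?P<secret>\S+)", re.I),
    re.compile(r"OPER\s+\S+\s+(?P<secret>\S+)", re.I),
    re.compile(r"PASS\s+(?P<secret>\S+)", re.I),
]


def find_plaintext_credentials(capture_text: str) -> List[Tuple[str, str]]:
    """Return (command, redacted_line) for every line that exposes a password.
    The secret is replaced with '***' so the report is safe to paste elsewhere."""
    hits = []
    for line in capture_text.splitlines():
        for pat in _CREDENTIAL_PATTERNS:
            m = pat.search(line)
            if m:
                verb = m.group(0).split()[0].upper()
                redacted = line[: m.start("secret")] + "***" + line[m.end("secret"):]
                hits.append((verb, redacted.strip()))
                break  # one finding per line is enough
    return hits


def irc_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that rejects unverified or hostname-mismatched certificates.
    For a self-signed server cert (the post's "invalid cert" case), pass its PEM as
    ca_file so it is trusted explicitly rather than by turning verification off."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint as 'AA:BB:...' for comparison with the value the server
    admin published, which is what "matches what's on the server" should mean."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def connect_irc_tls(host: str, port: int = 6697,
                    expected_fingerprint: Optional[str] = None,
                    ca_file: Optional[str] = None) -> ssl.SSLSocket:
    """Open a verified TLS connection to the IRC server's TLS port (6697, not the
    plaintext port). If expected_fingerprint is given, the leaf certificate must
    also match it; a mismatch closes the socket before any IRC command is sent."""
    ctx = irc_tls_context(ca_file)
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    if expected_fingerprint is not None:
        seen = cert_fingerprint(tls.getpeercert(binary_form=True))
        if seen != expected_fingerprint.upper():
            tls.close()
            raise ssl.SSLError(f"certificate fingerprint mismatch: {seen}")
    return tls


# Constructed sample: payload lines as in the post's captures, a PASS line, and one
# encrypted payload line that must not be flagged. Host names are placeholders.
SAMPLE_CAPTURE = """\
23:04:44.614092 IP 192.168.0.4.38072 > irc.example.net.ircd: Flags [P.], length 41
8.v..+.!PRIVMSG nickserv :identify passwordhere
23:17:39.850507 IP 192.168.0.4.38110 > irc.example.net.ircd: Flags [P.], length 17
8.J..,.tOPER fauxm wauf
8.K..-.uPASS hunter2
23:19:46.763760 IP irc.example.net.6697 > 192.168.0.4.41685: Flags [P.], length 36
.-.28.6...../D...>..~Q@Qc....%&/..g.=.....q.
"""

if __name__ == "__main__":
    for verb, line in find_plaintext_credentials(SAMPLE_CAPTURE):
        print(f"{verb:8} {line}")
    # Live use (needs network): connect_irc_tls("irc.example.net", 6697,
    #   expected_fingerprint="AA:BB:...", ca_file="server.pem")
```

Run against a real capture with `tcpdump -A -i eth0 port 6667 | python3 thisfile.py` adapted to read stdin; a TLS session on 6697 yields no findings, which is the post's whole point. Keep `check_hostname` on: pinning by fingerprint is a supplement to chain validation, not a replacement for it.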
Yoshiquest
Outsider
Posts: 4
Joined: Thu Jul 31, 2014 6:38 am

Re: PSA: SSL and why you should use it.

Postby Yoshiquest » Tue Aug 05, 2014 3:29 am

15/10, would refer to again
cxl
Administrator Emeritus
Posts: 193
Joined: Mon Nov 26, 2012 4:37 am
Location: 127.0.0.1
Contact:

Re: PSA: SSL and why you should use it.

Postby cxl » Tue Aug 05, 2014 1:36 pm

All our servers support ssl connections on port 6697, so if you have a client that supports it (and you really should) then I would also strongly urge you to use ssl. There is no downside to doing so, and the level of security gained is significant all by itself.
sudo rm -rf --no-preserve-root /
