Dropping Security For Everyone To Not Provide A False Sense Of Security For Some Of Them
The IRC network QuakeNet does not provide secured (SSL) connections to its servers. In May 2009 they elaborated on why they think providing SSL is not helpful. I still say they are wrong!
What they state is that they do not want to provide a false sense of security to those who do not verify certificates – those who are not aware of the weak spot in SSL usage: a man in the middle attack can occur if you blindly accept a new certificate. They say that “the false sense of security SSL provides is worse than no SSL at all.”
This statement overlooks, or unjustifiably disregards, the following points:
- There is a false sense of security only for those who are not aware of SSL's flaws (above, I assumed that their statement is focused on exactly those people).
- Even with a man in the middle, the connection is secure (encrypted) up to the attacker.
  Really, would you rather send plaintext over a public WLAN, where anyone can easily sniff it? Inserting your own IRC server with an SSL certificate as a man in the middle is technically far more involved than simply listening on a public (or cracked) WLAN. And cracking an encrypted WLAN is easy enough if that network uses an outdated encryption algorithm.
- With SSL, those aware of SSL's mechanics can have secure connections.
  Now, even those aware of SSL's flaws cannot have a secure connection. And if they are on a public WLAN, they have the choice between sending their plaintext password publicly or not sending it at all. Let's hope they do the latter.
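As an added example (not from the original post, and not QuakeNet's or any client's code), here is the connection setup a client that is "aware of SSL's mechanics" would use: the certificate chain and hostname are verified, and the presented certificate is additionally compared against a fingerprint obtained out of band, so a "new certificate" is refused instead of blindly accepted. The blind variant is shown next to it for contrast; host, port and fingerprint are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: the fingerprint the server operator would publish
# out of band (website, announcement). Not a real server's fingerprint.
PINNED_SHA256 = "00" * 32


def verifying_context() -> ssl.SSLContext:
    """Context that verifies the chain and the hostname (the secure setup)."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def blind_context() -> ssl.SSLContext:
    """The 'accept any certificate' setup the post warns about: the link is
    encrypted, but a man in the middle presenting his own cert goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare against a published fingerprint; tolerates 'AA:BB:..' notation."""
    expected = pinned.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_irc_tls(host: str, port: int, pinned: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a verified TLS connection to an IRC server and enforce the pin.

    ssl.SSLError is raised by the library if chain or hostname checks fail;
    ValueError is raised here if the certificate is not the pinned one, so a
    changed certificate is treated as a possible man in the middle."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = verifying_context().wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, pinned):
        tls.close()
        raise ValueError(f"certificate pin mismatch for {host}: {cert_fingerprint(der)}")
    return tls
```

With a real server, `connect_irc_tls("irc.example.invalid", 6697, PINNED_SHA256)` would return a socket ready for the IRC handshake, and a pin change would surface as an error rather than a silent prompt to accept.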