Unsecure QuakeNet IRC network

Dropping Security For Everyone To Not Provide A False Sense Of Security For Some Of Them

The IRC network QuakeNet does not provide secured (SSL) connections to the servers. In May of 2009 they elaborated on why they think providing SSL is not helpful. I still say they are wrong!

What they state is that they do not want to provide a false sense of security to those who do not verify certificates, that is, those who are not aware of SSL's flaws and of the man-in-the-middle attack that becomes possible if you blindly accept a new certificate. They say that “the false sense of security SSL provides is worse than no SSL at all.”

This statement shows a lack of understanding of, or an unjustified disregard for, the following points:

  • There is a false sense of security only for those who are not aware of SSL's flaws (above, I took their statement to be focused on those people).
  • Even with a man in the middle, the connection is secure (encrypted) up to him.

    Really, you prefer sending plaintext over public WLANs, where everyone can easily sniff it? For an attacker, injecting his own IRC server with an SSL certificate in the middle is technically far more complex than simply listening on a public or cracked WLAN. Cracking an encrypted WLAN is pretty easy as well, if that network uses an old encryption algorithm.

  • With SSL, those aware of SSL's mechanics can have secure connections.

    Now, even those aware of SSL's flaws cannot have a secure connection. And if they are on a public WLAN, they have the choice of sending their plaintext password publicly or not sending it at all. Let's hope they do the latter.

The comment I posted in reply to their article (never unlocked, and no notice of moderation when posting):

Did you really just state that you prefer sending unencrypted, potentially over public networks that can be sniffed (WLAN), over providing a false sense of security to the less informed?

I can’t believe it.

The thing you actually point out is correct – SSL can't prevent man-in-the-middle attacks for the persons accepting the cert blindly. But that's no different from websites at all. If you, unlike the other person, do not blindly do so, and get a heads-up when the cert changes, you still have a secured connection even if the other person does not. You are safe to send passwords to Q while the other person is not. Of course, if the other person sends channel passwords over the man in the middle, that password is compromised, but that's just like on websites as well.

Please, do implement SSL – not to give a false sense of security, but to even *allow* encrypted connections to the server you are connected to. Even if it’s the man in the middle you are connecting to via SSL, you are not giving your data away unencrypted in a public WLAN.
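The distinction drawn both in the list above and in the comment, between blindly accepting a certificate and getting a heads-up when it changes, as an added Python example (my own illustration, not QuakeNet's or the post's code): a trust-on-first-use pin check for an IRC-over-TLS client. The `verify=False` context is the "blindly accept" mode, still encrypted to whoever answers but with no identity check; the hostname, port and certificate bytes in the test are constructed placeholders.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(pins: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use: store the fingerprint the first time a host is seen,
    then report 'match' or 'CHANGED' on later connections.
    'CHANGED' is the heads-up that a man in the middle may now be answering."""
    fp = fingerprint(der_cert)
    if host not in pins:
        pins[host] = fp
        return "new"
    return "match" if pins[host] == fp else "CHANGED"


def tls_context(verify: bool = True) -> ssl.SSLContext:
    """TLS context for an IRC connection. verify=True checks the chain and hostname
    (the informed user); verify=False accepts any certificate (the blind user),
    which still denies plaintext to a passive sniffer on the WLAN."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_irc(host: str, port: int, pins: dict, verify: bool = True) -> str:
    """Open a TLS socket to an IRC server and run the pin check before any
    credentials (e.g. a password for Q) would be sent. Returns the pin status."""
    ctx = tls_context(verify)
    raw = socket.create_connection((host, port))
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        status = check_pin(pins, host, tls.getpeercert(binary_form=True))
        if status == "CHANGED":
            raise RuntimeError(
                f"certificate for {host} changed: possible man in the middle, "
                "refusing to send credentials")
        return status
```

On a real network the caller would persist `pins` (for example as JSON in the client's config directory) so the heads-up survives across sessions.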