"Soni \"It/Its\" L." <[email protected]> writes:
> a long time ago, someone found out you could flood IRC networks using 
> HTTP clients (browsers): 
> https://www.theregister.com/2010/01/30/firefox_interprotocol_attack/
>
> we do not immediately find any RFCs that address this issue. browsers 
> mitigated the issue by blocking certain ports, while IRC networks... 
> we're not sure what IRC networks did, honestly.

I've found
https://medium.com/devopsontheblock/irc-is-still-cool-in-2019-25c7c1203504
which says

    For most channels on Freenode you will need to register your
    username and authenticate. This is probably to prevent similar
    attacks like the one that happened in 2010.

The underlying problem is that if you have a protocol and server that
doesn't require clients to authenticate in any way, then it's easy to
abuse the server.  In this particular case, Firefox could be tricked by
a bad link into sending junk to Freenode, but as long as a server accepts
whatever it receives, it's always possible that tools can be deceived to
assist in the attack.

It might be worth writing up guidelines on how to avoid such problems.
But I suspect that the knowledge is widespread that servers need to
authenticate clients because there are many malicious users out there.
The difference with IRC is that it was developed in 1988, before Eternal
September.

Dale

-- 
Witarea mailing list -- [email protected]
To unsubscribe send an email to [email protected]
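
The point in the message above about a server that "accepts whatever it receives", as an added example that is not part of the original message or of any IRC server's code: one possible check, assumed here rather than taken from the thread, in which a line-based server drops a new connection as soon as its pre-registration input looks like HTTP. The function name, patterns, command allow-list and sample bytes are constructed for illustration.

```python
import re

# HTTP/1.x request line shape: METHOD SP target SP HTTP/x.y
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")
# Header names a browser sends; an IRC command verb never ends in a colon.
HTTP_HEADER = re.compile(
    rb"^(Host|User-Agent|Content-Type|Content-Length|Cookie):", re.I)
# Assumed allow-list of commands a genuine client sends before registering.
PRE_REGISTRATION = {b"CAP", b"PASS", b"NICK", b"USER",
                    b"AUTHENTICATE", b"PING", b"PONG", b"QUIT"}


def screen_connection(raw: bytes):
    """Screen the first bytes received on a new connection.

    Returns (verdict, accepted_lines); verdict is "registered", "pending"
    or "drop:<reason>". Nothing after a drop is processed, so commands
    carried in an HTTP body are never executed.
    """
    accepted, seen = [], set()
    for line in raw.replace(b"\r\n", b"\n").split(b"\n"):
        if not line:
            continue
        if HTTP_REQUEST_LINE.match(line) or HTTP_HEADER.match(line):
            return "drop:http", accepted
        verb = line.split(b" ", 1)[0].upper()
        if verb not in PRE_REGISTRATION:
            return "drop:unregistered-command", accepted
        accepted.append(line)
        seen.add(verb)
        if {b"NICK", b"USER"} <= seen:
            return "registered", accepted
    return "pending", accepted


# Constructed samples: a browser form POST whose body holds IRC lines,
# and the opening lines of an ordinary IRC client.
BROWSER_POST = (b"POST / HTTP/1.1\r\nHost: irc.example.net:6667\r\n"
                b"Content-Type: multipart/form-data\r\n\r\n"
                b"NICK spam\r\nUSER a b c :d\r\nPRIVMSG #chan :junk\r\n")
IRC_CLIENT = b"CAP LS 302\r\nNICK dale\r\nUSER dale 0 * :Dale\r\n"

if __name__ == "__main__":
    print(screen_connection(BROWSER_POST))
    print(screen_connection(IRC_CLIENT))
```

A server that ignores unknown lines and keeps reading would instead reach the NICK/USER lines in the POST body, which is the behaviour this check removes.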
