--On Tuesday, August 20, 2024 11:47 -0400 "Dale R. Worley" <[email protected]> wrote:
> ...
> I've found
> https://medium.com/devopsontheblock/irc-is-still-cool-in-2019-25c7c1203504
> which says
>
> > For most channels on Freenode you will need to register your
> > username and authenticate. This is probably to prevent similar
> > attacks like the one that happened in 2010.
>
> The underlying problem is that if you have a protocol and server
> that doesn't require clients to authenticate in any way, then it's
> easy to abuse the server. In this particular case, Firefox could
> be tricked by a bad link to sending junk to Freenode, but as long
> as a server accepts whatever it receives, it's always possible that
> tools can be deceived to assist in the attack.
>
> It might be worth writing up guidelines on how to avoid such
> problems. But I suspect that the knowledge is widespread that
> servers need to authenticate clients because there are many
> malicious users out there. The difference with IRC is that it was
> developed in 1988, before Eternal September.

Dale,

Yes. But, unfortunately, serious/careful/accurate authentication of clients in general purpose protocols is hard. Doing it when the client is already known, individually, to the server is much easier, but such pairwise arrangements don't scale very well. More superficial authentication, including depending on domains rather than individuals and client machines, is easier, but extensive experience suggests that, if those techniques started to become ubiquitous, the effect would be to cause the bad guys/attackers to become smarter.

As an example from the email world, if I had an address for which the delivery server would bounce or trash a message unless the message body were signed with OpenPGP or S/MIME, using a key whose public counterpart I had seen and verified before, the amount of trash, malware, etc., that would show up in that mailbox would be zero or very close to it.

But, if that were a primary mechanism, no one would ever receive mail except by prior agreement on a sender basis -- not very practical, especially for things like IETF lists where we want to be open to contributions from new people.

So, again yes, but not as easily accomplished as said.

john

--
Witarea mailing list -- [email protected]
To unsubscribe send an email to [email protected]
