Secure IRC?

priikone writes: "IRC has had a lot of problems related to security and network scalability in the past, and recently as well. However, there is an alternative -- secure alternative to IRC; the Secure Internet Live Conferencing (SILC), which has all the same features IRC has, with addition of superior security, and hopefully more scalable and powerful network topology. It is for all those who cares who's listening. It works, and is of course all Open Source." We posted an article about another secure IRC system last year.

Re:IRC doesn't need security..

[krokodil]

This is not a reason you need more security. Let me give you an
example: I hang on IRC to chat with friends. I usually sit there in
passive mode and if somebody wants to talk to me, they could. Kind of
instant messaging, but using more popular and accessible
media. Sometimes my colleagues from across the ocean stop by and want
to discuss some business related issues. Main problem is our
conversation (if it is not DCC, which in most case does not work
because of firewalls) could be observed by any IRC server
operator. There are dozen servers on network, some administrated by more
than one person. You could not assure integrity of all these people.

Proposed system will solve this problem, since all communication will
be encrypted using public keys of participants and channel keys. So
several people can chat on channel in confidence that nobody is
snooping their discussion.

Re:You cannot secure IRC

[RedX]

IRC is a denzien of hackers, pirates and kiddieporn scum.

Sounds just like just about every ignorant Internet critic, RIAA or MPAA member, government official when trying to justify DMCA or some other piece of legislature/censorship. Get a clue, troll. Just like every other area of the Internet, IRC does have its "hackers, pirates, and kiddieporn scum", but it also has a great array of technical resources and general chat areas. I don't know of many other places where I can drop in and get real-time support from peers when trying to chase down a network or OS problem. Hate to burst your bubble, but many people might think of IRC and Usenet to be the bottom of the Internet barrel, I find them to be two of the most useful technical resources I have at my disposal.

You're basically correct, but you have it reversed

[FallLine]

People continue to use IRC, by and large, as a method of open communication because of its particular user base: friends, acquaintance, partners, groups, and like-minded individuals use it.

It's basically a network effect, much like that which allows MS to continue to produce relatively mediocre products. In other words, you won't use method XXX, because your friends won't be there. Your friends won't because you (and others) won't be there. Unless a substantial portion of the given social groups actually agrees to coordinate a movement, the entrenched users will stay and put up with the crap (to a point).

The bottom line is that IRC, in and of itself, has very little going for it as an open forum: it's harder to learn and use; it's laggy; its service is poor; it's insecure; and so on. It's continuing use owes largely to its users, not to the technology itself.

Public IRC should be extinct by all rights. That said, the fact that is easy to setup a server and free, means that it still has a role for private/commericial uses.

I'm sticking with IRC thankyouverymuch

[evilMoogle]

Q: Does SILC support file transfer? A: Not yet. This is a feature that will be added to the SILC protocol. The exact file transfer protocol is undefined.

Q: How secure SILC really is? A: A good question which I don't have an answer for.

Okay, so let's go down a checklist: 1) No file transfer yet, and when it comes, we don't know what the protocol will be. You know, IRC is really more than just a chat network, Files are also important. When you want to find a hard-to-find mp3, where do you turn? IRC. If you want the latest Southpark episode because you forgot to tape it, where do you turn? IRC. If you want to fine fansubbed anime, or test out a series before you spend money on a DVD, where are there tons of fservers dedicated to anime? IRC. If you're looking for almost any type of file, where to turn? IRC. SILC, even if it does get a protocol (which allows fserves) couldn't get the sheer volume of stuff that IRC has. SILC will never replace IRC, for that reason alone.
2) Wow, it's more secure, but they aren't really sure how secure it is. It might as well be the latest security feature out of Microsoft, for all that they can tell us. They mention stuff, but they don't actually answer the question.

Well, these two, for me, are enough to persuade me that I'm not uninstalling mIRC, and not going to be d/ling SILC any time soon. Besides, IRC is great because of the variety with the people, does SILC have that? Nah. I'm sticking with my beloved IRC, thankyouverymuch.

I'm sceptic

[borud]

I started reading the "SILC Protocol White Paper" and I have to admit that it I didn't make it further than a few pages before I lost interest. Mainly because of the language and what it told me.

I am not talking about the embarrasing mutilation of the english language, but the fact that you can tell from the wording that the person who wrote it is neither a cryptographer by profession or someone who seems to have digested any significant amount of litterature related to cryptography or security in general. If you've read a good deal of scientific papers on cryptography and related areas, perhaps digested a couple of books you can spot this quickly. People who understand cryptography express themselves quite differently. They strive to be precise and they are much more reluctant to call anything safe without at the same time either giving some measure of what they mean by "safe" or pointing out limiting factors. And God forbid: they'd never point their finger at a complex system and say that it was provably safe unless they could actually prove it.

I doubt you'll ever se any formal proof that SILC is secure.

I know most people would say "so what?". A lot of people would even say "well, you don't need a Ph.D to write a crypto app" -- and they would be right. you don't. however you still have to know a bit about cryptography and a LOT about how you avoid basing conclusions on assumptions.

(Just ask Bruce Schneier if his book "Applied Cryptography" suddenly lead to more quality crypto software being written. Tip: it didn't. It lead to more inept people writing even more bad crypto software). But you do need to understand what you are doing to make any kind of valid statement about what one should expect.

In any case, my point is that it takes a certain kind of mindset to design and implement anything having to do with security. The aforementioned white paper was apparently written by someone who understands some of the mechanics involved, but who doesn't seem to have absorbed any of the intellectual discipline good cryptographers convey in their writings.

I was thinking about downloading the thing and possibly install it, but if the white paper is that naive, what is the actual system going to be like? Probably not worth the bother from a security point of view, although one might actually learn other things from such a system (for instance their approach to message routing etc. I don't know I never got that far once it became obvious to me that this was the wrong place to look for a *secure* system)

So why am I writing this? To slam SILC?

Definitively not.

I'm writing it because most people are too ignorant, or to arrogant about their ignorance, to realize that they probably wouldn't be able to tell a more secure system from a less secure system. Also, because I think it is important that people try to make an effort to understand what type of security something provides -- ie. exactly what does the system prevent and what doesn't it prevent. I'd like people to *think* instead of choosing their security solutions the way most consumers choose toothpaste.