Messages

1

Mircryption / Re: Are the tcl encrypt functions secure?

« on: November 26, 2007, 06:46 PM »

SSL is vulnerable to man-in-middle attack

On the web them use some "web of trust" system, like when you do internet banking. But do I really trust those "web of trust"? Not really.

From what I know you can use self-signed certificates without web of trust. Clients would need then to check each others sha1 hash over a pre-secure channel or in a meeting (or more unsecure on phone). After the sha1 hash is checked it should be perfect secure against man in the middle, or not?

I think SSL would be still nice to implement encrypted file transfer at protocol level. Sure you can still encrypt each file yourself and then send it, but that`s not a user-friendly solution. No doubt, encryption at protocol level would be nice.

From my researchs it should be even possible to wrap SSL so much that users just need to compare hashs. (it provides encryption and authentication) (still only works for active connections, not offline) (so this could be choose for encrypted file transfer)

PGP (asymmetric ciphers in general) would be pretty impractical and still has the problem of (public) key distribution.

Yes. PGP is for mails the only good thing but for chats not really good, maybe only if you are using it for mails already. It is to overload with features like signing others keys and such. You have also to use web of trust or exchange the public keys over an pre-secure channel (... same like above).

Dunno about OTR, perhaps it's worth checking out?

Absolutely, there is an good implementation for pidgin from the otr project itself. Just check it out. The "shared secret" feature is currently more confusing then helping but no must.

Checking each others hash is - at the moment - perfectly secure. Cryptography conversations are possible, full user support and them also offer support for implementing it.

It provides 4 cryptography features (encrypt, authenticate, deny, forward...) and seams well designed for messengers. But otr is also only for online messages, not offline message support.

...

A lot of kinda unsorted stuff inside my head and this posting. Lots of ideas but no ideal solution. The only correct toolkit would be ssl for filetransfer. The rest has kinda disadventages...

2

Mircryption / Are the tcl encrypt functions secure?

« on: November 26, 2007, 05:01 PM »

I assume:
- aes256 > blowfish
- proven and cryptography implementations (like pgp/ssl) > own handmade implementation
- using the right tool for what it`s made > using something twisted
- the current implementation provides encryption, but no kind of authentication (an active man-in-the-middle attacker could store messages and send them later)

Just from what I read, I am not an expert.

That`s why I am about to suggesting to change the implementation off the tcl functions cbc_encrypt and cbc_decrypt.
- ssl has a lot of good cipher and is very well proven and used a lot but would be kinda overkill and only good for active sessions and not offline chats
- pgp is also not very user friendly, you have to learn to create a public and a private key and to give everyone your public key but still seams to be the most secure solution for chats if someone might be offline and the messages stored on a server
- otr looks also very interesting, although it`s not old and proven like pgp it can be very user friendly (users just have to check if a hash is ok over a pre-secure channel)

Just thoughts, discussion, no offence at all. What do you think?

3

Mircryption / Re: tcl error handeling won`t work after using mircryption for eggdrop

« on: July 02, 2007, 06:47 PM »

About the worktogether with mirccryption and the tcl addon.

- Go to the eggdrop script settings and set a key for your nickname (mirc client).
- Now go to eggdrops console.
- See private messages to the, type console +m.
- Now use your mirc client and type /query yournickname message.
- You will see that message on eggdrops console.
- Now activate mirc encryption and send other message and the bug is that you won`t see that message though +m.

##########################

- Another thing, set up a key in your mirc client for the bot and input the same key in your eggdrop settings.
- Ff you send an encrypted message from the eggdrop to the mirc though putquick then the mirc can decrypt and read it.
- But if the user writes something on dcc partyline, the bot will just echo the encrypted text but and sure don`t understand what you want him to do.
- I guess this is not a real bug, but imho this is an important feature which is currently missing.
- Not that important, but another suggestion is to encrypt incoming and outgoing file transfers. I use that quite often to downloads logs from the bot or to update scripts from my local windrop to my eggdrop shell.

##########################

Btw, are you interested at bug reports/feature requests/suggestions at all?

4

Mircryption / Re: tcl error handeling won`t work after using mircryption for eggdrop

« on: June 29, 2007, 08:19 PM »

Well, I don`t think the problem is on my side. That`s why I made a a bug report and told you how to reproduce the bug. I posted here to get sure that it´s really a bug and not my mistake.

Since it seams he is one of mircryption`s contributors please redirect him to this topic since I don`t know him.

I could also try to look myself deep into your source and figure out how to change this behavor, but  it would take my an big amount of time because I use another style of formating. You also did not state that you are looking for new contributors. Guess he could fix that bug in less time.

I also do other tests, I am about to reproduce another bug with a short as possible code.
EDIT: Found it. Here another bug.

.tcl putquick "mode #channel +o nickname" -next
Tcl error: wrong # args: should be "putquickmc putlinetext"

Works with normal eggdrop, won`t work after mircryption tcl addon is loaded. It`s caused due the -next parameter.

5

Mircryption / tcl error handeling won`t work after using mircryption for eggdrop

« on: June 29, 2007, 05:39 PM »

I tell you how to reproduce the error.

bind pub - !prof proftest

proc proftest { args } {
   invalid_command
}

This small code is enough to show you. Now go on partyline, load the script and type !prof in any unencrypted channel. On partyline you will see Tcl error [proftest]: invalid command name "invalid_command". All ok so far.

But if you type !prof in an encrypted channel no error will be shown on the partyline.

I think this is worth to be changed.

6

Mircryption / [<time>] -nickname- ® <8 digits> / problem with nonamescript

« on: June 29, 2007, 03:50 PM »

Since I am using mircryption I see this in the server window all time. I think this comes from noname script, rather noname script lag toolbar.

[<time>] -nickname- ® <8 digits>

mircryption is loaded as frist remote script already. Any way to get ride of this other then not using nnscript or deactivating the lag toolbar?

7

Mircryption / Re: master password, I really want to save it

« on: June 29, 2007, 03:46 PM »

Found it. Thanks.

If you feel confident that your local machine is secure, there is a feature to let you store your master passphrase in a mirc file and not enter it each time.  You can do this by adding a line to your alt-R variables list:

       %mc_keypassphrase YOURMASTERPASSPHRASE

8

Mircryption / master password, I really want to save it

« on: June 29, 2007, 02:52 PM »

I really want to store the master key (mirc). Really anoying to enter it every time. I know this is not recommend. For my own security needs this is ok. I don`t trust the irc server and the ircops, but I trust my computer. Would be fine enough to have a save password function in the next versions.

For now, I would be happy if you can tell me how I could avoid to enter the master password . Can I store it somewhere in the mirc script?