[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Weechat-dev] [patch #5835] USER message privacy fix
From: |
Alex Tarkovsky |
Subject: |
[Weechat-dev] [patch #5835] USER message privacy fix |
Date: |
Fri, 30 Mar 2007 10:47:05 +0000 |
User-agent: |
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20060601 Firefox/2.0.0.2 (Ubuntu-edgy) |
URL:
<http://savannah.nongnu.org/patch/?5835>
Summary: USER message privacy fix
Project: Wee Enhanced Environment for Chat
Submitted by: atarkovsky
Submitted on: Friday 03/30/2007 at 10:47
Category: irc protocol
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
This patch implements RFC 1459-compliant privacy measures for the
client-to-server connection process.
WeeChat compromises user privacy by sending unnecessary identifying
information to the server via the USER message upon connection. RFC 1459
specifies the parameters of the USER message as:
<username> <hostname> <servername> <realname>
Regarding the hostname and servername parameters, the specification states:
"Note that hostname and servername are normally ignored by the IRC server
when the USER command comes from a directly connected client (for security
reasons), but they are used in server to server communication."
Per the specification those two particular USER parameters when sent by the
client aren't used by the server for anything. WeeChat creates a privacy
problem however by sending the following values for them:
1. For hostname WeeChat sends the client machine's real hostname. To see how
other *nix IRC clients handle this parameter I tested two popular ones, Irssi
and X-Chat. Over identical privacy concerns, as of version 2.6.1 X-Chat
stopped using the client machine's real hostname for the value of the
hostname parameter, and instead it duplicates the value of the username
parameter there. Irssi still uses the real hostname (but I'll be submitting a
patch to them shortly).
2. For servername WeeChat sends the string "servername". Among the IRC
clients tested, only WeeChat uses this particular value for servername,
making it obvious to the server (or a packet sniffer) which IRC client the
user is connecting with. Irssi and X-Chat both send the server's hostname
(NB: not the client's hostname!) as the servername parameter.
RFC 2812 further supports the argument that the value of USER's hostname and
servername parameters, when sent by a client, are non-vital. It updates the
specification for the USER message parameters:
<user> <mode> <unused> <realname>
Notice that the former servername parameter is now completely unused, and
mode now takes the place of the hostname parameter: "The <mode> parameter
should be a numeric, and can be used to automatically set user modes when
registering with the server."
The attached patch doesn't attempt to implement the mode parameter (or any
other RFC 2812 features). It simply addresses privacy concerns by using the
following USER parameter values:
1. For hostname: The value of the username parameter is duplicated here (a la
X-Chat)
2. For servername: The server's hostname (read from server->address)
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Friday 03/30/2007 at 10:47 Name:
weechat-0.2.4-login-add_servername-no_hostname.patch Size: 1kB By:
atarkovsky
weechat-0.2.4-login-add_servername-no_hostname.patch
<http://savannah.nongnu.org/patch/download.php?file_id=12344>
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/patch/?5835>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Weechat-dev] [patch #5835] USER message privacy fix,
Alex Tarkovsky <=