Great post IMHO
Coolio said:
Rexeh, it makes no sense to duplicate the functionality of an authentication system between areas of a website like Bluelight. Any official BL IRC server should require any IRC clients who connect to authenticate against the same SQL table that the vBulletin forum software uses to do its authentication.
Example:
http://www.inspircd.org/wiki/Modules/sqlauth
The NICK command should be disabled on the IRC server. This would help diminish abuse and trolling on IRC because the IRC nickname is tied down to your Bluelight username, and you could receive a warning on the forum if a Moderator is paying attention.
I think you have much more knowledge than me regarding IRC :D. Using that sqlauth module when compiling the IRCd seems a lot easier than creating a new system. I can see the advantages of using a nick + password only server, and I forgot that people can simply register on BL and log in.
The killreason variable could have a message saying they have to register on BL first and provide a link to the registration system.

<disabled commands="NICK"> is the part needed in the config file, am I right?
I get it now; it has been a long time since I was involved in IRC administration, but I remember the exploits and bots that were used on our server.
Nobody in their right mind would run a Win32 IRC server. mIRC is no better than a Win32 IRC server, but that's just my opinion.
We all had to start somewhere.

Of course using Win32 servers is stupid, but I have learned a lot about possible exploits this way and only mentioned it because more people have used mIRC and Windows than X-Chat or Red Hat 6.2. Now with Ubuntu it's probably easier to set up a proper IRC server.
Also, mIRC scripting can be used to create a BL script which people can use. I have my own version of an IRC script, complete with internet browser, download manager and a powerful CLI (Command Line Interface). You can create some pretty nice scripts with mIRC.
As far as SSL is concerned, you have to be kidding me when you say it's not important? With the War on Terror and War on Drugs and telco immunity and whatnot going on, it's retarded to transmit unencrypted realtime communications through the Internet. Whether it's a VoIP phone call, a personal e-mail, AIM, or IRC... the technology to encrypt the contents of these conversations is mature, stable, and unobtrusive. Even if you're just talking to your family about what kind of dog food to get for the pet dog, you never know who is listening in or how it might be used against you in the future. Even without the government trying to record your private matters, there are always hackers and corporate spies out there sniffing traffic all across the world.
Considering that Bluelight could be used as a tool in the war on drugs in the future, you are right. I didn't think about that, since I am not used to using SSL connections and had forgotten that IRC can be exploited / hacked quite easily.
It's bad enough the Bluelight forums don't use SSL for logging in and sending private messages.
Anyways, every IRC client supports SSL out of the box now, and has for a while. It's also simple to set up an instance of the Perl web application CGI:IRC on a subdomain like https://chat.bluelight.ru that automatically grabs the nickname and password or authentication token from the bluelight.ru cookie in your browser and begins to log in to IRC, skipping the usual login screen that CGI:IRC starts with.
Thanks for the schooling...

Nah, I am interested in creating a BL IRC server and didn't think about security, which was stupid. It's been a while since I have been involved in IRC.

BTW, how did you get involved in IRC servers? You seem to have good knowledge of IRC and security.
Peace o/
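To make the design discussed in this thread concrete (authenticate connecting IRC clients against the forum's user table, kill them with a "register first" reason if the lookup fails, and refuse nick changes once connected), here is an added, stand-alone Python illustration. It is not code from the thread, from InspIRCd's sqlauth module, or from vBulletin: the user table layout, the md5(md5(password) + salt) hashing scheme (the vBulletin 3 style, assumed here), the registration URL, the sample users and the exact reply strings are all constructed for the example. An in-memory SQLite database stands in for the forum's SQL table.

```python
import hashlib
import hmac
import sqlite3

# Placeholder registration link; the real forum path is not given in the thread.
REGISTER_URL = "https://www.bluelight.ru/REGISTRATION_PATH_PLACEHOLDER"
# What the killreason variable in the thread would carry.
KILL_REASON = f"You must register on Bluelight first: {REGISTER_URL}"
# Mirrors <disabled commands="NICK"> from the thread: commands refused after registration.
DISABLED_COMMANDS = ("NICK",)


def vb_hash(password, salt):
    """vBulletin-3-style password hash, md5(md5(password) + salt). Assumed scheme."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def build_user_table():
    """Constructed stand-in for the forum's user table, with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT, salt TEXT)")
    sample = [("alice", "correct horse", "ab1"), ("bob", "hunter2", "zz9")]
    for name, pw, salt in sample:
        conn.execute("INSERT INTO user VALUES (?, ?, ?)", (name, vb_hash(pw, salt), salt))
    conn.commit()
    return conn


def authenticate(conn, nick, password):
    """Look the nick up as a forum username and verify the password.
    Returns (accepted, kill_reason); the reason is empty on success."""
    row = conn.execute(
        "SELECT password, salt FROM user WHERE username = ?", (nick,)
    ).fetchone()
    if row is None:
        return (False, KILL_REASON)
    stored, salt = row
    # Constant-time comparison of hex digests.
    if not hmac.compare_digest(stored, vb_hash(password, salt)):
        return (False, KILL_REASON)
    return (True, "")


def handle_registration(conn, lines):
    """Process the PASS/NICK/USER lines a client sends while connecting.
    Because the nick is looked up as the forum username, the IRC nick is
    tied to the Bluelight account. Returns (accepted, server_reply)."""
    creds = {}
    for line in lines:
        parts = line.split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "PASS":
            creds["pass"] = arg
        elif cmd == "NICK":
            creds["nick"] = arg
    if "nick" not in creds or "pass" not in creds:
        return (False, "ERROR :Closing link: nick and password required")
    ok, reason = authenticate(conn, creds["nick"], creds["pass"])
    if not ok:
        return (False, f"ERROR :Closing link: {reason}")
    return (True, f":server 001 {creds['nick']} :Welcome, {creds['nick']}")


def command_allowed(line, disabled=DISABLED_COMMANDS):
    """After registration, refuse commands in the disabled list (e.g. NICK)."""
    cmd = line.split(" ", 1)[0].upper()
    return cmd not in disabled


if __name__ == "__main__":
    db = build_user_table()
    print(handle_registration(db, ["PASS hunter2", "NICK bob", "USER bob 0 * :Bob"]))
    print(handle_registration(db, ["PASS nope", "NICK mallory", "USER m 0 * :M"]))
    print(command_allowed("NICK eve"), command_allowed("PRIVMSG #bluelight :hi"))
```

The lookup is parameterised rather than built by string interpolation, so a nick containing quotes cannot alter the query; a real deployment would also run the IRC listener over SSL, as the thread argues, since the password travels in the PASS line.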