#cinch on 2015-07-11 — irc logs at freenode.irclog.whitequark.org

2015-07-08 18:14 dominikh changed the topic of #cinch to: The IRC Framework | Latest version: Cinch 2.2.6

00:29 sarkyniin has quit [Ping timeout: 252 seconds]

00:38 Crazy_Atheist has quit [Quit: Leaving]

02:06 rikai has quit [Ping timeout: 264 seconds]

02:07 rikai has joined #cinch

02:08 ZeeNoodleyGamer has quit [Quit: WeeChat 1.2]

07:35 head8debian has quit [Ping timeout: 244 seconds]

07:43 head8debian has joined #cinch

10:14 head8debian has quit [Ping timeout: 256 seconds]

10:48 head8debian has joined #cinch

11:01 head8debian has quit [Ping timeout: 256 seconds]

11:03 <Zarthus> is it possible to change the sasl mechanism used? It seems to default to BLOWFISH

11:04 <Zarthus> http://www.rubydoc.info/github/cinchrb/cinch/Cinch/Configuration/SASL doesn't state a mechanism either

11:04 <Zarthus> but I can see sasl plain being implemented

11:07 head8debian has joined #cinch

11:22 head8debian has quit [Ping timeout: 246 seconds]

11:55 postmodern has quit [Quit: Leaving]

12:13 head8debian has joined #cinch

12:20 <dominikh> Zarthus: it tries blowfish, and if that fails, it tries plain. (yes, that's prone toa degradation attack, but blowfish itself already is insecure, so eh). but there's no way to set the mechanism to use right now. do you really need that?

12:20 <dominikh> (it could be added.)

12:22 <Zarthus> dominikh: it's not "necessary", but from what I gathered blowfish is less secure than PLAIN over TLS, so my preference goes to using PLAIN.

12:22 <dominikh> I don't see how it could be less secure than PLAIN. BLOWFISH over TLS should be as secure as PLAIN over TLS, no?

12:23 <Zarthus> I suppose it might just be the atheme implementation of blowfish, I am not sure. One second, I'll get a source.

12:24 <dominikh> thanks

12:24 <Zarthus> https://github.com/atheme/atheme/blob/59c79f7ea1a52073033132d0d992b9da62b1d438/NEWS.md#saslserv and http://kaniini.dereferenced.org/2014/12/26/do-not-use-DH-AES-or-DH-BLOWFISH.html

12:26 <Zarthus> I am not 100% confident if this applies to every services package, but it does apply to Atheme at least.

12:26 <dominikh> that doesn't say that BLOWFISH over TLS is less secure than PLAIN over TLS. It's saying that BLOWFISH over an unencrypted connection is less secure than PLAIN over TLS. And that's of course true, BLOWFISH is sort of broken. BLOWFISH over TLS shouldn't be less secure than PLAIN over TLS, it's just pointless

12:29 <dominikh> also, as that changelog says, atheme removed support for BLOWFISH alltogether, so if you connect to atheme services, Cinch will try BLOWFISH, it'll fail, and then it'll use PLAIN

12:30 <Zarthus> alright, thanks for clearing up the confusion.

12:31 <dominikh> (I would love to drop BLOWFISH support completely, but there's probably someone depending on it. I also hate myself for the downgrade attack I'm allowing, but there's probably people depending on that, as well…)

12:31 <dominikh> People should just use ssl client certificates for authentication ;)

12:37 <Zarthus> yeah that's a good alternative to authentication, I just ended up implementing sasl first, but it shouldn't be too much effort to end up also allowing for SSL authentication

12:37 <Zarthus> eerr, client certificates*

12:41 <dominikh> are you writing your own services?

12:42 <Zarthus> nope - just using cinch for generic irc plugins and getting familiar with ruby in general.

12:43 <dominikh> because you said you implemented SASL

12:43 <Zarthus> Yeah it's a bit misphrased, it's more or less just referring to "reading the password from a configuration file and then telling cinch to use that"

12:43 <dominikh> ah.

12:43 <dominikh> okay

16:17 sarkyniin has joined #cinch

16:44 sarkyniin has quit [Ping timeout: 244 seconds]

16:46 sarkyniin has joined #cinch

18:03 sarkyniin has quit [Quit: Quit]

18:03 sarkyniin has joined #cinch

20:33 postmodern has joined #cinch

20:50 sarkyniin has quit [Ping timeout: 264 seconds]

21:11 sarkyniin has joined #cinch