[Weechat-dev] [patch #5835] USER message privacy fix

[Alex Tarkovsky]

URL:
  <http://savannah.nongnu.org/patch/?5835>

                 Summary: USER message privacy fix
                 Project: Wee Enhanced Environment for Chat
            Submitted by: atarkovsky
            Submitted on: Friday 03/30/2007 at 10:47
                Category: irc protocol
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

This patch implements RFC 1459-compliant privacy measures for the
client-to-server connection process.

WeeChat compromises user privacy by sending unnecessary identifying
information to the server via the USER message upon connection. RFC 1459
specifies the parameters of the USER message as:

    <username> <hostname> <servername> <realname>

Regarding the hostname and servername parameters, the specification states:
"Note that hostname and servername are normally ignored by the IRC server
when the USER command comes from a directly connected client (for security
reasons), but they are used in server to server communication."

Per the specification those two particular USER parameters when sent by the
client aren't used by the server for anything. WeeChat creates a privacy
problem however by sending the following values for them:

1. For hostname WeeChat sends the client machine's real hostname. To see how
other *nix IRC clients handle this parameter I tested two popular ones, Irssi
and X-Chat. Over identical privacy concerns, as of version 2.6.1 X-Chat
stopped using the client machine's real hostname for the value of the
hostname parameter, and instead it duplicates the value of the username
parameter there. Irssi still uses the real hostname (but I'll be submitting a
patch to them shortly).

2. For servername WeeChat sends the string "servername". Among the IRC
clients tested, only WeeChat uses this particular value for servername,
making it obvious to the server (or a packet sniffer) which IRC client the
user is connecting with. Irssi and X-Chat both send the server's hostname
(NB: not the client's hostname!) as the servername parameter.

RFC 2812 further supports the argument that the value of USER's hostname and
servername parameters, when sent by a client, are non-vital. It updates the
specification for the USER message parameters:

    <user> <mode> <unused> <realname>

Notice that the former servername parameter is now completely unused, and
mode now takes the place of the hostname parameter: "The <mode> parameter
should be a numeric, and can be used to automatically set user modes when
registering with the server."

The attached patch doesn't attempt to implement the mode parameter (or any
other RFC 2812 features). It simply addresses privacy concerns by using the
following USER parameter values:

1. For hostname: The value of the username parameter is duplicated here (a la
X-Chat)

2. For servername: The server's hostname (read from server->address)




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Friday 03/30/2007 at 10:47  Name:
weechat-0.2.4-login-add_servername-no_hostname.patch  Size: 1kB   By:
atarkovsky
weechat-0.2.4-login-add_servername-no_hostname.patch
<http://savannah.nongnu.org/patch/download.php?file_id=12344>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/patch/?5835>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/