Anope IRC Services


Author Topic: enc_* module hiding  (Read 3673 times)


katsklaw

  • Guest
enc_* module hiding
« on: July 13, 2007, 09:52:33 PM »

IMHO, it's a security risk to list the module in the open for all to see whether passwords are encrypted or not. I feel that when people see "(enc_none)", they automatically think "cool, someone to hack". Imagine someone bouncing from network to network looking for "victims", the victim being the shell account Anope runs on to get all their passwords. Sure, there are other ways to get hacked, but it's my belief that this is an invitation.

Personally I see no real reason people other than admins need to know which type is used. As far as end users go, all they need to know is if they can use SENDPASS or not and even though it's automatically disabled while encryption is in use, it's still optional with plaintext.

Although there are several ways to hide this from non-opered users, my personal favorite is to remove it completely from /version output. Someone with access to services shell account will know and can tell those that need to know what it is.

I have plans on adding ENCModule to my os_confinfo module so it can be listed there for sure.

Charles Kingsley

  • Contributor
  • Posts: 1405
(No subject)
« Reply #1 on: July 19, 2007, 09:06:42 PM »

I'd agree.