Anope IRC Services

Anope Development => Feature Requests => Topic started by: katsklaw on July 13, 2007, 09:52:33 PM

Title: enc_* module hiding
Post by: katsklaw on July 13, 2007, 09:52:33 PM
IMHO, it's a security risk to list the module in the open for all to see whether passwords are encrypted or not. I feel that when people see "(enc_none)", they automatically think "cool, someone to hack". Imagine someone bouncing from network to network looking for "victims", the victim being the shell account Anope runs on to get all their passwords. Sure, there are other ways to get hacked, but it's my belief that this is an invitation.

Personally I see no real reason people other than admins need to know which type is used. As far as end users go, all they need to know is if they can use SENDPASS or not and even though it's automatically disabled while encryption is in use, it's still optional with plaintext.

Although there are several ways to hide this from non-opered users, my personal favorite is to remove it completely from /version output. Someone with access to the services shell account will know and can tell those that need to know what it is.

I have plans on adding ENCModule to my os_confinfo module so it can be listed there for sure.
Title:
Post by: Charles Kingsley on July 19, 2007, 09:06:42 PM
I'd agree.