#1 2012-03-27 12:35:50

brianb
Member
From: Montreal, QC
Registered: 2012-02-17
Posts: 81

Bitlbee/irssi and password security

Hi,

I've been using Bitlbee with irssi to chat using gtalk, but only today did I realize that there's a "register" command that will save all your account settings so you don't have to add your accounts and passwords each time you fire up Bitlbee. However, I read about it in this user guide, which says that "IRC is not an encrypted protocol, so passwords still go over the network in plaintext ... so don't use your root password".

Not that I would ever use my root password, but it makes me curious: is there any difference in security between the password that I register with Bitlbee for account settings, and the passwords for those accounts? In other words, if the Bitlbee password can be intercepted, then can my gmail, etc. passwords also be intercepted?

I don't know enough about encryption, protocols, etc., or how these chat programs and servers actually communicate with each other. Any info would be greatly appreciated!

Brian

Last edited by brianb (2012-03-27 12:37:03)


#2 2012-03-27 13:20:45

magicalChicken
Member
From: in the sky
Registered: 2012-03-03
Posts: 73

Re: Bitlbee/irssi and password security

Passwords for most accounts and protocols are encrypted before they are transmitted, so you should not have too much to worry about, but if you do want more security, then using ssl or tcl can help.


#3 2012-03-27 15:00:47

brianb
Member
From: Montreal, QC
Registered: 2012-02-17
Posts: 81

Re: Bitlbee/irssi and password security

Thanks for the response. I guess my question is: is there a difference in terms of security (encryption) between the password registered with Bitlbee for account settings ("register password") vs. the password(s) given to Bitlbee for each account (e.g., "account add jabber username@gmail.com password")?

If there is no difference, then either both are secure (encrypted), in which case I've got no problem registering all my account settings with a password, or they're both insecure, which is a problem. The user guide claims that the registered password is insecure, so hopefully the account passwords are somehow transmitted differently.

Maybe what happens is this: your registered password is transmitted openly in plaintext, but once you're connected, everything is secure. But then what's to stop someone else from intercepting the register password, connecting as you, and seeing all your account settings* and/or logging into your IM accounts?

I know this sounds very tin-foil-hat-ish, and honestly I'm not worried about it -- I'm just curious how it all works. :)

*Actually, doing "account <account id> set" lists all settings, but the password has *'s, so I guess it's kept hidden.

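An added example (not part of the thread, and not BitlBee or irssi code) bearing on the comparison in the post above: both `register` and `account add` are typed into the BitlBee control channel, so each reaches BitlBee as ordinary IRC `PRIVMSG` text on the client-to-BitlBee hop. The sketch masks those passwords in raw IRC lines before a log is shared; the `&bitlbee`/`root` targets, the `identify` command and the sample lines are assumptions constructed for illustration.

```python
import re

# Raw IRC PRIVMSG, with or without a ":nick!user@host " prefix.
PRIVMSG = re.compile(r'^(?P<head>(?::\S+ )?PRIVMSG (?P<target>\S+) :)(?P<text>.*)$', re.I)

CONTROL_TARGETS = {"&bitlbee", "root"}   # assumed names for the BitlBee control channel/user
MASK = "********"

def redact_line(line):
    """Return (line_with_password_masked, kind); kind is None if no credential is present."""
    line = line.rstrip("\r\n")
    m = PRIVMSG.match(line)
    if not m or m.group("target").lower() not in CONTROL_TARGETS:
        return line, None
    words = m.group("text").split()
    lower = [w.lower() for w in words]
    if len(words) >= 2 and lower[0] in ("register", "identify"):
        # "register <password>" from the thread; "identify" logs in to the saved profile.
        keep, kind = words[:1], "profile password"
    elif len(words) >= 5 and lower[:2] == ["account", "add"]:
        # "account add <protocol> <username> <password>" as quoted in the thread.
        keep, kind = words[:4], "IM account password"
    else:
        return line, None
    # Mask everything after the kept words, so quoted passwords with spaces are covered too.
    return m.group("head") + " ".join(keep) + " " + MASK, kind

# Constructed sample of what a client sends on the IRC connection (not a real capture).
SAMPLE = [
    "NICK brian",
    "PRIVMSG &bitlbee :register s3cret-profile-pw",
    "PRIVMSG &bitlbee :account add jabber username@gmail.com s3cret-gmail-pw",
    "PRIVMSG &bitlbee :account list",
    "PRIVMSG #archlinux :register is a bitlbee command",
]

def audit(lines):
    """Redact every line and report which kinds of credential appeared."""
    results = [redact_line(l) for l in lines]
    return [r[0] for r in results], sorted({r[1] for r in results if r[1]})

if __name__ == "__main__":
    redacted, kinds = audit(SAMPLE)
    print("\n".join(redacted))
    print("credential kinds seen in plaintext:", kinds)
```

Both kinds of password appear in the same form on this hop; the connection BitlBee itself opens to the IM service is a separate link and is not covered by this sketch.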

#4 2012-03-28 05:36:07

freebullets
Member
Registered: 2011-11-10
Posts: 31

Re: Bitlbee/irssi and password security

I don't think bitlbee supports secure IRC. It does support chat encryption though. A good overview can be found here.

Alternatively, you can use ZNC, which, among other things, acts as a secure IRC tunnel.

