charybdis-ircd / charybdis

Scalable IRCv3.2 server for large, community-oriented networks
GNU General Public License v2.0

TLS-SRP #349

Open SoniEx2 opened 4 years ago

SoniEx2 commented 4 years ago

TLS-SRP does the password authentication at the TLS layer, prevents phishing and ignores invalid/outdated PKI certs as they're not relevant for the SRP. It improves UX all around.

I'd like to see TLS-SRP being used to authenticate users, similar to how we can use client certs. TLS-SRP is mainly used by Apple to provide iCloud security. It is by no means perfect, but as far as PAKEs go, it's the only thing we currently have, although it only works with TLS 1.2. As far as I know there are no approved PAKEs for TLS 1.3 yet, but that's not a good reason to delay security features.

I'd like to see PAKEs widely deployed, so they're taken into account in future versions of TLS, rather than being a late addition. Between their anti-phishing capabilities and the fact that they don't rely on PKI, they're awesome!

Also, I am willing to implement it myself, but I'll need help (onboarding) for that.

(OT: yes, I'm that Soni who used to harass the project members. I'm sorry. I don't do that anymore.)