Friday, August 5, 2016

Planned Obsolescence of Plain Text Connections (Port 6667)

As everyone knows, I take a (pretty big) interest in user privacy and user security. With this in mind, I'm working on a plan to make plaintext connections on port 6667 obsolete, and eventually reject them. This post is a very public way of documenting the process.

The Plan

The current plan as of now is to perhaps start blocking connections on 6667 by January 1, 2017. This date isn't set in stone and is definitely subject to change.

The Method

Before normal access on 6667 is blocked (there will be some exceptions), I plan to figure out who still connects to the network using plain text, and individually reach out to them. There really isn't an already-established way of easily determining the folks who connect over plaintext, so figuring out these users might take more time as well.

When the time comes to "disable" 6667 connectivity, I plan to set up a special connect block that rejects users with a message telling them about plain text being obsolete. This post might even be the one served in the error message. Here's a preview error message:

Plain text connections have been disabled on Techtronix as of January 1, 2017. Please connect using TLS on port 6697 or contact network staff for an exemption.

Exceptions

I hope to keep these down to the absolute minimum, but I do plan to have a mechanism in place to still allow certain types of connections to occur over plain text. The biggest example I can think of would be for IRC index bots for some (older) IRC search engines, and also for developers who wish to use Techtronix as a playground network to do their testing (HoloIRC comes to mind).

The Aftermath

I plan to keep this system in place for a long while, probably for a year or more. Eventually, I do hope to just outright turn off port 6667 altogether, hopefully when the push to more secure IRC networks becomes more common. There are already some networks out there that do SSL/TLS-only connections, but I want to make this transition as clean as possible to avoid alienating users, bots, and entire services alike.

Request for Comment

I hope that you folks will leave your feedback either on the network or in the comments section below. I want this to be a move that's positive for everyone, not just another administrative decision that most users aren't aware of.

Edit Nov. 12, 2016:
Final provisions to enable the port restriction at the turn of the year are now complete. Only known search engine bots/indexers are exempt from the new restriction. This is the new message that will be sent by the server:

* Closing link: (user@host) [*** Plain text connections have been disabled on Techtronix as of January 1, 2017. Please connect using TLS on port 6697 or contact network staff for an exemption.]

Default connections for certain IRC clients are being considered and will probably be added to the exception list, but nothing else is really eligible. It's almost the end of 2016 and insecure IRC connections are a thing of the past.