mirror of
https://github.com/ChronosX88/psyced.git
synced 2024-12-05 00:22:19 +00:00
are you human? do you care about privacy?
This commit is contained in:
parent
5cf911c6ae
commit
b8506361f6
@ -511,10 +511,10 @@ then
|
||||
git stash save 'changes stashed automatically by psyced -m'
|
||||
git merge -s resolve origin
|
||||
# restore local changes?
|
||||
# git stash apply
|
||||
# git stash pop
|
||||
echo ""
|
||||
echo "If you had local changes to your files you can now restore them using"
|
||||
echo "${hi}git stash apply${lo}"
|
||||
echo "${hi}git stash pop${lo}"
|
||||
exit
|
||||
fi
|
||||
|
||||
|
@ -4,6 +4,9 @@
|
||||
_warning_server_shutdown_temporary
|
||||
|Serverneustart: [_reason]
|
||||
|
||||
_warning_missing_circuit_encryption
|
||||
|Deine Verbindung ist nicht verschlüsselt. Du gefährdest die Privatsphäre anderer Personen!
|
||||
|
||||
_status_circuit_encryption_cipher
|
||||
|Gratuliere! Deine Verbindung ist mit forward secrecy verschlüsselt ([_circuit_encryption_cipher]).
|
||||
|
||||
|
@ -1,6 +1,9 @@
|
||||
<PSYC:TEXTDB> ## vim:syntax=mail
|
||||
## Check utf-8: Praise Atatürk!
|
||||
|
||||
_warning_missing_circuit_encryption
|
||||
|Your connection is not encrypted. You are putting other people's privacy at risk!
|
||||
|
||||
_status_circuit_encryption_cipher
|
||||
|Congratulations. Your connection is encrypted with forward secrecy.
|
||||
|
||||
|
@ -1,6 +1,9 @@
|
||||
<PSYC:TEXTDB> ## vim:syntax=mail
|
||||
## tradotto al 30% ... cerca /TODO/ per continuare
|
||||
|
||||
_warning_missing_circuit_encryption
|
||||
|La tua connessione non è crittata. Stai mettendo a rischio la privacy di altre persone!
|
||||
|
||||
_status_circuit_encryption_cipher
|
||||
|Muy bueno! La tua connessione è crittata con forward secrecy.
|
||||
|
||||
|
@ -276,4 +276,9 @@
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#define PRIVACY_SURVEILLED 0
|
||||
#define PRIVACY_UNKNOWN -1
|
||||
#define PRIVACY_MITMX509 23
|
||||
#define PRIVACY_REASONABLE 44
|
||||
|
||||
#endif
|
||||
|
@ -487,8 +487,9 @@ enter(source, mc, data, vars) {
|
||||
}
|
||||
# endif
|
||||
# if defined(SECURE)
|
||||
// let people in who are either connected via a SSL/TLS
|
||||
// protocol or are coming from the localhost (probably SSH users).
|
||||
// let people in who are either connected via an MITM-prone TLS
|
||||
// protocol or are coming from the reasonably safe localhost
|
||||
// (either SSH or Tor users).
|
||||
//
|
||||
// both cases are no absolute guarantee for safety.. it is still
|
||||
// in the hands of each user in the room to safeguard true secrecy
|
||||
@ -497,27 +498,14 @@ enter(source, mc, data, vars) {
|
||||
// or belong to a certain group, so you have to use the respective
|
||||
// #defines to also ensure that, if that's what you want.
|
||||
//
|
||||
// -lynX 2004
|
||||
|
||||
if (!((objectp(source) &&
|
||||
// should use trustworthy level 9 instead? if so.. how?
|
||||
(query_ip_number(source) == "127.0.0.1"
|
||||
# ifdef SECURE_IP_NUMBER
|
||||
|| SECURE_IP_NUMBER(query_ip_number(source))
|
||||
# endif
|
||||
|| query_ip_number(source) == __HOST_IP_NUMBER__ ))
|
||||
# if __EFUN_DEFINED__(tls_query_connection_state)
|
||||
// -lynX 2004, updated 2015
|
||||
//
|
||||
int intimacy = probably_private(source);
|
||||
// psyc client.. may also one day be a psyc server, in that
|
||||
// case we have to hope the rest of the link is secured, too
|
||||
|| (objectp(vars["_INTERNAL_origin"])
|
||||
&& interactive(vars["_INTERNAL_origin"])
|
||||
&& tls_query_connection_state(vars["_INTERNAL_origin"]))
|
||||
// tls connection, be it telnet irc jabber or https
|
||||
// shouldn't this check happen before "_INTERNAL_origin"? -lynX
|
||||
|| (objectp(source) && interactive(source)
|
||||
&& tls_query_connection_state(source))
|
||||
# endif
|
||||
)) {
|
||||
if (intimacy == PRIVACY_UNKNOWN)
|
||||
intimacy = probably_private(vars["_INTERNAL_origin"]);
|
||||
if (intimacy <= PRIVACY_SURVEILLED) {
|
||||
sendmsg(source, "_error_place_enter_necessary_encryption",
|
||||
"[_nick_place] may only be accessed by clients with enabled encryption.",
|
||||
([ "_nick_place" : qName() ]) );
|
||||
|
@ -186,3 +186,44 @@ string tls_bad_cipher(object sock, string scheme) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// Do not use server technologies like psyced for strong
|
||||
// privacy or anonymity requirements. Get started using
|
||||
// distributed technologies instead. Check out:
|
||||
// http://youbroketheinternet.org
|
||||
// http://secushare.org
|
||||
// But if you're happy with half-baked security, here you
|
||||
// have it:
|
||||
// -lynX 2015
|
||||
//
|
||||
int probably_private(object source) {
|
||||
// object has no TCP to it. you have to ask its circuit.
|
||||
unless (objectp(source) && interactive(source))
|
||||
return PRIVACY_UNKNOWN;
|
||||
// should use trustworthy level 9 instead? if so.. how?
|
||||
if (query_ip_number(source) == "127.0.0.1"
|
||||
// query_ip_number() efun is faster than a local
|
||||
// LPC variable, so it is fine we call it often
|
||||
|| query_ip_number(source) == __HOST_IP_NUMBER__
|
||||
# ifdef SECURE_IP_NUMBER
|
||||
|| SECURE_IP_NUMBER(query_ip_number(source))
|
||||
# endif
|
||||
// People coming from localhost have either made it
|
||||
// through SSH's reasonable certificate pinning or
|
||||
// Tor's public-key based addressing.. both provide
|
||||
// reasonable protection from men in the middle, if
|
||||
// only the server itself could be considered secure.
|
||||
//
|
||||
) return PRIVACY_REASONABLE;
|
||||
# if __EFUN_DEFINED__(tls_query_connection_state)
|
||||
// Alas, this person is using a TLS/SSL-enhanced
|
||||
// access protocol which, unless the client implements
|
||||
// certificate pinning, is susceptible to man in the
|
||||
// middle attacks. Find out more on this topic on
|
||||
// http://patrol.psyced.org
|
||||
//
|
||||
if (tls_query_connection_state(source))
|
||||
return PRIVACY_MITMX509;
|
||||
# endif
|
||||
return PRIVACY_SURVEILLED;
|
||||
}
|
||||
|
||||
|
@ -8,18 +8,27 @@
|
||||
|
||||
qScheme() { return "tn"; }
|
||||
|
||||
logon() {
|
||||
// first check limits and authlocal, then show banner
|
||||
if (::logon()) {
|
||||
// unless (nick) {
|
||||
cat(TELNET_PATH "clear.vt");
|
||||
cat("/local/banner.txt");
|
||||
// }
|
||||
human(x) {
|
||||
x = lower_case(x);
|
||||
unless (abbrev(x, "yes") || abbrev(x, "ja") || abbrev(x, "si") || abbrev(x, "zes")) {
|
||||
emit("\nSorry, no other species welcome currently.\n\n");
|
||||
}
|
||||
// now check limits
|
||||
else if (::logon()) {
|
||||
// takes a little tweaking to use T() here
|
||||
emit("Name: ");
|
||||
}
|
||||
}
|
||||
|
||||
logon() {
|
||||
if (nick) return ::logon(); // authlocal
|
||||
cat(TELNET_PATH "clear.vt");
|
||||
cat("/local/banner.txt");
|
||||
input_to(#'human, INPUT_IGNORE_BANG);
|
||||
// takes a little tweaking to use T() here
|
||||
emit("Are you human? ");
|
||||
}
|
||||
|
||||
password(a) {
|
||||
// send IAC + WONT + ECHO to go to echo-mode again
|
||||
#ifdef OLD_HACKS_WE_PROBABLY_NO_LONGER_NEED
|
||||
@ -67,7 +76,7 @@ hello(ni) {
|
||||
//
|
||||
// only the PROMUVE will need this, as the freemuve isn't accepting "." and
|
||||
// ":" in nicknames anyways (PROMUVE converts those to "_").
|
||||
#ifdef PRO_PATH
|
||||
#if 0 //def PRO_PATH
|
||||
# if 0
|
||||
{ int i1, i2, i3, i4, i5;
|
||||
if (strstr(ni, "://") > 0 ||
|
||||
@ -83,7 +92,8 @@ hello(ni) {
|
||||
return 1;
|
||||
}
|
||||
# else
|
||||
if (abbrev("GET ", ni) || abbrev("POST ", ni)
|
||||
// we could simply disallow space in the name here...
|
||||
if (abbrev("GET ", ni) || abbrev("POST ", ni) || abbrev("OPTIONS ", ni)
|
||||
|| abbrev("CONNECT ", ni)) {
|
||||
// hehe.. we could htredirect proxyscanners to our www port ;)
|
||||
emit("Dumbhead.\n<h1>Don't you have a telnet client?</h1>\n");
|
||||
@ -95,7 +105,7 @@ hello(ni) {
|
||||
return ::hello(ni);
|
||||
}
|
||||
|
||||
#ifdef BRAIN
|
||||
#if 0 //def BRAIN
|
||||
morph() {
|
||||
if (user->isNewbie())
|
||||
emit("\nSorry, no unregistered users currently.\n\n");
|
||||
|
@ -1572,13 +1572,22 @@ logon() {
|
||||
string evil;
|
||||
|
||||
if (tls_query_connection_state(ME) == 1) {
|
||||
if (evil = tls_bad_cipher(ME, t)) {
|
||||
// i bet jabber users will love this
|
||||
// evil TLS ciphers are no problem if the connection is being
|
||||
// tunneled through SSH or Tor, so we shut up in that case.
|
||||
if (probably_private(ME) < PRIVACY_REASONABLE &&
|
||||
(evil = tls_bad_cipher(ME, t))) {
|
||||
// Seems to affect only pidgin for linux prior to 2015
|
||||
w("_warning_circuit_encryption_cipher", 0, ([ "_circuit_encryption_cipher": evil ]));
|
||||
//return remove_interactive(ME);
|
||||
} else {
|
||||
unless (beQuiet) w("_status_circuit_encryption_cipher");
|
||||
}
|
||||
} else if (!probably_private(ME)) {
|
||||
w("_warning_missing_circuit_encryption"
|
||||
# ifdef _warning_missing_circuit_encryption
|
||||
, _warning_missing_circuit_encryption
|
||||
# endif
|
||||
);
|
||||
}
|
||||
#endif
|
||||
// cannot if (greeting) here this since jabber:iq:auth depends on this
|
||||
|
Loading…
Reference in New Issue
Block a user