
Set channel cmode +S for wikimedia private IRC-Channels
Closed, Resolved (Public)

Description

We have SSL at all wikis now. We try to make everything more secure, 2FA etc. But there is still one thing to do:
There are people talking in IRC, IRC allows SSL as well. Of course, we should not require SSL in IRC in every channel, for example if you use freenode webchat, you can't use SSL, so it would be bad for new users, or users asking for help etc.
But at least for channels, where people mention private data, we should require SSL, in my opinion.

What would need to be done then? At private channels where private data gets mentioned, like #wikimedia-checkusers or #wikimedia-privacy, the channel mode +S should get set. This would mean that every user who is not connected via SSL would not be able to join the channel. Instead they would receive a message saying that they need SSL.
Currently, this feature is not enabled:

[21:54:26] * Channel #wikimedia-checkusers Modes: +cimntzf
[21:54:31] * Channel #wikimedia-privacy Modes: +FLcginsf
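The check described above, written as a small audit script. This is an added example, not part of the original task or of any Wikimedia tooling. It reads mode lines in the two shapes that appear in this task ("Modes: ..." and ChanServ "Mode lock : ...") and reports which channels lack +S. The first two sample lines are copied from the log above; the #example-private lines and the function names are constructed for illustration.

```python
import re

CHAN_RE = re.compile(r"(#[^\s:,]+)")                 # first channel name on a line
MODE_RE = re.compile(r"Mode(?:s| lock)\s*:\s*(\S+)")  # first token only, so mode
                                                      # parameters are ignored

def active_modes(mode_string):
    """Return the mode letters that are set (+), dropping cleared (-) ones."""
    active, sign = set(), "+"
    for ch in mode_string:
        if ch in "+-":
            sign = ch
        elif sign == "+":
            active.add(ch)
        else:
            active.discard(ch)
    return active

def audit(lines, required="S"):
    """Map channel -> True if `required` is set. Mode letters are case-sensitive:
    lowercase 's' (secret) does not satisfy uppercase 'S' (SSL-only)."""
    result, current = {}, None
    for line in lines:
        chan = CHAN_RE.search(line)
        if chan:
            current = chan.group(1)  # ChanServ names the channel on an earlier line
        mode = MODE_RE.search(line)
        if mode and current:
            result[current] = required in active_modes(mode.group(1))
    return result

def missing(lines, required="S"):
    """Channels whose mode string does not include `required`."""
    return sorted(c for c, ok in audit(lines, required).items() if not ok)

SAMPLE = [
    "[21:54:26] * Channel #wikimedia-checkusers Modes: +cimntzf",
    "[21:54:31] * Channel #wikimedia-privacy Modes: +FLcginsf",
    "-ChanServ- Information on #example-private:",  # constructed
    "-ChanServ- Mode lock  : +Sint-lk",             # constructed
]

if __name__ == "__main__":
    for name in missing(SAMPLE):
        print(f"{name}: +S not set, plaintext clients can join")
```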

Event Timeline

It might be a good idea to clear up what kinds of private information can be sent over FreeNode.

#mediawiki_security should probably be added to that list

Hm:

[18:01:43] <Sagan> info #mediawiki_security
[18:01:44] -ChanServ- Information on #mediawiki_security:
[18:01:44] -ChanServ- Registered : Apr 06 18:36:11 2005 (11y 36w 1d ago)
[18:01:44] -ChanServ- Mode lock  : +ins
[18:01:44] -ChanServ- Flags      : PRIVATE
[18:01:44] -ChanServ- *** End of Info ***

[18:01:50] <Sagan> info #mediawiki-security
[18:01:51] -ChanServ- Information on #mediawiki-security:
[18:01:51] -ChanServ- Founder    : freenode-staff, wmfgc
[18:01:51] -ChanServ- Registered : Jun 02 09:55:14 2016 (27w 5d 7h ago)
[18:01:51] -ChanServ- Last used  : Jun 02 09:55:14 2016 (27w 5d 7h ago)
[18:01:51] -ChanServ- Mode lock  : +mpsC
[18:01:51] -ChanServ- Flags      : GUARD
[18:01:51] -ChanServ- *** End of Info ***

[OT] We maybe should ask the GCs if #mediawiki_security is included in the wikimedia namespace too. (I don't know which namespaces we have exactly, but per default, only #mediawiki and #mediawiki-* are included, I think.)

#mediawiki_security is explicitly named with an _ so GCs don't have control over it.

Also, does this task need to be private? Anyone can look up channel modes.

> Also, does this task need to be private? Anyone can look up channel modes.

Agreed. This can probably be made public.

> It might be a good idea to clear up what kinds of private information can be sent over FreeNode.

We should make a separate bug for this so we can keep track of this.

Bawolff triaged this task as Medium priority. (Dec 13 2016, 10:36 PM)
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".
Bawolff added a project: Privacy.

Bug made public

> #mediawiki_security is explicitly named with an _ so GCs don't have control over it.

Then it does not belong to a registered group, so it violates freenode's policies about channel ownership: https://freenode.net/policies

>> #mediawiki_security is explicitly named with an _ so GCs don't have control over it.

> Then it does not belong to a registered group, so it violates freenode's policies about channel ownership: https://freenode.net/policies

What? Please cite the actual part of the policy you think is being violated. Freenode doesn't require any group registration to create new primary channels.

If a channel does not belong to a group directly, freenode will not transfer the control to another person, even if the channel is expired, etc.

You're now saying something entirely different, which has nothing to do with this task.

It's worth noting that the move to libera.chat (T283247) changes the TLS stack and drops support for anything below TLS1.2, whereas freenode supported TLS1.0.

jrbs subscribed.

I don't think this is something T&S can help with, though the Privacy tag might still be useful

So this task is now only about setting +S on #wikimedia-privacy to get it resolved, if I understand correctly?

>ChanServ< info #wikimedia-checkusers
-ChanServ- #wikimedia-checkusers is not registered.
>ChanServ< info #wikimedia-privacy
-ChanServ- Information on #wikimedia-privacy:
-ChanServ- Mode lock  : +nt-lk
-ChanServ- Flags      : GUARD PUBACL

Just a passing point that the CU channel is #wikimedia-checkuser, and not #wikimedia-checkusers :-)

Information on #wikimedia-checkuser:
Mode lock  : +nt-lk
stwalkerster assigned this task to AmandaNP.

Done by Amanda on -checkuser and -privacy - the channel mode for both channels is now +Sint

As a quick correction to the task description - webchat users connect via TLS by default, so are not impacted by this change.