Logging in to your services account via SASL instead of NickServ IDENTIFY
is advantageous for a number of reasons:
- You are logged in before connection registration completes, rather than some time after
  you have connected and sent IDENTIFY. This means that you can instantly:
  - Match a channel invite exception based on your account name.
  - Join a registered-users-only channel.
  - Join a restricted channel that you have access to, without services kick-banning you
    for not being logged in at the time.
  ... and the list goes on.
- Your IRC client can usually be configured to abort the connection if SASL authentication fails
  for any reason. This is useful if, for example:
  - You always want to join channels with a vHost instead of your partially-cloaked hostname.
  - You do not want to connect to the network at all if the IRC services are unavailable.
The AlphaChat IRC Network currently supports the following SASL authentication mechanisms, in decreasing order of
security:
- EXTERNAL
  - This mechanism relies on you connecting with TLS, using a TLS client certificate; no password
    crosses the connection at all.
  - This mechanism is supported by some, but not all, contemporary IRC clients.
  - You must register your TLS client certificate fingerprint in your services account, so that
    services can match the certificate you present against it.
- SCRAM-SHA-256
  - This mechanism uses your services account name and account password.
  - This mechanism is poorly-supported by contemporary IRC clients.
  - This mechanism requires you to be connected via TLS to use it securely. Your password itself
    is never sent, but without TLS an eavesdropper who records the exchange obtains the salt, the
    iteration count and your client proof, which is enough to test password guesses offline
    (an offline brute-force attack).
  - This mechanism does not work if you have the NOPASSWORD flag set on your services account.
- PLAIN
  - This mechanism uses your services account name and account password.
  - This mechanism is very widely-supported by contemporary IRC clients.
  - This mechanism requires you to be connected via TLS to use it securely; your password is
    disclosed in plaintext if you do not.
  - This mechanism does not work if you have the NOPASSWORD flag set on your services account.
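To make the SCRAM-SHA-256 caveat concrete, here is an added example in Python (it is not AlphaChat's or any IRC client's code; the account name, password, salt and nonces are made up). It runs both sides of one SCRAM-SHA-256 exchange against the record services would keep, and then shows what an eavesdropper on a non-TLS connection can do with the three recorded messages: each password guess costs one PBKDF2 computation and needs no further contact with the server. On IRC each of these messages travels base64-encoded inside AUTHENTICATE lines; that framing is left out here.

```python
"""SCRAM-SHA-256 (RFC 7677) run end to end, plus the offline guessing attack that recording a
non-TLS exchange enables.  Added example, not AlphaChat's own code; all credentials are made up."""
import base64
import hashlib
import hmac
import secrets

# Constructed sample account.  The fixed salt only keeps the transcript reproducible.
ACCOUNT = "alice"
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("8f3c1b2a4d5e6f70a1b2c3d4e5f60718")
ITERATIONS = 4096


def h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(password: str, salt: bytes, iterations: int):
    """SaltedPassword -> (ClientKey, StoredKey, ServerKey) as in RFC 5802 section 3."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = h(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest(), h(salted, b"Server Key")


def register(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> dict:
    """Server-side enrolment: services keep StoredKey and ServerKey, never the password."""
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "stored_key": stored_key, "server_key": server_key}


def scram_exchange(username, password, record, client_nonce=None, server_nonce=None) -> dict:
    """Both sides of one SCRAM-SHA-256 run against the server's stored record.  Returns the
    transcript plus whether the server accepted the proof and the client accepted the server."""
    c_nonce = client_nonce or secrets.token_urlsafe(18)
    client_first_bare = f"n={username},r={c_nonce}"
    client_first = "n,," + client_first_bare                 # "n,,": no channel binding, no authzid

    # server -> client: our nonce extended with its own, the salt and the iteration count
    s_nonce = c_nonce + (server_nonce or secrets.token_urlsafe(18))
    salt_b64 = base64.b64encode(record["salt"]).decode()
    server_first = f"r={s_nonce},s={salt_b64},i={record['iterations']}"

    # client -> server: proof bound to everything exchanged so far (salt/iterations come from server_first)
    client_final_bare = f"c={base64.b64encode(b'n,,').decode()},r={s_nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    salt, iters = base64.b64decode(salt_b64), int(server_first.rsplit(",i=", 1)[1])
    client_key, stored_key, my_server_key = derive_keys(password, salt, iters)
    proof = xor(client_key, h(stored_key, auth_message))
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"

    # server verifies: unmask ClientKey from the proof and check it hashes to StoredKey
    recovered = xor(proof, h(record["stored_key"], auth_message))
    client_ok = hmac.compare_digest(hashlib.sha256(recovered).digest(), record["stored_key"])
    server_final = "v=" + base64.b64encode(h(record["server_key"], auth_message)).decode()

    # client verifies the server signature, so a fake server cannot pass itself off as services
    expected = base64.b64encode(h(my_server_key, auth_message)).decode()
    server_ok = hmac.compare_digest(server_final[2:], expected)
    return {"client_first": client_first, "server_first": server_first, "client_final": client_final,
            "server_final": server_final, "ok": client_ok and server_ok}


def offline_guess(transcript: dict, candidate: str) -> bool:
    """What an eavesdropper on a non-TLS connection can do with the recorded messages alone:
    the salt, iteration count, both nonces and the proof are all visible, so each password
    guess costs one PBKDF2 run and no interaction with the server."""
    client_first_bare = transcript["client_first"][3:]        # drop the "n,," GS2 header
    server_first = transcript["server_first"]
    client_final_bare, proof_b64 = transcript["client_final"].rsplit(",p=", 1)
    attrs = dict(item.split("=", 1) for item in server_first.split(","))
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_key, stored_key, _ = derive_keys(candidate, base64.b64decode(attrs["s"]), int(attrs["i"]))
    return xor(client_key, h(stored_key, auth_message)) == base64.b64decode(proof_b64)


if __name__ == "__main__":
    record = register(PASSWORD)
    transcript = scram_exchange(ACCOUNT, PASSWORD, record)
    print("server accepted proof:", transcript["ok"])
    for guess in ("hunter2", "password1", PASSWORD):
        print(f"eavesdropper tests {guess!r}:", offline_guess(transcript, guess))
```

Two things to take from this: the server never holds the password, only StoredKey and ServerKey, which is what makes SCRAM better than PLAIN against a leaked services database; but against someone watching a non-TLS connection the only protection is the PBKDF2 cost per guess, which a weak password does not survive. Over TLS the transcript is not visible and offline_guess has nothing to work with.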
If you are unsure what your account name is, /whois yourself while you are logged in; the account
name is NOT the same thing as a nickname!
If you don't know what any of this means, but your client indicates that it supports SASL, just use
PLAIN (if given the option); it is no less secure than NickServ IDENTIFY, which also sends your
password over the connection in plaintext.
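As an added example of what a PLAIN login looks like on the wire, and of the abort-on-failure behaviour mentioned earlier, here is a small Python client-side state machine (it is not any IRC client's or AlphaChat's own code; the server name, account name and password are made up). It runs the SASL exchange during capability negotiation, before CAP END, so the client is logged in before registration completes, and it QUITs instead of completing registration if the server answers with a failure numeric.

```python
"""IRCv3 SASL PLAIN login as a client-side state machine driven by scripted server lines.
Added example, not AlphaChat's or any IRC client's own code; server name and account are made up."""
import base64


def plain_payload(account: str, password: str) -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL password, base64-encoded for AUTHENTICATE.
    On IRC both ids are the services account name, not the nickname."""
    raw = account.encode() + b"\0" + account.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def chunk_authenticate(payload: str) -> list:
    """IRCv3 sends the base64 payload in 400-byte AUTHENTICATE chunks; an empty payload,
    or one whose last chunk is exactly 400 bytes, is terminated with 'AUTHENTICATE +'."""
    lines = [f"AUTHENTICATE {payload[i:i + 400]}" for i in range(0, len(payload), 400)]
    if len(payload) % 400 == 0:
        lines.append("AUTHENTICATE +")
    return lines


def parse(line: str):
    """Split an IRC line into (prefix, COMMAND, params), keeping the trailing ' :' param whole."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    head, sep, trailing = line.partition(" :")
    params = head.split() + ([trailing] if sep else [])
    return prefix, params[0].upper(), params[1:]


class SaslPlainClient:
    """Feed server lines in, get client lines out.  status ends as 'ok' or 'failed'; with
    abort_on_failure the client QUITs rather than finishing registration unauthenticated."""

    def __init__(self, nick, account, password, abort_on_failure=True):
        self.nick, self.account, self.password = nick, account, password
        self.abort_on_failure = abort_on_failure
        self.caps, self.mechs, self.status = set(), None, None

    def start(self) -> list:
        # CAP LS before NICK/USER holds registration open until CAP END, so SASL runs first
        return ["CAP LS 302", f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def feed(self, line: str) -> list:
        _, cmd, params = parse(line)
        if cmd == "CAP" and len(params) >= 3 and params[1] == "LS":
            for cap in params[-1].split():
                name, _, value = cap.partition("=")
                self.caps.add(name)
                if name == "sasl" and value:
                    self.mechs = value.split(",")        # CAP 302 lists the mechanisms offered
            if params[2] == "*":                         # "CAP * LS * :..." = more lines follow
                return []
            if "sasl" not in self.caps or (self.mechs is not None and "PLAIN" not in self.mechs):
                return self._fail("server does not offer SASL PLAIN")
            return ["CAP REQ :sasl"]
        if cmd == "CAP" and len(params) >= 3 and params[1] == "ACK" and "sasl" in params[-1].split():
            return ["AUTHENTICATE PLAIN"]
        if cmd == "CAP" and len(params) >= 3 and params[1] == "NAK":
            return self._fail("server refused the sasl capability")
        if cmd == "AUTHENTICATE" and params == ["+"]:
            return chunk_authenticate(plain_payload(self.account, self.password))
        if cmd == "903":                                 # RPL_SASLSUCCESS: logged in before CAP END
            self.status = "ok"
            return ["CAP END"]
        if cmd in ("902", "904", "905", "906", "907"):   # the ERR_SASL* family
            return self._fail(params[-1] if params else cmd)
        return []

    def _fail(self, reason: str) -> list:
        self.status = "failed"
        if self.abort_on_failure:
            return [f"QUIT :{reason}"]
        return ["CAP END"]      # fall through and register without being logged in


def run(client: SaslPlainClient, server_lines) -> list:
    """Drive the client over a scripted server and return everything it would have sent."""
    sent = client.start()
    for line in server_lines:
        sent += client.feed(line)
        if sent[-1].startswith("QUIT"):
            break
    return sent


# Constructed server transcripts: a successful login, and the same up to a rejected password.
SERVER_OK = [
    ":irc.example.net CAP * LS :multi-prefix sasl=PLAIN,EXTERNAL,SCRAM-SHA-256",
    ":irc.example.net CAP alice ACK :sasl",
    "AUTHENTICATE +",
    ":irc.example.net 900 alice alice!~alice@example.net alice :You are now logged in as alice",
    ":irc.example.net 903 alice :SASL authentication successful",
]
SERVER_FAIL = SERVER_OK[:3] + [":irc.example.net 904 alice :SASL authentication failed"]

if __name__ == "__main__":
    for script in (SERVER_OK, SERVER_FAIL):
        client = SaslPlainClient("alice", "alice", "hunter2")
        print("\n".join(run(client, script)), "->", client.status, "\n")
```

The AUTHENTICATE line carries the account name and password base64-encoded, not encrypted, which is the whole reason PLAIN needs TLS; and because the 903 or 904 arrives before CAP END, the client can decide to QUIT before the server ever completes its registration, which is what "abort the connection if SASL fails" means in practice.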
The following mechanisms are additionally supported, with caveats:
- ECDSA-NIST256P-CHALLENGE
  - This mechanism uses your services account name and a randomly-generated challenge that your
    client signs with a NIST P-256 elliptic curve private key.
  - This mechanism is poorly-supported by contemporary IRC clients.
  - This mechanism does not require you to be connected over TLS to use it securely, because only
    a signature over a fresh server challenge is sent and your private key never leaves your
    client; but we recommend always using TLS anyway.
  - You must register your corresponding NIST P-256 public key in your services account.
  - This mechanism relies on the NIST P-256 curve, which is suspected to have been subverted by
    the United States intelligence community.