diff options
| -rw-r--r-- | README | 25 |
1 files changed, 24 insertions, 1 deletions
@@ -6,7 +6,15 @@ FiSHLiM is a HexChat plugin for FiSH IRC encryption. It's my attempt at making -a simple, lightweight and secure plugin for this encryption protocol. +a simple and lightweight plugin for this encryption protocol. + +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +!! WARNING: FiSH encryption is not secure. See the security section below. !! +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +NOTE: A modified version of FiSHLiM is now bundled with HexChat. If you +use HexChat you should generally not install this plugin (and if you do +you need to remove the bundled version of FiSHLiM). For installation instructions, see the INSTALL file. @@ -28,6 +36,9 @@ Not working: * Topic encryption * Remote exploitation (hopefully!) * Plaintext content that contain +OK is decrypted twice + * Very long messages (more than ~200 characters) + * encryption of /me messages + * Message authentication Commands @@ -66,3 +77,15 @@ Commands Deletes the given nick or channel from the configuration file. +Security warning +---------------- +FiSH encrypts your messages in ECB mode (in other words, in independent +blocks). If the same block appears two times it will be encrypted the +same way both times. + +So, never give untrusted people unencrypted chat logs if they also have +the encrypted version! Then they can decrypt the messages if they appear +again. Also, it's possible to make statistical attacks or replay +attacks. The CBC mode is somewhat better, but does not use a HMAC and no +timestamp/nonce, so it is still not secure against message manipulation +or replay attacks. |