If I run an IRC server, and my friend and I connect over TLS and chat, is the conversation essentially end-to-end encrypted because all computers that see the plaintext messages are owned by one of the participants?
Related: If you and your friend each run a TLS web server, the two of you can communicate very securely (without IRC). See https://security.stackexchange.com/questions/256443/in-a-synchronous-environment-does-signal-offer-any-security-benefits-that-can-t – mti2935 Jul 31 '22 at 14:09
2 Answers
No. End-to-end encryption means that the middle man cannot see anything. Even if you own the IRC server, it is not end-to-end encrypted. It's probably safer than using a public IRC server, but not as safe as using OTR or another client-side text encryption plugin that supports IRC.
The fact that the IRC server has access to your communications means it is, by definition, not end-to-end encrypted. Just because you trust the server doesn't change this.
What if the client program runs on the same machine as the server? e.g. I allow port 6697 on my router, I connect to localhost:6697, my friend connects to :6697 – Someone Jul 30 '22 at 22:54
@Someone In that case it boils down to semantics. If you define your system as one "end" then yes. If you only define the process itself as the "end", then no. For all intents and purposes, yes. – forest Jul 30 '22 at 22:55
okay. So in that case it is as secure as "real" e2ee, but depending on the definitions one uses it might not be "real" e2ee? – Someone Jul 30 '22 at 22:56
@Someone If you trust your computer, then yes. It is effectively e2e because there is no 3rd party that has any access to the plaintext data. – forest Jul 30 '22 at 22:56
Okay. I've used IRC on a LAN with the router, server, and one of the clients all running on one device (my phone with mobile hotspot enabled, running a server in Termux and a regular Android client), and the other user was connected to my hotspot. I was using an encrypted WiFi connection, but not TLS. Is that effectively e2ee? – Someone Jul 30 '22 at 22:58
@Someone No, because your router has access to the plaintext data, as do any other devices that know the router's password. – forest Jul 30 '22 at 22:59
the router was the phone (it was mobile hotspot), and only the two users knew the password – Someone Jul 30 '22 at 23:02
@Someone I think you need to define a threat model at this point. Whether it's end-to-end encrypted is just semantics, and attackers don't care about word definitions. – forest Jul 30 '22 at 23:03
No, IRC isn't end to end encrypted.
End to end encryption is not something you see usually. A few communication applications use it, because it is something difficult to implement, and most use cases don't need it.
On IRC, the connections between the clients and the server are encrypted, but the server holds the keys to every connection. The server has access to the clear text of every single message.
The owner of the server has plaintext access to every single message sent on the server. Unless the clients themselves are encrypting the messages before sending, the owner has access to every single one of them.
It's the same with email, with FTP servers, with almost every online chat service...
...Unless the clients themselves are encrypting the messages before sending. – ThoriumBR Jul 30 '22 at 22:51
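The difference both answers describe, as an added example that is not part of either answer: a relay that terminates each TLS hop logs what it can read, first with TLS alone and then with a client-side layer in the spirit of OTR. Assumptions: the two per-hop AES-GCM keys are constructed stand-ins for the TLS sessions, the function names are hypothetical, and the clients compare their X25519 public keys out of band (a key exchange relayed unauthenticated through the server would let the server substitute its own keys).

```javascript
const { randomBytes, createCipheriv, createDecipheriv, diffieHellman,
        hkdfSync, generateKeyPairSync } = require('crypto');

// AES-256-GCM helpers; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Constructed stand-ins for the two TLS sessions: the server holds both keys.
const hopAlice = randomBytes(32);
const hopBob = randomBytes(32);

// The relay terminates each hop, so it always handles the decrypted IRC line.
function relay(wireFromAlice, serverLog) {
  const line = open(hopAlice, wireFromAlice);
  serverLog.push(line); // what the server operator can read
  return seal(hopBob, line);
}

// Key known only to the clients: X25519 agreement, then HKDF-SHA256.
function clientKey(myPrivate, peerPublic) {
  const shared = diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), 'irc-e2e-demo', 32));
}

// Send one message from alice to bob; e2eKeys === null means TLS hops only.
function send(text, e2eKeys) {
  const log = [];
  const body = e2eKeys ? seal(e2eKeys.alice, text).toString('base64') : text;
  const wire = relay(seal(hopAlice, `PRIVMSG bob :${body}`), log);
  const received = open(hopBob, wire).replace('PRIVMSG bob :', '');
  const shown = e2eKeys ? open(e2eKeys.bob, Buffer.from(received, 'base64')) : received;
  return { serverSaw: log[0], bobRead: shown };
}

function demo() {
  const a = generateKeyPairSync('x25519');
  const b = generateKeyPairSync('x25519');
  const keys = { alice: clientKey(a.privateKey, b.publicKey),
                 bob: clientKey(b.privateKey, a.publicKey) };
  return { tlsOnly: send('meet at noon', null), withE2e: send('meet at noon', keys) };
}
```

In `demo().tlsOnly` the server log holds the full `PRIVMSG` line; in `demo().withE2e` it holds only base64 ciphertext, while Bob reads the same text in both cases.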