[IRCServices] Re: While talking about NickServ...

Countersync of AGNPH (and #agnph) countersync at hotmail.com
Sat Feb 24 14:16:01 PST 2001


From: "Lonewolf" <lonewolf at lagnet.org.za>
> On Fri, Feb 23, 2001 at 11:09:29PM -0800, Countersync of AGNPH (and
> #agnph) wrote:
> > Please do not forget that it is rare for a user to hide their email
> > address.
>
> Set "NSDefHideEmail" in your services.conf file.  This stops the
> possibility of would-be spammers from harvesting e-mail addresses from
> your NickServ database too.
>
> > Especially if they actually want to be contacted.  Perhaps the
> > addition of a 'secure' email address that the user is instructed to
> > set and not to share anywhere else is a good idea?
>
> Seems a terrible fiddle to add _another_ e-mail address; bound to
> confuse most users too.  If they want to be contacted, they should set
> their NickServ URL to a web page which has their preferred contact
> details.

Actually, I was suggesting it as a way to limit confusion.  If they know
that the address is to be used explicitly for the secure return of their
passwords, they are less likely to compromise their own security.  The fact
is that a user may want to keep an email address public.  This would allow
the user to have their current (and probably known) email address under the
old system, and a new address just for NickServ to send their password to.
Leaving it blank would automatically make NickServ use the other mailing
address, and leaving both blank would disable the feature.  Or at least,
that sounds like the simplest way of setting it up to me.

Additionally, were the services to have some type of split-key encryption
module in the future, the entry could be encoded with the public key and
only decoded with the services' private key.  It's still almost as vulnerable
to attack as the other methods, but if services had a separate account on
the same or a different server, whose files might not be compromised by an
attack, it could provide just slightly more security.  It is a bit complex
for the small increase, especially since root could likely read both the
private key and the password; thus separating the services and protecting root
security would be big concerns.