Server hosting and trust

For the purpose of disclosure we have had to make the difficult decision to discontinue a long-standing relationship with a server sponsor.

As a freenode user you may be aware that our set-up is somewhat untraditional and differs from that of many other IRC networks; servers are sponsored by various companies and educational institutions across the globe and all our infrastructure is centrally managed by the freenode infrastructure team. Generally speaking we do not provide o:lines or other privileges to server sponsors. Whilst it is possible for a sponsor contact to also volunteer as a staffer on the network such recruitment is independent of any server hosting.

Our staff are expected to work together closely and communication is key in any freenode relationship, be that with users, among staff or with sponsor contacts. It is important to us to be consistent in the way we provide support and apply policy and we expect all volunteers to be intimately familiar with our policies, procedures and philosophies — which in turn means that senior staff invest a lot of time in ensuring that any new recruits are given adequate support when getting to know the ins and outs of the network and what being a freenode volunteer entails.

Unfortunately, one of our server sponsors added an o:line for themselves on the server they sponsored. Whilst we do not believe that this was done with any malicious intent (more through thoughtlessness/negligence and having forgotten the expectations set out on our “Hosting a Server” page), we feel that we are unable to comfortably and confidently continue the relationship.

Our number one priority has to be our target communities, the Free and Open Source Software communities that have chosen to make use of freenode in their internet activities.

Whilst we do not believe and have no evidence to indicate that any user traffic or data has been compromised, we would of course encourage you to change your passwords if you feel that this would make you more comfortable in continuing to use our services.

We can only apologise for this happening and we’d like to assure you that trust is incredibly important to us and that we are incredibly embarrassed that this situation arose in the first place.

As a result of this we have just replaced our SSL certificates, so if you notice that these have changed then this is the reason why.

We will of course take this opportunity to remind all our sponsors of our expectations when it comes to providing services to freenode and our target communities.

Again, we apologise for any inconvenience and we hope that any loss of trust in the network that may have resulted from this incident can be restored and that your projects will continue to feel comfortable using the network in future.



6 thoughts on “Server hosting and trust”

  1. Someone giving himself an O line should not put certificates in danger.

    The only certificate that should be revoked is the one for the server itself. Each hosting party should not receive the main ssl record for the entire network, that’s utterly ridiculous!

    1. New host generates a private key and csr for his subdomain.
    2. Freenode staff receives the csr (NOT THE KEY) and generates a certificate from it.
    3. In case of badness, freenode staff revoke it.

    How hard is that?

  2. How the hell can adding a single o: line to an IRC necessitate regenerating certificates? Your explanation leaves *lots* to be explained.

  3. And furthermore, your staff isn't around 100% of the time, if some abusive user is on your network we just have to sit and wait and wait and wait; it'd be quite nice if actual caring server admins that donate their damned hardware and bandwidth to support you, could actually change something in these cases.


  4. Thanks for your comments. We know that an o:line was added to our configuration and do not see any reason to believe our ssl certificates were compromised. Producing new ssl certificates is a “better safe than sorry” measure.

    Unlike other networks, freenode staff manage all of our ircd servers directly and, for historical reasons, use a wildcard cert.

    We don’t, as a general rule, provide O-lines or operator privileges to our server hosts. However, facilities hosts may apply separately for freenode staff duty and their applications will receive the same consideration as those of other users.

    We are always looking for volunteers and have a page on our website on the subject:

  5. So…is freenode now using a sane certificate policy across servers or is it continuing to use wildcard certs?

    Putting status quo over proper security isn’t acceptable, seriously.

  6. I thought there’s OperServ’s NOOP function which prevents O:Lines on unauthorized servers – and I was sure freenode used that to prevent exactly this possibility. Am I misunderstanding the situation or would this be a solution?
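The per-server issuance flow proposed in comment 1, shown as an added example (not freenode's tooling and not part of the original post or comments): each host gets a certificate for its own name only, so revoking one leaves the others trusted. The CA name, hostnames and file layout are hypothetical, and for brevity both roles run in one directory, whereas in practice the sponsor's private key stays on the sponsor's host.

```shell
# Added illustration; CA name, hostnames and file layout are hypothetical.
# Staff: private CA key, self-signed CA cert, and the files `openssl ca` needs.
setup_ca() (
  cd "$1" && : > index.txt && echo 01 > serial && cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = staff
[staff]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=example staff CA" -days 365 2>/dev/null
)
# Sponsor: key + CSR for its own hostname (only the CSR is handed over).
# Staff: sign it, pinning the SAN to that one name rather than a wildcard.
issue() (
  cd "$1" && h=$2
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$h.key" \
    -out "$h.csr" -subj "/CN=$h" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$h" > "$h.ext"
  openssl ca -batch -config ca.cnf -extfile "$h.ext" -notext \
    -in "$h.csr" -out "$h.pem" 2>/dev/null
)
# Staff: revoke one host's certificate.
revoke() ( cd "$1" && openssl ca -config ca.cnf -revoke "$2.pem" 2>/dev/null )
# Staff publish a fresh CRL; client verifies chain and revocation; 0 = trusted.
check() (
  cd "$1" && openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null &&
  openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check "$2.pem" >/dev/null 2>&1
)
d=$(mktemp -d) && setup_ca "$d"
issue "$d" a.irc.example.net && issue "$d" b.irc.example.net
revoke "$d" a.irc.example.net
check "$d" a.irc.example.net || echo "a: rejected after revocation"
check "$d" b.irc.example.net && echo "b: still trusted"
```

With a single wildcard certificate shared by every server, the same revocation would take the whole network's TLS identity with it.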
