wiki:doc/TorifyHOWTO/HexChat

Written: 30-03-2018 (Jaruga)

Torifying HexChat

HexChat (originally forked from XChat) is an open-source, cross-platform internet relay chat client that grew in popularity shortly after the discontinuation of XChat in 2013. It has several security-oriented features such as OTR, an easy-to-use graphical interface, a simplistic window layout and includes all the basic functions of most popular IRC clients. HexChat also has a plugin system with support for various languages that allows for dynamic modifications and extensions.

Starting up HexChat

By default, HexChat automatically loads the "Network List" window on the first launch after installation. To modify your internal proxy settings, HexChat must first attempt to make a connection. You may avoid connecting to a server before configuring Tor by simply clicking the 'Add' button which creates a new, blank network entry. Then click 'Connect'. This will of course fail, and will open the chat window to allow entry to the settings menu.

Example output:

https://tor.dial.ga/m/hc/hc1.png

Adding Internal Proxy Settings

  1. When the chat window opens, click the 'Settings' drop-down menu on the toolbar and select 'Preferences'.

https://tor.dial.ga/m/hc/hc2.png

  1. When the Preferences window opens, select 'Network Setup' from the leftside menu.
  1. Fill the fields under the 'Proxy Server' header like so:

https://tor.dial.ga/m/hc/hc3.png

  1. Click OK.

All of HexChats connections will now be routed via Tor. To connect to a specific server without using Tor (due to IP bans or various other reasons), you can simply check the 'Bypass Proxy Server' option under that servers 'Edit' menu.

Using HexChat with TLS / SSL

Many IRC networks (IRC servers) support SSL/TLS/encrypted connections and it is highly advisable to utilize it - but depending on the specific configuration of an IRC server, some small setting changes may have to occur first.

Enabling SSL

If the destination IRC network uses a certificate from a major or paid CA (Certificate Authority) as many popular ones do, these modifications can be made under the servers 'Edit' menu:

  1. Select "Use SSL for all the servers on this connection" option in the desired networks Edit/Configuration window. This will ensure your client does not make any connections outside of the encrypted stream.
  1. IMPORTANT: Avoid selecting the option "Accept invalid SSL certificate".

Enabling SSL for Self-Signed Certificates

NOTICE: It is currently not possible to properly trust self-signed certificates in HexChat. The cause of this is outlined here.

Some servers (including virtually all onion-based IRC servers which offer SSL) use self-signed certificates which are not listed in any CA and therefore are recognized as invalid by HexChat. In order to connect to a server which uses a self-signed cert, you may simply:

  1. Select "Use SSL for all the servers on this connection" option in the desired networks Edit/Configuration window. This will ensure your client does not make any connections outside of the encrypted stream.
  1. Select the 'Accept invalid SSL certificates' option. This will force HexChat to bypass its CA check.

SSL port

If an IRC servers SSL supported port is the default 6697, then its entry in the menu will look like this:

irc.server.net/6697

OTR ("Off-the-Record")

For even stronger privacy, it is advisable to use the OTR protocol. This can be accomplished by using the hexchat-otr package / plugin.

SASL Authentication

SASL is a type of user login and authentication method that allows identification to services such as NickServ during the connection process, before anything else occurs.

Some IRC networks / servers also provide an onion service. They often require the users IRC client to have SASL functioning and credentials present in order to allow authentication. Fortunately, HexChat makes this simple:

  1. Open the Network List. Find the desired server and click 'Edit'.
  2. In the "User name" field, enter your NickServ nick
  3. Select SASL (username + password) for the "Login method" field
  4. In the "Password" field, enter your NickServ password

See also

Internet Relay Chat - General security and anonymity

Last modified 5 months ago Last modified on Jun 23, 2018, 3:26:46 PM