Do not connect to any servers until you have configured all important settings.
For SILC see SILC. This page should be renamed/moved to https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IRC
Warnings and Notes
SSL / TLS / Encryption
SSL/TLS: SSL or TLS based certificate encrypts communication between your IRC client and the destination IRC server, no one in the middle can view actual content. Even though many software commonly uses the term "SSL", but most is able to use TLS and SSL both encryption protocols/mechanism. It does not matter, if an IRC server is using a CA signed or self-signed certificate, what matters is, if a stronger & safer encryption method is used or not, and if your IRC client is using the correct certificate or not, to connect with the destination IRC server.
If the destination IRC server provides a Hidden Service (a .onion host/server inside Tor system/network), you can (or should, see below) use that instead. Tor provides Tor-to-Tor (usually equals end-to-end) encryption for hidden services. However, hidden services only offer 80bit strength against impersonation (which isn't very strong by todays standards). The strength of the content encryption itself depends on AES 128bit and RSA 1024. Especially the latter isn't very future proof (if throwing enough computing power at it it can be broken today). Therefore, depending on the threat model it might be recommended to combine SSL (or another end-to-end encryption like GPG) with Hidden Service. TLS secured hidden IRC services allegedly exist.
Having another extra layer of encryption makes it more hard to compromise the confidentiality of information, it is always a better to have more layers of security. Any extra layer of end-to-end TLS/SSL (using strong algorithms and key lengths) encryption/decryption comes at almost no performance or maintenance cost and is highly recommended. The more layers of encryption you will add/implement, the further your content will be protected (however, note The importance of the first layer. To protect data from being decrypted today is pretty simple. Assuming there aren't fundamental undisclosed flaws in the crypto we use (like AES and sha), choosing a strong enough key and lengths we can prevent brute forcing with great confidence. However if you need forward secrecy for the next decades or even a lifetime, most paranoid crypto settings can guarantee nothing because we don't know what mathematical and technological progress the future holds.
If the IRC server is using a self-signed certificate (this is always the case with hidden services using TLS) you need to make sure you are always using the correct SSL or TLS certificate for encrypting/decrypting and connecting with right destination, and not with some middle-man (middle relays, middle snooping relay/reflector) servers. The IRC client needs to be configured to only trust valid certificates and the self-signed certificate needs to be imported. (For an example see the Xchat configuration).
Some possible connection examples explained:
An IRC server on a Hidden Service: Your computer <--> IRC-client <--> Tor's local socks proxy <--> Tor <--> Hidden Service <--> IRC Network.
And we will look like the following, if we connect to other IRC Networks, which do not provide a Hidden Services: Your computer <--> IRC-client <--> Tor's local socks proxy <--> Tor <--> Tor exit node(s) <--> public/open Internet <--> IRC Server(s).
If we are using a BNC, our connections will look like this: Your computer <--> IRC-client <--> Tor's local socks proxy <--> Tor <--> Tor exit node(s) <--> (SSL supported port of) BNC server <--> (SSL supported port of) IRC Server.
If we are tunneling a VPN or (other tunneling services) through Tor our connections will look like this: Local IRC-client <--> local VPN client (configured to use Tor's local socks proxy) <--> local Tor client <--> Tor Network (entry and middle node) <--> Tor Exit-Node <--> VPN Host <--> (SSL supported port of) BNC Software (running on VPN Host, or somewhere else) <--> (SSL supported port of) IRC Server.
Add or create Firewall Rules for your IRC client by (1) allowing it only to connect to 127.0.0.1 on TCP port 9050, and (2) block any other connections from the client to any other ip address, and also (3) block all DNS resolving queries sent from your client to your/local computer's DNS server app, and block DNS queries made from the IRC client toward any external IP address on UDP port 53, because, all DNS queries must be obtained through the Tor to keep your anonymity state intact. Tor is a SOCKS5 proxy server and completely capable of doing so.
If you also need to connect to IRC server(s) via going through your own ISP, then you should install another IRC client and create firewall rules to allow only that 2nd client to access other IP address & DNS queries. Do not use nickname that you use for Privacy purpose in that 2nd client. Many XChat based software for example now has "Portable" mode installer to install XChat on a Portable Storage/Medias, or, on a different folder of your choice. E.g. 'XChat-WDK' in windows, 'PChat' in windows/linux allows Portable mode installations.
Circumvent Tor Bans / Create New IRC account
When connecting to any IRC server (such as Freenode) for first time, to create & register a new account, connection through Tor may keep failing, denied or blocked. The IRC network may require you to have an account, to allow you to connecting. But if you were to connect without Tor, you weren't anonymous anymore. That's kinda a chicken and egg problem. Never connect without Tor, never choose the "Bypass network proxy" option or similar on any XChat based clients in Windows/Linux or "Bypass global proxy server" option on XChat Aqua/Azure in MacOSX.
When a Tor exit-node is blocked or denied by an IRC server, you may first try different exit-nodes using Vidalia's Tor Network Map window's connection box. It shows different active circuits & exit-nodes. Each circuit has 3 portions and the right most side/portion is the exit-node. Inside the connection box, select a circuit (which is used for connecting to this IRC server), and either press 'Del' or right-click on a circuit & select "Close Circuit". In this manner, keep on closing circuits that has a blocked exit-node, and keep on trying to connect to another new circuit which has a new or a different exit-node. Tor can also be configured, to choose only a certain set of exit nodes, in certain countries. And certain sub-servers of your IRC networks, which usually are a group of servers, can be retried for connection.
Next simplest alternative for account creation is, using a free BNC (Bouncer), or a reflector, or a proxy, etc. (Also see General Instructions for IRC in parent article). Connect to a destination IRC server via that BNC account or service. Then create and register an account. Always connect to that BNC server through Tor. Always try to use SSL to connect to the destination IRC server, and also always use SSL supported port on that BNC server as well (if supported). Few other alternative options are to use any free VPN (or other Tunneling) software, installed on (your own) hosting service/account, or, use any other VPN supported hosting service/account, or, use any free BNC software installed on (your own) Shell access featured or supported Hosting service/account. And you must also obtain such service or account from such a Hosting Service Provider (HSP), which accepts Bitcoins or similar anonymous & secured payments, or, simply provides it to users for free. Also make sure the Tor proxy settings exists inside the Network Proxy Server settings during those connections.
For most IRC clients, unix username = default ident and a "fake" ident with leading tilde (example: "~user") is used. In Windows logged in user's profile name becomes default ident. The ident is seen by most clients during channel join and when doing whois. So better be sure to change your ident, before you connect to any IRC servers. Use IRC clients, which are able to send a another ident for each IRC network (If you care, to have one pseudonym at one IRC network, and another, on another IRC network. Some IRC bouncer software or ident servers, when installed on your own computer, can also allow to provide different idents for each IRC network.
2. Untrusted connection, SSL encryption, and logging.
Be aware, that a connection to an IRC server is, often, unauthenticated and unencrypted. Some IRC servers offer access over a hidden service or over a SSL encrypted port. Use it. If you encrypt the connection between you and the server, no Tor exit node can spy or inject something into your traffic. So always choose first to use a SSL encrypted connection & port of any IRC server. It does not matter if a server is using a Paid or Self-Signed encryption certificate, what matters is, if it is using a stronger & safer encryption cert or not, and, if your IRC software is using the correct certificate or not. The use of the hidden service is preferred (more servers between you and the IRC server; uses Tor's built in end-to-end encryption and does not rely on the faulty SSL certificate authority system). However, this only encrypts the connection between you and the exit-node or hidden server. Server admins (also called IRCops) are still able to read all your private messages (also called queries). Debugging session of any IRC server or or any bouncer server software can reveal any type of messages. If you want to prevent that, you have to use end-to-end encryption, which both, sender and recipient would have to use. If an IRC Server uses a 'Self-Signed' or lesser known or newer Certificate Authority(CA) issued certificate, then those need to be manually added into a Root Certificate collection file (recommended), or, select option in your IRC software to accept self-signed or invalid certificate (not recommended). If a certificate was issued by a major or known or paid CA, then most likely it already exist, thus not necessary to add manually. IRC is not the most convenient protocol for private chats. On some networks in some channels stay robots, which archive and store chat logs online. Of course, all this does NOT mean, that IRC isn't nice for public chats.
3. Prevent Leakage
4. SASL (A username authentication mechanism. It's about being able to connect using Tor, not about security.)
If your server requires you to use SASL, you may use 'PLAIN' mode SASL authentication, only if you are connecting on a SSL encrypted & secured port of a destination IRC server, and all connections between you and destination server are using (SSL) encryption. If any portion of full connection path is not using (SSL) encryption or has a proxy or another host in middle, then use of DH-BLOWFISH authentication should keep your password safe from middleman(s).
5. Bouncer (also known as, BNC)
IRC bouncers have some advantages, are convenient, not required for connecting to some IRC networks over Tor and expand the Attack surface. A bouncer may offer handy features. It keeps staying on all your IRC channels, once you closed your IRC client or went offline. You have an option to automatically change your nickname once you are offline. Private messages are logged. Some bouncers allow also logging of public channels, in case you do not want to miss, what people have talked about, when you were gone. It's a single proxy and hides your IP from the IRC server. The server admins will not know, that you are using Tor. Mostly notable, you can visit IRC networks, which banned Tor due to abuse. Also other users will not see the IP of your Tor exit node, this reduces the Attack surface. The problem is, that you will have a hard time finding an commercial IRC bouncer, which you can pay anonymously. The bouncer server administrator has the ability to sniff all your chats and IRC passwords. Debugging sessions in any IRC server or in any BNC server software can reveal all type of messages. You have to trust the service provider, otherwise you have to host your own bouncer on a secure server, which you obtained by paying anonymously. Free bouncers are often used to sniff users chats and passwords. If your bouncer support connection through SSL or a hidden service (preferred, already clarified above), use that. If you have used free bouncer just to create an IRC account, then change password afterword.
6. Cloak your hostname.
Normally your hostname/IP is visible to everyone in the channel and through whois. Some IRC networks allow you to cloak your hostname/IP, mostly thought registering and a special command like '/mode <yournick> +x'. Consult your IRC network to find out if that is supported and how. Note that the IRC server admins can still see what's behind the cloaked hostname/IP. Anyway, use that feature, no matter if you are behind Tor and/or a bouncer. The required effort is minimal. The Attack surface is not a single bit expanded and it offers some additional protection against anyone, who is not an IRC server admin. The problem with most IRC clients and bouncers (5.) is, the the cloak gets deactivated on disconnection and the IRC client and/or bouncer auto-reconnects and auto-rejoins all channels, before you're authenticated and cloaked again. To make use of the cloak against a skilled adversary (no IRC server admin, they can look behind the cloak anyway), who is whoising every few seconds (scripted), you'd need to 1) connect to the IRC network with a secret nickname, 2.) authenticate, 3.) cloak, 4.) change to your normal nickname, 5.) join all channels, 6.) don't reconnect/rejoin without beginning from step 1.
7. Double connection warning.
8. 'Harden' your client.
Additionally, to increase security, anonymity and privacy, you may harden your client (if possible). Deactivate all features, which you never use.
9. CTCP, CTCP replies and DCC.
Deactivate all CTCP replies, since they leak information about your machine. Do not use /CTCP (Client-To-Client Protocol) or /DCC. DCC (Direct Client-to-Client) chat or file transfer. This is because, your cloak (6.) and your bouncer (5.) IP will no longer protect you, since those protocols use direct connections, not through Tor. Behind a transparent proxy, such as Whonix, your real IP were still save, but it's not recommend anyway (you loose the additional protection from your cloak (6.) and/or bouncer (5.). Many viruses spread trough DCC file transfer. The connection is unauthenticated and unencrypted. Use a more secure method for file exchange. You may use file hosting sites, encrypt/authenticate your content if required.
10. Common sense.
Be aware, that IRC server admins can impersonate other users. Do not connect to small, unknown, new or untrustworthy IRC networks. Most IRC-client vulnerabilities, can only be exploited by the server. Abstain from using or posting data, which is related to your real identity. At best, do not click on any links, search them yourself. Do not fuck up other people, be nice, do not make yourself enemies and less hackers are trying to get you. Keep your IRC-client always up to date.
11. IRC-client local logging.
By default, most IRC-clients create local logs, of everything you do. This may be disabled. Your choice. It's a question of security vs. comfort.
12. End-to-end encryption and authentication.
By default, and due to the nature of IRC, there is no end-to-end encryption and authentication. Some clients offer such features. Search on your own. If you need this, you may also think about using alternatives to IRC, such as SILC, using e-mail with GPG or encrypted/authenticated instant messengers.
If you fear being impersonated by other people, most networks, offer account name registration. It will be password protected. No other users can impersonate such an account. It is not a perfect protection, since it does not protect against malicious IRC server admins. If IRC server admins do not like your activity, they will most likely ban (gline) you. However, registered accounts offer a sufficient protection against script kiddies and jerks. Only authentication offers full protection against impersonating, if you need this, look under 12.
14. Quit, leave and away messages.
All those messages, tell other people, which client you are using. It's safer not to reveal that. Turn those features off.
15. Flood protection, ignore, silence.
If anyone tries to flood you out, change your IP and cloak it (6.) before reconnecting. Also a bouncer (5.) may be of help, but a cloak (6.) is far more efficient. The ignore feature is a IRC client side ignore of messages, which is sufficient against people you do not want to receive messages from. Silence is a IRC server side ignore, your IRC client will not get disturbed by messages anymore, since the server will no longer deliver them. This should be used against flooders. Also temporarily setting the service side user mode, messages from authenticated (to the IRC network) users only, can also be efficient.
16. Failsafe techniques, mechanism.
For some known or unknown reason, settings may get lost, or get hacked because of poorly or purposefully written codes, or accidentally resetted to default settings, etc. This can occur in your IRC client software, and the next connections may start to use unwanted, identity revealing, non-anonymous, non-encrypted connections. To prevent such, apply & use failsafe techniques, mechanisms that will make sure your anonymity is not compromised in such cases. Since a Torified app/tool's (allmost) all network connections suppose to only go through Tor proxy (which is a Socks5 proxy server), use firewall and create a few rules. One rule should allow only outbound connections from IRC software to Tor's proxy server IP address 127.0.0.1 on TCP port 9050. Block all other connections, which are NOT toward 127.0.0.1 TCP 9050. Block all DNS resolving queries made toward any DNS server's UDP port 53. Block all DNS queries made toward your/local computer's DNS server/client software, for this you will need a firewall, which can check, which app initiating what network traffic. Some IRC software may need to use localhost (127.0.0.1) loopback connections, only those can be allowed by creating extra rules carefully. Once you have set your IRC client to your expected level of functionality, then backup configuration, setting & script files or all files in a dated backup directory, and, every few days later or before starting to use IRC software, overwrite existing setting, configuration & script or all files using batch commands from backup directory. Configuration & script files which will not need to be changed, set them on read-only mode. If you have to connect normally (non-anonymously) then install 2nd/another or 'Portable' IRC client software for that purpose and configure firewall rules to allow connections to regular/open internet only for that 2nd IRC client/software. You may also install & use Tor, IRC client, etc. inside VirtualBox, a small Virtual Machine (VM). And make backup VM image after all is configured. If you are willing to use a VM, you should also consider using a Transparent Proxy, such as Whonix.
17. Check before using IRC.
When connecting to an IRC network, use nickname, which you would never use and which is (almost) impossible to guess for others. For example, call yourself while connecting "exampleCBU25". Before you join any channels, make sure you look like intended, check that by whoising your temporary nickname, i.e. '/whois exampleCBU25'. In case something is wrong, disconnect, otherwise, if everything looks fine, change your nickname to your desired nickname and join channels.
18. Social Threads
IRC chats are public, keep that in mind. Deanonymsation is not only possible with IP addresses but by social threads too. Some recommendations to avoid deanonymisation collected by Anonymous:
- Do not include personal informations in your nick and screen name.
- Do not discuss personal informations in the chat, where you are from...
- Do not mention your gender, tattos, piercings or physical capacities.
- Do not mention your profession, hobbies or involvement in activist groups.
- Do not use special characters on keyboard, which are existent only in your language.
- Do not post informations to the regular internet while you are anonymous in IRC. Do not use Twitter and Facebook. This is easy to correlate.
- Do not post links to facebook images. The image name contains a personal ID.
- Do not connenct to chat at the same time. Try to alternate.
Heroes only exist in comic books keep that in mind! There are only young heroes and dead heroes.
Change IRC network password frequently.
Every few weeks change your password. At least if you fear your client computer has been compromised immediately change all passwords from another trusted system.
IRC client specific instructions
WARNING: The following instructions explain how to torify. They lack information on how to block leaks:
- CTCP replies
- ident (linux user name)
- quit, leave and away messages
SASL and SOCKS5 proxy can be used in WeeChat for Tor. Instructions are in WeeChat doc.
socks5 127.0.0.1 9050 http localhost 8118
to the ProxyChains config file at ~/.proxychains/proxychains.conf. Now that it is configured, type proxychains bitchx at the command line.
The gentoo build of proxychains seems to be broken on x86 arch. Using tsocks BitchX or torify BitchX works well.
You may want to look up your IRC server's IP with tor-resolve and use the IP in place of a hostname; see the note on tsocks and DNS above.
2011-09-20: mIRC 7.19 (and likely older versions as well) is leaking DNS requests when "On connect, always get: Host name" is enabled. I am working on resolving this with the mIRC developer. ---nella
2011-09-21: Update: The issue has been confirmed and explained on mIRC forums. http://forums.mirc.com/ubbthreads.php/ubb/showflat/Number/233859/page/1 I will be posting a feature request to the mIRC developer to change mIRC behavior. For now, if you want to keep using mIRC and are serious about protecting your identity, disable the "On connect, always get: Host name" feature. I will keep this post updated. ---nella
Tools -> Options -> Connect -> Proxy
Connection: Both Protocol: Socks5 Hostname: 127.0.0.1 Port: 9050
There is a way to automate this with two commands:
/firewall -cm5+d on localhost 9050
to activate it and...
/firewall -d off
to deactivate the proxy. You can add this commands to your personal commands menu by following these instructions:
Press Alt+P to open the popup editor and type this bellow "Commands"
Anonymize:/firewall -cm5+d on localhost 9050 de-Anonymize:/firewall -d off
Preferences -> Advanced Preferences -> Proxy Server
Use proxy server to resolve names. Use proxy server. Protocol: SOCKS5 Host: localhost or 127.0.0.1 Port: 9050
Settings -> Configure KVIrc -> Connection -> Proxy Hosts
Use proxy. New proxy. Proxy: tor Port: 9050 IP Address: 127.0.0.1 Protocol: SOCKSv5
If you're running kVIrc version 3.4.0 or above you should be able to connect to any IRC server (whether it is running on a Hidden Service or not) now.
If you're running a kVIrc version before 3.4.0 you will have to add a map to your Tor config for each hidden service you want to connect to because these versions do not support resolving DNS remotely.
Add a line similar to this one to your torrc.
mapaddress 10.40.40.40 [scrubbed].onion
Then send a HUP kill to Tor.
pkill -HUP tor
Now you should be able to connect to a IRC server by telling kVIrc to connect to 10.40.40.40.