wiki:doc/TorifyHOWTO/XChat

Read first!!!

Also read General Instructions for IRC first!!!

Introduction

The XChat base code has been modified to run on different operating systems and hardware architectures. Such XChat based IRC clients are listed below.
A comparison of various XChat based IRC clients is on the XChatData site. A comparison of all types of IRC client/software is here in Wikipedia.

You will have to choose a version/build/brand of XChat (see the table of contents for the available options). Follow the links and instructions given in that section. Afterwards you can look into other chapters, such as setting up SASL and importing SSL certificates. Don't forget to read and, if necessary, apply: #XChat_FirstTime Start XChat First Time

Doing ANY ONE of them is enough, either:

  • B) Manually execute commands one by one inside IRC client. Also applicable, if you have already installed & used XChat and now want to Torify it, then follow:
    • Configure and set these internal variables into the values mentioned next to them.
    • First type the "/set" command (without the double quote symbols) to view all the internal variable list.
    • Also see #Commands_ignore.conf DCC CTCP ignore Commands, #Commands_xchat.conf Set Net Proxy, ident, Block auto DCC, etc Commands sections.
    • Those commands (which start with "/" forward-slash character) can be manually entered one by one in XChat.
    • Connection Time Commands Script: To make sure these options are always applied to your XChat, a connection time commands script file can be used; it also acts as a failsafe against an accidental change or reset. For example, a script file "irc_oftc_net.txt" for the "OFTC" IRC network, containing the above set of commands, can be used. Place such a script file inside your XChat based software's installed folder if you're using Windows/Linux/Unix, and to execute it automatically on every connection, use this command "LOAD -e ./irc_oftc_net.txt" in the "Connect Command:" text-field, in the "XChat: Edit OFTC" window. (Do not use those double quote symbols inside that text-field). For XChat based software in MacOSX, place such scripts next to the other .conf files, please see the #Conf_File_Locations XChat .conf Files Locations section. Then in MacOSX it can be used with the "LOAD -e ~/Library/Application Support/<XChatSoftwareDirectory>/irc_oftc_net.txt" connect command. If a command line in the script needs to be delayed by a few seconds, a "TIMER NN" command can be used as the beginning words of that line, where NN is a decimal number giving the delay in seconds.
  • C) If you have already configured XChat to your liking, replace just those settings manually that get set in our config files. You should see all the sections below one by one and apply whichever is appropriate for you.
  • D) Use in Whonix 0.2.1 or later, it comes with XChat preconfigured. Optional settings (like using SASL) still need to be done manually.

XChat First Time Start issue [IMPORTANT!]

By default, XChat based IRC software automatically loads the "Network List" window (in Windows/Linux; in MacOS it loads the "Server List" or "Network List" window) with a list of all IRC networks/servers when it is run for the first time right after installation, and forces you to choose at least one network from the list. At first-time startup, XChat by default also tries to connect to outside servers using your local internet connection. To prevent these from happening:

  • Select the "Skip network list on startup" option (in Windows/Linux, and select the "Skip server list on startup" option in MacOS), so that this window does not appear from next time. The recommended and best way is to add the line below to the 'xchat.conf' file before starting XChat:
    gui_slist_skip = 1
    
  • Unless you connect to at least one IRC destination, XChat will quit running. So you may either 'Add' a new Network entry with 127.0.0.1 as an IRC server (which will fail to connect, but you stay safe), or use any one of the existing IRC Network entries, add 127.0.0.1 inside it as another IRC server, and force XChat to use that 127.0.0.1 IRC server only. The recommended and best way is to add the lines below to the 'servlist_.conf' file before you start XChat for the first time.
    N=LocalComputer
    E=IRC (Latin/Unicode Hybrid)
    F=10
    D=0
    S=127.0.0.1/6667
    
    • If your computer also has an IRC server/daemon software running, then use any other port not in use by any other software, or use '/0' instead of the '/6667' mentioned in the above code.
  • By default, XChat based IRC client software tries to reach internet servers via your local network instead of going through the Tor proxy. To prevent that, use the technique mentioned above and add the special settings to the 'xchat.conf' file; you must see the #xchat.conf xchat.conf file section.

XChat Configuration

XChat (Official) (Unix/Linux/Windows/MacOS)

XChat (Official): This portion is specific to the official release of XChat. XChat supports SOCKS5, SSL and does not leak DNS requests. It does not support SASL out of the box; it needs the CAP_SASL script.

You can now configure optional features and settings: #XChat_SSL SSL | #XChat_SASL SASL | #Load_Perl_CAP_SASL Load Perl and CAP_SASL

XChat (Unix/Linux)

XChat (Unix/Linux): Unofficial builds of XChat support SOCKS5, SSL and do not leak DNS requests. They do not support SASL out of the box; they need the CAP_SASL script. Based on XChat.

You can now configure optional features and settings: #XChat_SSL SSL | #XChat_SASL SASL | #Load_Perl_CAP_SASL Load Perl and CAP_SASL

X-Chat Aqua (MacOS)

X-Chat Aqua: X-Chat Aqua (at GitHub site) (version 0.17.10 and above) supports SOCKS5, SSL, and does not leak DNS. It does not support SASL out of the box, but the CAP_SASL perl script makes SASL usable. X-Chat Aqua (at SourceForge site) (up to version 0.16) supports Socks5, SSL, and does not leak DNS. It does not support SASL out of the box, and the CAP_SASL script does not work without a lot of tweaking. X-Chat Aqua is based on the XChat engine.

  • X-Chat Aqua greater than or equal to v0.17.10 works on Lion (10.7.X), Snow Leopard (10.6.X). X-Chat Aqua older than or equal to v0.16 works in Leopard (10.5.X), Tiger (10.4.X).
  • You can either configure:
  • Follow instruction steps in #Adding_Server_Host Adding Different Server Host section.
  • When using v0.16 or older, plugins and scripts need to be placed inside the /Users/YourMacUserName/X-Chat Aqua/Plugins or ~/X-Chat Aqua/Plugins/ directory where you've installed X-Chat Aqua. If you're using v0.17.10 or above, then place all plugins and scripts inside the ~/Library/Application Support/X-Chat Aqua/PlugIns directory. Disable #plugins plugins to harden your client.
  • To login using the SASL authentication feature, use version 0.17.10 and above. SASL does not work on version 0.16 and older.
  • A Perl runtime usually exists in Mac OS X. (If you need to load & use extra modules for perl, python, ruby, etc., then you will need to load 'Xcode' or 'Apple Unix Command Line Tools' first).
  • Unfortunately, X-Chat Aqua development on the SourceForge site hasn't released binaries in a very long time (since ~2006), therefore it is unlikely that there will be a SASL plugin anytime soon. For new releases please visit the GitHub site.

You can now configure optional features and settings: #XChat_SSL SSL | #XChat_SASL SASL | #Load_Perl_CAP_SASL Load Perl and CAP_SASL

XChat Azure (MacOS)

XChat Azure: XChat Azure supports Socks5, SSL, and does not leak DNS. Does not support SASL out of the box, needs CAP_SASL script. Based on X-Chat Aqua (MacOSX). X-Chat Aqua is based on XChat.

You can now configure optional features and settings: #XChat_SSL SSL | #XChat_SASL SASL | #Load_Perl_CAP_SASL Load Perl and CAP_SASL

HexChat (Windows/Unix)

HexChat: HexChat supports Socks5, SASL (AES, BLOWFISH, EXTERNAL, PLAIN), SSL, and does not leak DNS for IRC server hostnames. Fork based on XChat.
The latest HexChat supports SASL auth out of the box right after installation; the setting is found in the Network List (Ctrl+S).

You can now configure optional features and settings: #XChat_SSL SSL

PChat (Windows/Linux)

PChat (Windows Linux): PChat supports Socks5, SSL, and does not leak DNS. Does not support SASL out of the box, needs CAP_SASL script. It is based on XChat, and XChat-WDK.

You can now configure optional features and settings: #XChat_SSL SSL | #XChat_SASL SASL | #Load_Perl_CAP_SASL Load Perl and CAP_SASL

PChat Portable (Windows)

[PChat Portable Window]: PChat Portable supports Socks5, SSL, and does not leak DNS. Does not support SASL out of the box, needs CAP_SASL script. Based on PChat (Windows). PChat is based on XChat.

You can now configure optional features and settings: #XChat_SSL SSL | #XChat_SASL SASL | #Load_Perl_CAP_SASL Load Perl and CAP_SASL

Location of .conf Files

In Linux, the defaults that are set right after XChat is installed with 'apt-get install xchat' on Ubuntu Linux Oneiric are kept at XChatDefaultConfigurationFiles, in case you want to compare.

Configuration files will usually be inside the hidden folder (in most Linux or Unix systems):

~/.xchat2/

Configuration files of Official #XChat_Official XChat are located, in Windows:

%APPDATA%\XChat 2\

Configuration files of #HexChat HexChat (XChat fork) are located in:

Windows: %appdata%\HexChat
Unix: ~/.config/hexchat

Configuration files of #PChat_Portable_Windows PChat (XChat & PChat based) are located, in Windows:

C:\PChatPortable\Data\settings\

Configuration files of #PChat_Windows_Linux PChat (XChat & XChat-WDK based) are located, in Linux/Unix:

~/.pchat2/

Configuration files of #XChat_Aqua X-Chat Aqua (XChat based) are located, in Mac OSX:

~/Library/Application Support/X-Chat Aqua/

Configuration files of #XChat_Azure XChat Azure (X-Chat Aqua based) are located, in Mac OSX:

~/Library/Application Support/XChat Azure/

Compulsory XChat Privacy Settings

The following paragraphs describe which configuration files you must manually configure to make XChat based IRC clients/software more anonymity & privacy friendly.

You can force XChat to use the Tor proxy from the very first start right after installation, and you can also prevent default leaks, by manually editing all the files below. (Please make a backup directory "config.bak" and copy all .conf files in there first, before editing).

Plugins and Scripts

XChat comes with some modules by default. You can see them under XChat -> Window -> Plugins and Scripts. The attack surface can be decreased if you disable those plugins (in case you do not urgently need them). To disable automatic loading of plugins, move them out of the plugin directories. E.g. on Linux:

mkdir /usr/lib/xchat/plugins.disabled/
#to keep python for SASL use this: mv /usr/lib/xchat/plugins/{python.*,tcl.*} /usr/lib/xchat/plugins.disabled/
mv /usr/lib/xchat/plugins/* /usr/lib/xchat/plugins.disabled/

on Windows:
Most XChat clients in Windows use a "plugins" folder inside the installed folder. You should make another folder "plugins.bak", and move unnecessary .dll, .pl, .py etc. plugin & script files from the "plugins" to the "plugins.bak" folder.

on Mac OS X:
In newer versions of Aqua/Azure, plugins & scripts are inside the 'PlugIns' folder, here: ~/Library/Application Support/<XChat>/PlugIns/. In older versions of Aqua, the 'Plugins' directory is inside where you installed XChat. Move unnecessary plugins into a backup directory.

servlist_.conf

  • When you start/run XChat for the first time, you should not connect to any outside servers; connect only to a non-existent server on your own computer, so you must see the #XChat_FirstTime XChat First Time Start Issue section. If all settings are not configured properly, an accidental first-time connection to an outside IRC server can reveal your IP address, location, etc. against your nickname.
  • Make a backup copy of the 'servlist_.conf' file, and empty it (that is, remove all lines from it).
  • When all other configurations are set, then you may follow the instructions below:
    • It is recommended to use Hidden Service based IRC servers, or SSL protected IRC servers, when connecting outside via the Tor proxy.
  • You can leave the OFTC IRC server which hosts the #Tor official channel, but do not auto connect to OFTC without making sure that your connection, ident & configuration, etc. were set properly for an anonymous connection. OFTC's Hidden Service host is not working properly now.1
    • You can also connect over SSL (recommended), but you have to verify the SSL fingerprint yourself, see oftc.net for details.
    • The following file is for OFTC non-SSL:
      N=OFTC
      E=IRC (Latin/Unicode Hybrid)
      F=18
      D=0
      S=irc.oftc.net
      

1 There is a reason, why it does not point to the OFTC hidden service. "don't use the OFTC hidden service anymore. It proved to be quite unreliable, being sometimes down for days." source: Tails 0.11 is out! (Posted May 7th, 2012 by tails) And startpage.com host:oftc.net "tor" or "hidden service" has no reference.

xchat.conf

Either

  • copy this file and paste it into your XChat configuration folder or
  • execute the commands starting with / (slash) one by one in XChat. Do not copy the # (hash) if you run those commands manually one by one.
# By default, XChat based IRC software, when started-up, or run for first time,
# it starts to use local network, to connect to the internet. To prevent that,
# and to force it, to use Tor proxy (a Socks5 server):
#
# /set net_proxy_host 127.0.0.1
# /set net_proxy_port 9050
# /set net_proxy_type 3
# /set net_proxy_use 0
net_proxy_host = 127.0.0.1
net_proxy_port = 9050
# Technical note: 3 = socks5
net_proxy_type = 3
# Technical note: Do not worry. 0 is not equal to "off". 0 stands for "All".
#                 Check yourself https://toxin.jottit.com/xchat_set_variables
net_proxy_use = 0

# XChat should not use the same circuit/exit server as other Tor applications.
# Otherwise activity in different applications could be correlated to the same
# pseudonym. There is a way to prevent that.
# It is called stream isolation. We use IsolateSOCKSAuth, 
# see https://www.torproject.org/docs/tor-manual-dev.html.en
# The password is actually not required, but it does not hurt either.
# Will probably not hurt on Tor 0.2.2 and below.
# Works with Tor 0.2.3 and above.
#
# /set net_proxy_auth 1
# /set net_proxy_pass = XChat
# /set net_proxy_user = XChat
#
net_proxy_auth = 1
net_proxy_pass = XChat
net_proxy_user = XChat

# Get rid of protocol leaks:
# a DCC session can reveal IP address, etc. identd flag can reveal your
# username which you use to login in your OS(Windows/Linux/Unix/MacOS) profile.
# To prevent those:
#
# /set dcc_auto_chat 0
# /set dcc_auto_resume OFF
# /set dcc_auto_send 0
# /set irc_hide_version ON
# /set identd OFF <-- NOT working on all XChat-based IRC software.
# But still highly suggested to include & use it.
# Probably not needed on UNIX, source: http://xchat.org/faq/#q21
dcc_auto_chat = 0
dcc_auto_resume = 0
dcc_auto_send = 0
irc_hide_version = 1
identd = 0

# If you use your own comment instead of default values, then these data are
# posted on each channel when you do these events: JOIN, PART, QUIT, AWAY.
# So they can reveal who you actually are, when you are using same XChat
# software for multiple different nicknames.
#
# Delete everything under Settings -> Preferences -> Default Messages:
# -> Quit: <Deleted everything!>
# -> Leave channel: <Deleted everything!>
# -> Away: <Deleted everything!>
away_reason = 
irc_part_reason = 
irc_quit_reason = 

# By default, XChat based IRC software uses your operating system's login
# user name as your nickname, user name and real name. To prevent leaking
# that, and to use your own choice of nickname, realname, username:
#
# ***Pseudonymous vs. anonymous IRC use.***
# Actually IRC is pseudonymous. Your nickname might also reveal something about
# your origin, interests, etc. You can make IRC more anonymous by choosing a more
# meaningless nickname. Use the following defaults if you want to be more anonymous.
# If user, user_ and user___ are already taken, add more _ or start using user1,
# user2, user3, etc. Or if the IRC network auto assigns you a nickname, i.e.
# guest532, stick with that nickname.
#
# Of course, you are free to continue using IRC in a pseudonymous manner.
# In that case, instead of user, choose your nickname.
#
# /set irc_real_name user
# /set irc_user_name user
# /set irc_nick1 user
# /set irc_nick2 user_
# /set irc_nick3 user__
irc_real_name = user
irc_user_name = user
irc_nick1 = user
irc_nick2 = user_
irc_nick3 = user__

# Use a more common nick completion suffix:
# When you write the first few characters of a nickname followed by tab,
# XChat will, by default, complete the nickname and put ", " behind the
# nickname. The behavior is XChat specific. The " :" is more common
# for more common clients such as mIRC.
#
# XChat -> Settings -> Preferences -> input box -> completion_suffix set to :
#
completion_suffix = :

# Not starting the server windows at the beginning so you can check and set
# settings before connecting to any IRC networks.
gui_slist_skip = 1
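
An audit of an existing xchat.conf against the values in the listing above, as an added Python example (not part of the original wiki page or of XChat). The function names, the os_login parameter and both sample files are constructed for illustration; an absent key is reported too, because the client's default then applies.

```python
# Added example: check an xchat.conf against the settings listed on this page.

# key -> value taken from the xchat.conf listing on this page
REQUIRED = {
    "net_proxy_host": "127.0.0.1",
    "net_proxy_port": "9050",
    "net_proxy_type": "3",     # 3 = SOCKS5
    "net_proxy_use": "0",      # 0 = "All" connections go through the proxy
    "net_proxy_auth": "1",     # SOCKS auth, used for stream isolation
    "dcc_auto_chat": "0",
    "dcc_auto_resume": "0",
    "dcc_auto_send": "0",
    "irc_hide_version": "1",
    "identd": "0",
    "gui_slist_skip": "1",
}
MUST_BE_EMPTY = ("away_reason", "irc_part_reason", "irc_quit_reason")
IDENTITY_KEYS = ("irc_real_name", "irc_user_name",
                 "irc_nick1", "irc_nick2", "irc_nick3")


def parse_conf(text):
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()   # value may be empty
    return settings


def audit(text, os_login):
    """Return {key: problem} for every setting that deviates from the page."""
    conf = parse_conf(text)
    problems = {}
    for key, want in REQUIRED.items():
        got = conf.get(key)
        if got is None:
            problems[key] = f"not set, the page uses {want}"
        elif got != want:
            problems[key] = f"is {got}, the page uses {want}"
    for key in MUST_BE_EMPTY:
        got = conf.get(key)
        if got is None:
            problems[key] = "not set, the page uses an empty value"
        elif got:
            problems[key] = "custom text is posted to channels"
    login = os_login.strip().lower()
    for key in IDENTITY_KEYS:
        got = conf.get(key)
        if got is None:
            problems[key] = "not set, the OS login name is used by default"
        elif got.rstrip("_").lower() == login:
            problems[key] = "matches the OS login name"
    return problems


# Constructed sample: the values from the listing on this page.
GOOD_CONF = "\n".join(
    [f"{k} = {v}" for k, v in REQUIRED.items()]
    + [f"{k} =" for k in MUST_BE_EMPTY]
    + ["irc_real_name = user", "irc_user_name = user",
       "irc_nick1 = user", "irc_nick2 = user_", "irc_nick3 = user__"]
)

# Constructed sample: a partly configured file with several leaks.
BAD_CONF = """\
# constructed sample
net_proxy_host = 127.0.0.1
net_proxy_port = 9050
net_proxy_type = 0
net_proxy_use = 0
dcc_auto_chat = 1
irc_nick1 = user
irc_nick2 = alice_
irc_user_name = alice
irc_quit_reason = Leaving from my laptop
"""

if __name__ == "__main__":
    for key, problem in sorted(audit(BAD_CONF, "alice").items()):
        print(f"{key}: {problem}")
```
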

ignore.conf

Either

  • copy this file and paste it into your XChat configuration folder or
  • execute the commands starting with / (slash) one by one in XChat. Do not copy the # (hash) if you run those commands manually one by one.
# Use these commands to block the CTCP and DCC commands and
# inquiries sent toward your IRC client software:
#
# /ignore *!*@* CTCP DCC
# /ignore * CTCP DCC
mask = *
type = 136
mask = *!*@*
type = 136

ctcpreply.conf

Either

  • copy this file and paste it into your XChat configuration folder or
  • execute the commands starting with / (slash) one by one in XChat. Do not copy the # (hash) if you run those commands manually one by one.
# new and empty
# no CTCP replies
#
# Same as:
# Go to Settings -> Advanced -> CTCP Replies, delete everything and save. Check again if everything is empty.

keybindings.conf

  • no changes

sounds.conf

  • no changes, still empty

notify.conf

  • no changes, still empty

colors.conf

  • no changes

To go back to your previous section, where you came from: #XChat_Official XChat (Official) | #XChat_Unix_Linux XChat (Unix/Linux) | #XChat_Aqua X-Chat Aqua (MacOS) | #XChat_Azure XChat Azure (MacOS) | #HexChat HexChat | #PChat_Windows_Linux PChat (Windows/Linux) | #PChat_Portable_Windows PChat Portable (Windows) | #XChat_How_To_Torify How To Apply/Torify | #Adding_Server_Host Adding Different Server Host |

SSL / TLS / Encryption

General Information on using IRC with TLS

Enable SSL feature

For IRC networks (IRC servers) which support SSL/TLS/encrypted connections, you must choose the first option below, and the option after it should be avoided:

  • Select the "Use SSL for all the servers on this connection" option on any XChat based IRC client in Windows/Linux, in the Edit/Configuration window of the network concerned.
    • For X-Chat Aqua/Azure in Mac OSX, select the IRC network and click on 'Show details'. In the expanded new window of that network, click on the 'Connect Options' tab and select the "Use SSL for all servers in this network" option.
  • Avoid selecting the option "Accept invalid SSL certificate", which is inside that specific IRC Network's Edit/configuration window. You must see the next paragraph on how you can add a valid certificate and use it appropriately.
    • For X-Chat Aqua/Azure in Mac OSX, this option exists under the 'Connect Options' tab, but avoid selecting it. You must see the next paragraph on how you can add a valid certificate and use it appropriately.

Use Correct SSL Certificate

If the destination IRC server uses a certificate from a major, known or paid CA (Certificate Authority), then skip this section and go to the #SSL-ServerPort SSL Server/Port section. But when a destination IRC server is using a self-signed certificate, then to make sure you are always using the correct SSL or TLS certificate for encrypting/decrypting and are connecting to the right destination, and not to some middle-man (middle relays, middle snooping relay/reflector) server, you must:

  • first unselect the option "Accept invalid SSL certificate" for that server/network (and this is the recommended way for Tor users).
  • and then obtain the correct certificate or key file from the IRC server's support website: for this you will have to connect to that destination IRC server directly from your computer via your local internet connection (without using the Tor proxy), using a different generic nickname (not your real/actual username, and not the nickname that you usually use inside the Tor system), and ask the IRC server operator/op where you can get the correct public certificate/key. Use generic nicknames like 'GuestXYZ' (XYZ is a decimal number), which you will not use again in the future.
    • An alternative way to obtain the correct certificate is to either run multiple Tor proxy servers on your computer, or connect to the destination IRC server using a different Tor circuit & exit node at least three times. Very carefully watch your connection circuit & exit node using Vidalia's Network Map window. Each of those three times, use 3 different circuits and 3 different identd + nickname, and ask for the server's cert/key file from each of those 3 different nicknames; then make sure to also download the cert/key file via 3 different circuits, 3 times. Compare whether all 3 files are the same; if they are, you can use it.
  • and copy-paste the code from the downloaded .crt or .pem file into the "cert.pem" (root certificate collection) file, which exists next to the "ssleay32.dll" file inside the XChat installation folder for the XChat client in Windows. The 'cert.pem' exists next to all .conf files when using XChat IRC clients for Linux/Unix, and when using the XChat-WDK IRC client for Windows. See the topmost section for #Conf_File_Location .conf file locations on different OS. In the XChat-WDK client, to use an SSL cert, rename the certificate/key file to match the network entry name that you've used inside "Network List" in Linux/Unix/Windows, and then add .pem at the end as filename extension (it will look like 'NetworkName.pem'). A software update will overwrite 'cert.pem', so always make a backup of it right after adding a server, and after a software update, copy-paste your cert code portion at the end of the new 'cert.pem'. (You may also need to restart XChat once after adding a new cert, or disconnect once & then reconnect to that IRC network).
    • If your destination IRC Server uses a certificate that is self-signed or issued by a lesser known or newer Certificate Authority (CA), then it needs to be added into the 'cert.pem' file, or placed next to the .conf files as a .pem file, or added into the operating system's default root certificate bundle file location. If the certificate was issued by a major, known or paid CA, then most likely it (a root certificate) already exists inside 'cert.pem' or in the operating system's default root certificate collection location, thus it is not necessary to add it.
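
The three-download comparison and the append to 'cert.pem' described above, as an added Python example (not part of the original wiki page or of XChat). It compares the decoded certificate bytes rather than the raw files, so copies that differ only in line endings still match; the function names and the sample certificates (placeholder bytes, not real X.509) are constructed.

```python
# Added example: compare certificate downloads, then extend a cert.pem bundle.
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_text):
    """SHA-256 hex digest of the decoded bytes of each certificate found."""
    digests = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digests.append(hashlib.sha256(der).hexdigest())
    return digests


def agreed_fingerprint(downloads):
    """Return the fingerprint all downloads share, or None if they disagree.

    The page asks for at least three copies fetched over different circuits;
    each copy must contain exactly one certificate.
    """
    if len(downloads) < 3:
        return None
    seen = set()
    for text in downloads:
        found = fingerprints(text)
        if len(found) != 1:
            return None
        seen.add(found[0])
    return seen.pop() if len(seen) == 1 else None


def add_to_bundle(bundle_text, downloads):
    """Return the bundle text with the agreed certificate appended once."""
    fp = agreed_fingerprint(downloads)
    if fp is None:
        raise ValueError("copies differ or are malformed; add none of them")
    if fp in fingerprints(bundle_text):
        return bundle_text          # already present, nothing to do
    block = PEM_RE.search(downloads[0]).group(0).replace("\r\n", "\n")
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + block + "\n"


def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the samples below)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed samples: placeholder bytes standing in for two certificates.
SAMPLE_A = make_pem(b"constructed placeholder certificate A " * 8)
SAMPLE_B = make_pem(b"constructed placeholder certificate B " * 8)

if __name__ == "__main__":
    crlf_copy = SAMPLE_A.replace("\n", "\r\n")   # same cert, other line endings
    print(agreed_fingerprint([SAMPLE_A, crlf_copy, SAMPLE_A]))
    print(agreed_fingerprint([SAMPLE_A, SAMPLE_B, SAMPLE_A]))   # None
```

Keep a backup of 'cert.pem' before writing the returned text back, as the page advises, since a software update overwrites the file.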

Add SSL certificate in MacOSX, for X-Chat Aqua/Azure:

  • Obtain or download a valid CA/root/server certificate(cert) .crt file. For example, let us save the cert as 'CAname-or-ServerName.crt' file.
  • Then, from the directory where you downloaded the certificate, execute the following commands from a Terminal shell:
    sudo cp CAname-or-ServerName.crt /System/Library/OpenSSL/certs/CAname-or-ServerName.pem
    sudo /usr/bin/c_rehash
    

SSL Server/Port

If an IRC server's SSL supported secured port is 6697, then in an XChat based IRC client for Windows/Linux, a server's entry will look like this: "irc.server.net/+6697" (without the double quote symbols). The "+" symbol indicates that XChat will initiate an SSL/encrypted connection to that IRC server.

  • In MacOSX X-Chat Aqua/Azure, the usage of + symbol or the port numbers next to host/server name is not necessary. A check mark is needed on the option box which is located at right most side of a 'Hostname/Servername' row and under the "SSL" column. And a port number is needed to be specified in that same 'Hostname/Servername' row under "Port" column.

End to End Encryption

For even stronger privacy, you should use End to End Encryption, by using

No review:

  • No cryptography expert or other researcher reviewed the software.
  • Ask yourself simple questions:
    • Will it still be safe if the server admin has taken over a nick name?
    • Will replay attacks work?

Adding IRC Networks, Hidden Services, SSL or unencrypted (Common for ALL XChat based IRC Clients)

Before continuing, read the instructions in these sections if you have not yet done that: either see #Config_Files_Manually Configure All .conf Files Manually, or manually enter the commands one by one from these sections: #XChat_FirstTime Start XChat First Time, #Commands_HowToTorify Execute Torify Commands, #Commands_ignore.conf DCC CTCP ignore Commands, #Commands_xchat.conf Set Net Proxy, ident, Block auto DCC, etc Commands.

General

Adding different type of server host: Choose from below, based on what type of IRC server you want to connect with:

Freenode

If you are only interested in connecting to Freenode, then first read Freenode's Tor information. For connecting to another IRC Network/Server, find out its regular connection port number & encrypted/SSL secured connection port number.

Adding Freenode's Hidden Service

Add Hidden Service host based IRC Network:
To connect quickly with Freenode by using existing "Freenode" network entry, 'Add' a second irc server inside it, rename 2nd irc server into freenode's .onion address, select option "Connect to selected server only", click on "Ok", "Connect". And in such case, skip below instructions and goto below #X-SASL X-SASL section.

But here we will create another Network entry named/called "FreenodeViaTor", and 'Add' the .onion IRC server address inside it, to use with nickname which you use when using Tor, and leave existing "Freenode" for direct & regular connection or other usage.

  • Please first follow instructions in #Config_Files_Manually Configure All .conf Files Manually section to start your XChat based IRC client with initial Anonymity & Privacy friendly settings (recommended). But if you don't want to manually edit .conf files, then configure your client by following instructions in #XChat_FirstTime Start XChat First Time, #Commands_HowToTorify Execute Torify Commands, #Commands_ignore.conf DCC CTCP ignore Commands, #Commands_xchat.conf Set Net Proxy, ident, Block auto DCC, etc Commands sections.
  • View instructions in #Circumvent_Tor_Bans How to Circumvent Tor Bans.
  • Create a Network named "FreenodeViaTor" (freenode has functional Hidden Service): XChat -> Network List (Ctrl+S) -> Add -> rename "New Network" into "FreenodeViaTor" -> press Enter/Return button once.
    • For X-Chat Aqua/Azure: goto main menu 'File' -> Server List > click on bottom side "+" button below 'Networks' box -> rename default name 'New Network' by typing name FreenodeViaTor for the freenode IRC Network & then press 'Return' button once to save it.
  • Add Hidden Service host address of freenode: XChat -> Network List -> select "FreenodeViaTor" -> Edit. Then select the IRC server "newserver/6667" --> Edit --> Rename it into "p4fsi4ockecnea7l.onion" (this is the current Freenode .onion address) and press Enter/Return button once.
    • For X-Chat Aqua/Azure: goto main menu 'File' -> click on 'Server List' -> select or click on "FreenodeViaTor" network -> click on 'Show details' button at bottomside -> in expanded new window, under 'General' tab, click once on 'NewServer' to select it, then click once again to edit it, rename 'NewServer' into "p4fsi4ockecnea7l.onion" (without the double quote symbols), and press 'Return' button once to save server name -> click on 'Hide details' button on 'Server List' window.
  • Select the "Connect to selected server only" option. And optionally you may select the option "Auto connect to this network at startup" in the 'Edit FreenodeViaTor' window in Windows/Linux. For an IRC Server, Network, Gateway or Bouncer which supports the SASL login authentication mechanism, the "Server Password:" text field can be empty, as the SASL plugin/script will automatically use the password with the IRC Server. If an IRC server or Hidden Service does not support SASL, then either provide your password in the "Server Password" text field, or use a #ConnectionCommandsScript Connection Time Commands Script to IDENTIFY.
    • in X-Chat Aqua/Azure: select option "Connect to selected server only" under 'General' tab. And optionally you may select "Auto connect to this network at launch" under 'Connect Options' tab for "FreenodeViaTor" network.
  • You can similarly configure other IRC Network which has a 'Hidden Service' host. If #XChat_SSL SSL is supported then it can provide another extra layer of security. If 'Hidden Service' server/host also supports SASL auth mechanism, then add SASL login credentials, by following #XChat_SASL SASL section.

Adding Mozilla's SSL supported IRC server

Add SSL supported host:

  • Please first follow instructions in #Config_Files_Manually Configure All .conf Files Manually section to start your XChat based IRC client with initial Anonymity & Privacy friendly settings (recommended). But if you don't want to manually edit many .conf files, then configure your client by following instructions in #XChat_FirstTime Start XChat First Time, #Commands_HowToTorify Execute Torify Commands, #Commands_ignore.conf DCC CTCP ignore Commands, #Commands_xchat.conf Set Net Proxy, ident, Block auto DCC, etc Commands sections.
  • View instructions in #Circumvent_Tor_Bans How to Circumvent Tor Bans.
  • Create a Network entry named/called "Mozilla_IRC_SSL_via_Tor": XChat -> Network List (Ctrl+S) -> Add -> rename "New Network" into "Mozilla_IRC_SSL_via_Tor" -> press Enter/Return button once.
    • For X-Chat Aqua/Azure: goto main menu 'File' -> click on 'Server List' > click on bottom side "+" button below 'Networks' box -> rename default name 'New Network' by typing name Mozilla_IRC_SSL_via_Tor for the Mozilla IRC Network & then press 'Return' button once to save it.
  • Add IRC server address for Mozilla: XChat -> Network List -> Select "Mozilla_IRC_SSL_via_Tor" -> Edit. Then select the IRC server "newserver/6667" --> Edit --> Rename it into "irc.mozilla.org/+6697" (without the double quote symbols) and press Enter/Return button once.
    • For X-Chat Aqua/Azure: goto main menu 'File' -> click on 'Server List' -> select or click on "Mozilla_IRC_SSL_via_Tor" network -> click on 'Show details' button at bottomside -> in expanded new window, under 'General' tab, click once on 'NewServer' to select it, then click once again or double-click to edit it, rename 'NewServer' into "irc.mozilla.org" (without the double quote symbols), and press 'Return' button once to save server/host name -> on that same row click on square box on right side under SSL column, a check mark will appear -> on the same row under "Port" column click once or double click, an empty text-field or a text-field with 6667 in it will appear, change 6667 into 6697, or type in 6697, a secured protocol supported port of Mozilla, press 'Return' button once.
  • Enable SSL: select option "Use SSL for all the servers on this connection", and you should avoid selecting "Accept invalid SSL certificate". Please see #XChat_SSL SSL section for more info on how you can add destination server's valid certificate, in Windows/Linux/Unix.
    • For X-Chat Aqua/Azure: in expanded new window of "Mozilla_IRC_SSL_via_Tor" network, click on 'Connect Options' tab, select "Use SSL for all servers in this network" option. Please see #XChat_SSL SSL section for more info on how you can add destination server's valid certificate in Mac OSX.
  • Select "Connect to selected server only" option. And optionally you may select the option "Auto connect to this network at startup". You can either specify the password in the "Server Password" text field, or use a #ConnectionCommandsScript Connection Time Commands Script to IDENTIFY, if the server does not support the SASL authentication mechanism, like Mozilla's IRC server. But if an IRC server supports SASL, then there is no need to specify a password in the "Server Password" field.
    • In X-Chat Aqua/Azure: select "Mozilla_IRC_SSL_via_Tor" network and click on 'Show details', select option "Connect to selected server only" under 'General' tab. And optionally you may select "Auto connect to this network at launch" under 'Connect Options' tab, type in IRC network's password in 'Server password:' text-field when you will be connecting with a (non-encrypted or) SSL/encryption supported IRC server. Go to the 'on Join' tab, and if you are going to use a Connection Time Commands Script, then click on the '+' button below the 'Connect commands' box, change 'NEW COMMAND' into 'LOAD -e ./irc_server-name_login_script.txt' or something similar, press 'Return' button once to save it.
  • You may add SASL login credentials for an IRC server, if it also supports #XChat_SASL SASL, along with SSL.
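The SSL choices made in the steps above can be checked afterwards in the saved network list. The Python audit below is an added example, not part of the original guide or of XChat; it assumes the XChat 2.8 servlist_.conf layout (the N=, S=, P=, F= keys and the flag bit values shown), and the sample entries, including bnc.example.org and irc.example.net, are constructed.

```python
# Added example: audit XChat network entries for the SSL/proxy choices in this guide.
# Assumption: key letters and flag bits follow XChat 2.8's servlist_.conf layout;
# verify them against your own build before relying on the result.
FLAG_USE_SSL = 4         # "Use SSL for all the servers on this network"
FLAG_USE_PROXY = 16      # cleared when "Bypass proxy server" is ticked
FLAG_ALLOW_INVALID = 32  # "Accept invalid SSL certificate"
DEFAULT_PORT = 6667      # XChat's default when the port is left empty

# Constructed sample, not copied from a real profile.
SAMPLE = """\
v=2.8.8

N=Mozilla_IRC_SSL_via_Tor
F=22
S=irc.mozilla.org/+6697

N=Mozilla-via-Tor
F=18
S=irc.mozilla.org/6667

N=BNC_via_Tor
P=nickname-in-bouncer:bouncer-password
F=54
S=bnc.example.org/+6697

N=Direct
F=6
S=irc.example.net/+6697
"""


def parse_servlist(text):
    """Return one dict per network: name, flags, server entries, password set."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "N":
            current = {"name": value, "flags": 0, "servers": [], "password": False}
            networks.append(current)
        elif current is None:
            continue  # header lines such as v=... come before the first network
        elif key == "F" and value.isdigit():
            current["flags"] = int(value)
        elif key == "S":
            current["servers"].append(value)
        elif key == "P":
            current["password"] = bool(value)
    return networks


def split_server(entry):
    """Split "host/+port" into (host, port, ssl); a leading + on the port means SSL."""
    if "/" in entry:
        host, _, port = entry.rpartition("/")
    else:
        host, port = entry, ""
    ssl = port.startswith("+")
    port = port.lstrip("+")
    return host, int(port) if port.isdigit() else DEFAULT_PORT, ssl


def audit(networks):
    """Map each network name to a list of findings (empty list means nothing to fix)."""
    report = {}
    for net in networks:
        findings, plaintext = [], False
        net_ssl = bool(net["flags"] & FLAG_USE_SSL)
        for entry in net["servers"]:
            host, port, server_ssl = split_server(entry)
            # Onion services are already encrypted between the two Tor instances.
            if not (net_ssl or server_ssl) and not host.endswith(".onion"):
                plaintext = True
                findings.append("no-ssl %s:%d" % (host, port))
        if net["flags"] & FLAG_ALLOW_INVALID:
            findings.append("accepts-invalid-cert")
        if not net["flags"] & FLAG_USE_PROXY:
            findings.append("bypasses-proxy")
        if plaintext and net["password"]:
            findings.append("password-over-plaintext")
        report[net["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(parse_servlist(SAMPLE)).items():
        print(name, "->", ", ".join(findings) or "ok")
```

Run it against a copy of your own servlist_.conf by passing the file's text to parse_servlist instead of SAMPLE.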

To go back to your previous section, where you came from: #XChat_Official XChat (Official) | #XChat_Unix_Linux XChat (Unix/Linux) | #XChat_Aqua X-Chat Aqua (MacOS) | #XChat_Azure XChat Azure (MacOS) | #HexChat HexChat | #PChat_Windows_Linux PChat (Windows/Linux) | #PChat_Portable_Windows PChat Portable (Windows) | #XChat_How_To_Torify How To Apply/Torify | #Adding_Server_Host Adding Different Server Host |

Connect to BNC(bouncer) to Reach a Destination IRC Server

Connect to BNC to Reach a Destination IRC Server: When you use a bouncer (BNC) server to reach a destination IRC server, connect to the bouncer (BNC) server over an SSL/encrypted connection going through the Tor proxy, and also connect from the bouncer to the destination over an SSL/encrypted connection.

  • Using the Tor proxy, connect to the IRC Network which has the official IRC channel of the BNC (bouncer) Service Provider where you want to create a bouncer account. Some (not all) bouncer service providers allow you to apply for a bouncer account over their web-server; visit them through your torified web-browser. Apply for a bouncer account, and mention your destination IRC server's host address & (SSL) port. Put a + symbol before an SSL port, like irc.freenode.net/+6697. Wait for the account to be created completely. Most bouncers will not allow you to change the destination by yourself.
  • Follow set of instructions in #Adding_SSL_Host Adding Mozilla's SSL Server section, and, change the name of Mozilla network, server, etc to match with the name of bouncer(BNC) server.
    • Most bouncers require you to give the bouncer server's password in this form: "nickname-in-bouncer:bouncer-password" (without the double quote symbols), specified in the "Server password:" text field of the 'Edit' / Configuration window for that bouncer Network entry.
  • Usually the bouncer will remain connected to the destination IRC server (if last time you got disconnected because of a broken internet connection), but it will disconnect if you closed all Tabs or chose the 'Disconnect' option. Create a new account on the destination IRC server if you do not have an IRC account.
  • Most destination IRC servers want their users to send the IDENTIFY IRC command, or else your nickname will be changed into 'Guest' or something similar; the server may also disconnect you after 1 minute, and will not allow you to join various channels. See #ConnectionCommandsScript Connection Time Commands Script section.
    • To use identify command on destination IRC server when connecting via a BNC, you will have to use a script file containing IDENTIFY commands during connection time, as the "Server password:" text-field is already used for login into BNC. Follow steps in 'Connection Time Commands Script' section, to create the script file, for example, "DestinationIRCnetwork-via-BNC-via-Tor.txt". Add commands like below in that script:
      nick YourPrivacyNickNameInIRCserver
      TIMER 10 MSG NickServ IDENTIFY password-of-IRC-server
      
      Some channels will not allow you to change nickname, so use "part #channel" in script, before using nick command.

Connecting to regular IRC Networks

Connect to Regular IRC server/host: Please first follow instructions in #Config_Files_Manually Configure All .conf Files Manually section to start your XChat based IRC client with initial Anonymity & Privacy friendly settings (recommended). But if you don't want to manually edit .conf files, then configure your client by following instructions in #XChat_FirstTime Start XChat First Time, #Commands_HowToTorify Execute Torify Commands, #Commands_ignore.conf DCC CTCP ignore Commands, #Commands_xchat.conf Set Net Proxy, ident, Block auto DCC, etc Commands sections, before following below instructions.

  • Create a Network entry named/called "Mozilla-via-Tor": XChat -> Network List (Ctrl+S) -> Add -> rename "New Network" into "Mozilla-via-Tor" -> press Enter/Return button once.
    • For X-Chat Aqua/Azure: goto main menu 'File' -> click on 'Server List' > click on bottom side "+" button below 'Networks' box -> rename default name 'New Network' by typing name Mozilla-via-Tor for the Mozilla IRC Network & then press 'Return' button once to save it.
  • Add IRC server address for Mozilla: XChat -> Network List -> Select "Mozilla-via-Tor" -> Edit. Then select the IRC server "newserver/6667" --> Edit --> Rename it into "irc.mozilla.org/6667" (without the double quote symbols) and press Enter/Return button once.
    • For X-Chat Aqua/Azure: goto main menu 'File' -> click on 'Server List' -> select or click on "Mozilla-via-Tor" network -> click on 'Show details' button at bottomside -> in expanded new window, under 'General' tab, click once on 'NewServer' to select it, then click once again to edit it, rename 'NewServer' into "irc.mozilla.org" (without the double quote symbols), and press 'Return' button once to save server name. The 'SSL' option check box on that row, should remain unmarked. If the area under 'Port' column in that row is empty, then XChat will use port 6667 by default. For connecting to other ports, you will have to specify it there.
  • Connect with Network: for example, to connect with Mozilla via the Tor proxy: go to 'XChat' main menu -> Network List -> select "Mozilla-via-Tor" -> Connect. A new "Mozilla" tab will appear, and it is connected through Tor to Mozilla.org via the open internet.
    • For X-Chat Aqua/Azure: to connect with "Mozilla-via-Tor": goto main menu 'File' -> click on 'Server List' -> select or click on "Mozilla-via-Tor" network -> click on 'Connect in a new tab' button at bottomside.
  • If you find that the Tor exit-node is blocked/denied by Mozilla's server, or blocked by another IRC server where you want to connect, then view #Circumvent_Tor_Bans Circumvent Tor Bans section.
  • Enjoy.

SASL

SASL: SASL is a type of user login and authentication mechanism. Some IRC Networks/Servers, like Freenode, provide a Hidden Service, and some of them (not all) require the user's IRC client software to have a functional SASL feature (or component) present & working. XChat based IRC client software either comes with the X-SASL plugin, or needs the CAP_SASL perl script (and related software components, like Perl) to be present & working. See sections #X-SASL X-SASL, #Load_Verify_Perl Load & Verify Perl, #CAP_SASL_Download CAP_SASL Download and your specific IRC client's section below, on how to add functional SASL support if your IRC client software does not support SASL right after installation. Since many IRC Networks still don't support SASL, the SASL related steps may not be necessary for those IRC servers.

The /SASL or /XSASL command stores your login credentials in your XChat based IRC client, to use them with your desired IRC server. It is better to use the /SASL or the /XSASL command on the main IRC Network/Server tab (like "freenode"), and not on a channel's tab (whose name starts with a #, ## or * symbol) or on a username's tab, because if there is any mistake in your command then others may get your password. You should prefer to add SASL login credentials while disconnected from the IRC server, or on a main TAB which is not connected to an IRC Server. So click on an IRC network's main tab, not on any of its sub-tabs and not on any username's tab, before using the /SASL or the /XSASL command.

The 'PLAIN' authentication method only Base64-encodes your credentials. Base64 is an encoding, not encryption, so 'PLAIN' is not secure when you connect through one or more proxies or hosts: any of them that sees the unencrypted stream can decode the password. So ask your IRC server op how you can use DH-BLOWFISH or other SASL encryption. Use 'PLAIN' SASL only when you are connecting to an SSL supported port of an IRC server, and there is no other proxy or host in between you & the destination IRC server. DH-BLOWFISH type SASL auth is helpful when you connect to a SASL supported IRC server through one or more proxy-servers or other middle hosts, and any one portion of that full connection path is not using an SSL encrypted protocol.
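Why PLAIN depends entirely on the transport: the code below is an added example, not code from this page or from the CAP_SASL or X-SASL projects. It builds the RFC 4616 PLAIN message in the 400-byte AUTHENTICATE pieces used by the IRCv3 SASL extension, then reads the nick and password back out of the client's lines with nothing but a Base64 decoder. Function names and sample credentials are constructed.

```python
import base64

CHUNK = 400  # IRCv3 SASL: the Base64 payload is sent in pieces of at most 400 bytes


def plain_payload(nick, password, authzid=""):
    """RFC 4616 message: authzid NUL authcid NUL passwd, then Base64-encoded."""
    for field in (authzid, nick, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    raw = "\0".join((authzid, nick, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def authenticate_lines(payload):
    """Split a payload into AUTHENTICATE lines as the client sends them."""
    lines = ["AUTHENTICATE " + payload[i:i + CHUNK]
             for i in range(0, len(payload), CHUNK)]
    # A payload that is empty or an exact multiple of 400 bytes is closed with "+".
    if len(payload) % CHUNK == 0:
        lines.append("AUTHENTICATE +")
    return lines


def client_session(nick, password):
    """Client-to-server lines of a SASL PLAIN login (server replies omitted)."""
    return ["CAP REQ :sasl",
            "AUTHENTICATE PLAIN",
            *authenticate_lines(plain_payload(nick, password)),
            "CAP END"]


def decode_plain_exchange(client_lines):
    """Recover (nick, password) from the lines above: no key or secret is needed.

    This is all the protection PLAIN has on a hop that is not wrapped in SSL/TLS.
    """
    chunks, collecting = [], False
    for line in client_lines:
        verb, _, arg = line.partition(" ")
        if verb != "AUTHENTICATE":
            continue
        if not collecting:
            collecting = (arg == "PLAIN")  # mechanism announcement
            continue
        if arg != "+":
            chunks.append(arg)
        if len(arg) < CHUNK:               # short piece or "+" ends the payload
            break
    decoded = base64.b64decode("".join(chunks)).decode("utf-8")
    _authzid, nick, password = decoded.split("\0")
    return nick, password


if __name__ == "__main__":
    session = client_session("YourNick", "constructed-password")  # constructed values
    for line in session:
        print(">>", line)
    print("decoded without any key:", decode_plain_exchange(session))
```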

Load Perl and CAP_SASL (Common for Official & older XChat based IRC Clients)

If you are using the Official or an older XChat based IRC client that does not have built-in SASL support, then you will need CAP_SASL, a perl based script, and for it you will also need Perl.

Load and/or Verify PERL

Perl usually exists in Linux, Unix, MacOS. But on Windows, either install full scale Perl by installing Active Perl, or install a portable perl, like Strawberry Perl. You need Perl only if you are going to use perl based .pl scripts.

  • When using portable perl, add the perl binary's folder location to an environment variable, like PATH, so that XChat can use the perl binary, or verify that the location already exists in the environment variable.
  • To verify run below command, in Terminal or in Command Prompt or in shell:
perl -v

If you can see Perl's version info, then Perl is present and working for any other software, under any directory. If you do not see Perl's version info, and instead you see "Command not found" or something similar, then first try to find Perl; if it is not present then install it, and make sure that the Perl binary's directory or folder location is included in an environment variable, like PATH, so that other software can use it from any directory. Go to www.Perl.org or go to the #perl channel on irc.freenode.net and ask or find out how you can load Perl in your OS.

Download the CAP_SASL script

Download CAP_SASL script cap_sasl_xchat.pl, or from this page, or follow the link mentioned in Freenode's FAQ page.

  • Check your specific IRC client software below, find out which exact directory or folder it goes in.
  • The CAP_SASL perl script requires XChat's Perl Language Interface Plugin, and Perl binary/runtime software. And XChat also requires access to Perl binary from inside its directory, using a pre-configured environment variable, like PATH.
  • Load CAP_SASL: Goto XChat -> Window -> Plugins and Scripts... -> Load -> browse to the file cap_sasl_xchat.pl & select it -> Ok.
    • Load in Mac OSX Aqua/Azure: goto main menu 'Window' -> click on 'Plugins and Scripts' -> Load -> browse to cap_sasl_xchat.pl -> Select -> Close. This option also exist under 'File' main menu.
  • Ensure/Verify that this CAP_SASL script is being loaded, via: Window -> Plugins & Scripts -> you should see it listed there as "CAP SASL", or, "cap_sasl".

Configure SASL

Configure SASL: (Before continuing, read the instructions in #XChat_SASL SASL and #CAP_SASL_Download CAP_SASL Download sections, if you have not yet done that). At first, click on the "freenode" or any IRC Network's/Server's main or top most tab, and then type:

/sasl set
or
/sasl

and verify that you see this response:

SASL: usage: /sasl set <net> <user> <password or keyfile> <mechanism>

If you do not see the above response, then the Perl binary is not present, or the XChat Perl Language Interface/Plugin is not present, or the Perl binary's location is not available to XChat (missing from PATH).

  • Next, enter the command below to use SASL with the "FreenodeViaTor" entry (which has the p4fsi4ockecnea7l.onion IRC server). Use the nick and password which you use with Tor (and do not type the "<", ">" symbols):
/sasl set FreenodeViaTor <your_Freenode_Nickname> <your_Nick_password> PLAIN
  • View the #XChat_SASL SASL section to find out in which TAB window you can enter the /SASL command, and what SASL mode to use. In the above command, change "FreenodeViaTor" into the name of another IRC Network which supports SASL and on which you have an account.

Some (not all) versions of the CAP_SASL script need the "/sasl save" command to save SASL login credentials.

Configure X-SASL (Common for XChat-WDK based IRC Clients)

X-SASL: (Before continuing, read the instructions in #XChat_SASL SASL section, if you have not yet done that). At first click on the "freenode" or any other IRC Network's/Server's main or top most tab/window, and then type:

/xsasl

and verify that you see this response:

X-SASL Usage:
  /XSASL ADD <login> <password> <network>, enable/update SASL authentication for given network
  /XSASL DEL <network>, disable SASL authentication for given network
  /XSASL LIST, get the list of SASL-enabled networks

If you do not see the above response, then the X-SASL plugin is not present. In this case, you will have to use the CAP_SASL perl script, and Perl, for SASL auth to work. See sections #CAP_SASL_Download CAP_SASL Download, #CAP_SASL_Config CAP_SASL Configuration.

  • Next, enter the command below to use the SASL authentication mechanism with the "FreenodeViaTor" entry (which has the p4fsi4ockecnea7l.onion IRC server). Use the nick & password which you use with Tor (and do not type the "<", ">" symbols):
/xsasl add <your_Freenode_Nickname> <your_Nick_password> FreenodeViaTor
  • View the #XChat_SASL SASL section to find out in which TAB window you can enter the /XSASL command, and what SASL mode to use. In the above command, change "FreenodeViaTor" into the name of another IRC Network which supports SASL and on which you have an account.

Editor comment

  • (proper) Imho the few different XChat platform builds do not justify having detailed instructions for each of them. They are too similar, there are almost no differences. I think you are adding too much redundancy. Too much text is being mirrored. For example the line "gui_slist_skip = 1" is three times in the article. The text "with initial Anonymity & Privacy friendly settings by following instructions in" is 5 times in the text, but we have 6 clients. And if someone decides to update the text, he has to update it 5 times, instead of one time and is likely to forget something, that happened to the old article. Imho it's best to read from the top to the bottom through an article. Not click and navigate like crazy from one point to another.
    • just added more/other xchat clients, now we can remove redundant sections. -- Bry8Star. Jun 05 2:14pm.
    • Removed redundant "First Time Startup Issue" sections. and kept general direction to visit that section for further info. -- Bry8Star. Jun 06 7:05am.
    • Forcing users to read from top to bottom, how & why ? Why someone would read on freenode HiddenService section if he/she only wants to connect with a different SSL network ? URL for jumping to different sections are a MUST in a article. We are not writing TECHNICAL DOCUMENT here, that a researcher must read all stuff from top to bottom, its a GUIDE for general type of people who wants Anonymity & Privacy and also wants to know HOW TO TORIFY and apply on their XChat software for connecting to various type of host. -- Bry8Star. Jun 06 7:18am.
      • (proper) You always read from the top to the bottom and from left to right. Some sections are required to read (torify), some must only be read, in case needed (connect to hidden services).
    • Removed redundant sub-paragraphs from each IRC client. -- Bry8Star. Jun 06 10:16am.
  • (proper) Think it's the first time you read this article, pretty confusing. For example a X-Chat (Official) user. He starts reading "General Configuration". Jumps to his "X-Chat (Official)". Clicks on "Execute Torify Commands". Then he's seeing "DCC CTCP ignore Commands", but wait, that's already the next point in his "X-Chat (Official)"? He can't click one way through the article, there are a lot of forks.
    • You added "Doing one of them is enough, either:" in the top of that, then why would a user jump to a specific section unless he/she really prefers to receive instructions related to what xchat he/she uses. --Bry8Star. Jun 06 7:23am.
    • i've capitalized/highlighted, to indicate following ANY ONE way to torify is enough, now they can choose what way to follow out of different options. --Bry8Star. Jun 06 8:42am.
      • (proper) Good.
    • added jumping/navigating URL link at end of each section to go back specific & previous section. --Bry8Star. Jun 06 8:44am.
  • (proper) New idea: Let's move the XChat client specific things to the top. Shrink them to the absolute minimum, only stuff which is not common for everyone. Ask the user to remember the few specific things, like the different paths. And then let the user simply read the article from the top to the bottom, done.
    • yes, we may/should do that, without losing clarity what a user has to do in his/her specific IRC client software. --Bry8Star. Jun 05 2:15pm.
  • We need to add another section inside Adding Server Host that will illustrate how to connect with a destination IRC server via going through BNC(bouncers). -- Bry8Star. Jun 06 11:00am.
    • added basic infos. --Bry8Star. Jun 07 4:04am.
  • (anonymous) please let me know what you think of the updated article. xchat unofficial and official can probably be merged.

  • (proper) Are there any hidden services, which support hidden service + SSL at the same time?
    • i have not searched in google, yet. if a HiddenService server and it's users uses self-signed SSL or TLS for end-to-end encrypted communication then that would be always better, than relying on Tor's internal whatever encryption which is using 3 middle relays. A major/known CA issued SSL cert is not safe to use inside Tor, and i know of no CA issuing such. --Bry8Star. Jun 07 8:59am.
    • found hidden service + ssl based irc servers. some guy name christopher running it.
  • (proper) Tor relays, no matter if bridge, guard or middle are unable to decrypt the message for the exit relay. No matter if debug session or malicious Tor code. The Tor client does the encryption, onion routing. Every package is three times encrypted. Every node can decrypt only it's own layer and forward to the next one. Ok, unless, they found a way to break the whole encryption. Only the exit relay can read clear text traffic, unless encrypted end-to-end.
  • (proper) Connections to hidden services are safe against sniffing of any Tor servers. Unless they can break the encryption, which is still theoretical. Connection is encrypted "Tor to Tor". Additional SSL combined with the hidden service would still make sense, in case the Tor instance runs on one server and the IRC server on another server.
    • yes, if tor-client and HiddenService server daemon runs on different machine then that would be better, but, now most have more powerful multi-core processors, and processors now have built-in encryptions/decryptions features. And again, why would i make it easy or take a risk for some1 to break/decrypt it ? a smart person will always adopt a way to stay ahead, by using multiple layers of encryption. common sense. isn't that the reason why i'm using tor at the first place ? -- Bry8Star. Jun 07 9:12am.
    • (proper) Like said before, I am not against it. I just want to see the fact corrected.
  • (anonymous) please see updated section here. If you disagree or have questions or something important is missing, please let me know.

https://blog.torproject.org/category/tags/tor-compromise

  • (proper) To sum up, you couldn't provide any evidence, that bridge/guard/middle nodes ever decrypted anything. It's not simple as "debug session" and also not simple as "tweaked source code". The encryption between the Tor user and the exit node isn't the problem. One big problem is, that exit nodes see the cleartext, if Not using end-to-end encryption. There are more interesting attacks against Tor. Finding ways to force proxy bypass. If you scare someone breaking Tor's encryption between Tor user and exit, you should rather worry about buying zero day exploits. They are less expensive and require way knowledge.
    • you want me to find attacks, weakness of tor and post it here ! i showed many simple news that shows its done multiple times. you are claiming tor is perfect, do you have a way to prove that ? do you know there are groups who runs middle nodes and collaborate with each others ? -- Bry8Star. jun 09. 2:45am.
  • (proper) And all the other points you brought in are totally unrelated. Windows possible backdoors... I don't see what is has to do with "middle nodes debug session or custom source". That's just totally wrong. Carrier IQ for mobile phones is also totally unrelated, I am well aware, I wrote most of Mobile. See anonlib, read papers from independent researchers (get them from all sources), and you'll learn what Tor's weaknesses are. Certainly middle node sniffing is none of it. Back to the SSL issue... Yes, adding SSL makes sense, always, I said that already and reasoned. But the things, which are totally wrong, "middle node sniffing" have to be deleted.
    • point was+is tor is not perfect, neither windows, firewall, etc are a perfect systems. they have holes in them. there are many ways to get around many things. we can only make it harder for outsiders on areas where we have some controls. patches, fixes on this side, and exploits are implemented, tested on other sides. it is a 'Cat and Dog and Mouse' game that will go on. do you know there are groups running middle nodes and collaborates with each other ? -- Bry8Star. jun 09. 2:47am.
  • (proper) You know, the funny thing in this discussion is, Tor is already totally broken against various active and passive attacks. Onion routing is broken by design. Mixminion with high latency and cover traffic, is by design better, but can attract too few users, because users want low latency. How to do such attacks is documented and confirmed by torproject.org. This one I'd worry about https://blog.torproject.org/blog/one-cell-enough (ISP can perform attack) or this one https://trac.torproject.org/projects/tor/ticket/3678 (read it, understand it, follow the links and read the papers) and follow the links here https://trac.torproject.org/projects/tor/ticket/5936.
    • THANKS. you are most likely very expert on those area. i am glad you liked those article. i will read. i dont think i have the ability to really understand those. but i can definitely understand sum ups for average user like me, exposed by different experts from all around the world. -- Bry8Star. jun 09. 2:50am.
  • (anonymous) I didn't go through all these links and just glanced over these comments but the take away is: Tor's anonymity can be broken in reality under limited circumstances (without resorting to malware, backdoors or social engineering) and certainly has been in the past (and will happen more often in the future if TPO doesn't increase its strength proactively). Tor's traffic can be theoretically decrypted, I doubt anyone has done it though, and if, just a few packets. Crypto attacks tend to be really expensive, Flame is estimated to have cost 200.000$ and broke a single key (md5?) Tor has a few thousands of keys, uses sha1 and every packet is encrypted multiple times, maybe that can be improved by attacking the bootstrapping process (only need to crack the directory consensus key) but even then you need a majority, i.e. more than just a single attack.
  • (anonymous) changing some stuff around...
    • Thanks. Its now in much much better form. -- Bry8Star ~ 2:19am jun 19 2012.
    • ooops, where is SSL/TLS, Circumvent Tor Bans section? existing links should be fixed to point to proper section if in another page. a brief/short para/info is needed at least or correct link. -- Bry8Star ~ 4:13am jun 19, 2012.
  • (anonymous) "since that is a more anonymous & secure way to connect with an IRC server, than connecting via Tor exit node, because by default, a tor circuit uses 4 nodes in between your IRC client software and an .onion host server, and it uses 3 nodes when connecting via Tor exit-node. When more middle nodes will exist in between you & destination server, then that path is more Anonymous." I deleted that because it's not really accurate; there isn't really a threat model where one hop more (or even 4, assuming the HS and its circuit is trustworthy) would make any difference at all. Either we have a global adversary who isn't affected by that, or you have correlation/timing/colluding attacks, which, you guessed it, aren't affected either. On the other hand according to TPO HS aren't really that well tested as other Tor code. If tor was high latency that would be very different.
    • i'm sorry, i change that to that line, on the place of proper's line, something like .. onion host is better than SSL, and ssl not necessary .. wasn't clear enough what exactly he/she meant. -- Bry8Star ~ 2:10am jun 19 2012.

Fork this article

  • (proper) I'd wish I'd had the time, but I can't discuss everything over and over again. I think we can't reach an agreement. We are too different. Until you'll agree with my view with "debug session or custom source code" could be ages if ever. Since there are no other contributors or admins... If there are only two people, no one can be right. Our styles are too different... What I don't want to do, is starting an edit war.
    • those who has broken different portion of Tor, obviously used debug sessions & custom made tor from source codes. -- Bry8Star ~ 2:14am jun 19 2012.
  • (proper) I suggest turning https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/XChat into simply two links. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/XChat_by_Bry8Star and Bry8Star https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/XChat_by_proper, i.e. forking the article, with a small explanation that two different authors have a different view. You may continue to maintain the current version (or any other) and I'll probable grab version 101.
    • i do not want my name to be mentioned in an article url or inside a content. i'm not some public figure, neither i've have publicly known 'degree'/'certificate' against username "Bry8Star" on public, on these matters. -- Bry8Star ~ 2:10am jun 19 2012.
  • (proper) Of course anyone is still free to make suggestions to the others article. But the one who owns the article has the final say. Also copy & paste from one article to another is of course allowed, it's still all under the same license.
  • (anonymous) What about just making the best Xchat/Tor article on the internet instead? I'm sure we can reach an agreement where everyone is happy with it.
    • where we have two or more opinion/suggestions, there we can create sub-sections/sub-paragraphs and indicate/explain further from/with different point of view/facts. Do not agree on creating separate articles. People should see even 'different' opinion. -- Bry8Star ~ 2:13am 2:33am jun 19 2012.
  • (proper) Thanks for editing this article.
    • Yes, (after 'anonymous's edit) the current form is in much better shape & content. -- Bry8Star ~ 2:17am jun 19 2012.
    • ooops, where is SSL/TLS, Circumvent Tor Bans section? existing links should be fixed to point to proper section if in another page. a brief/short para/info is needed at least or correct link. -- Bry8Star ~ 4:11am jun 19, 2012.
  • (proper) Not sure that's possible. Bry8Star added too much redundancy. I couldn't hold up fixing all things he added, which are simply wrong assumptions. Recommendations about SSL all over the place. And also the general guidelines also inside here all over the place. I don't believe we should have instructions for each client. The sections for each client often contain the same sentences. The differences between the clients are not so critical after all. Just minor things. The client specific sections should really only contain the small differences.
  • (aosUser) I don't want to offend anyone, and I'm sure that all parties involved had the best intentions in volunteering their time to edit this article. However, the truth should be stated without mincing words. Quite simply, and without exaggeration, this article is the single worst example I've seen of a dysfunctional 'How To' article. How anyone thinks that this article imparts any sense of direction or clarity is completely beyond me. Whoever thought it was a good idea to insert those atrocious links which end up cluttering the bottom of every section, and create some bizarre feedback loop of link hunting and bookmarking just to follow a simple set of instructions, is devoid of common sense and the basics of design. What should have been a quite easy linear set of instructions -- just like every single 'How To' article on the internet -- morphed into some joke of a article that sows confusion and ridicule. If the whole point is to impart a knowledge set to make Tor easier to use, then this article does the exact opposite; it would probably have the effect of turning away people who were originally attracted to the simplicity of the Tor Browser Bundle. While I definitely don't want to point the dirty end of the stick to any single person, judging from the childish comment dialogue above, it's clear who is responsible for the car wreck that is this article. Bry8star, please don't take offense, but your edits are less than exemplary and sometimes you seem to evince a lack of security basics and Tor knowledge. I've often heard of maniacal editors on Wikipedia who somehow felt some urge to protect their "turf" from the slightest edit, but let's not practice that here. proper, if you want to produce some other instruction set yourself, please do! Please link us and we'll help spread the word to your instructions. From my time on IRC, I can attest that there are plenty of people who are interested in a real 'How To'. 
To the powers that be, 1) engage in some introspection, 2) realize that this instruction set only makes Tor look like they can't find its butt with both hands, 3) demolish this and follow the tried and true way of creating a simple 'How To' that is sequential, easy to follow, numbered, etc. - December 25, 2013
  • (proper) I am sure Bry8Star has no malicious intent as well and also without trying to offend anyone... Anyhow, I don't think it's possible to answer without offending anyone. Let's try it. I've permanently given up on any bigger torproject.org HowTo wiki changes because Bry8Star might show up any moment messing up the article and involving me into non-productive discussions. This would require intervention of wiki admins. (Options, either educating Bry8Star; having a moderator settling the dispute; asking Bry8Star to stop editing and/or revoking Bry8Star's wiki edit rights.) The Tor Project has been contacted by me about this, but it seems like they never found time to take care of this wiki. - December 25, 2013
Last modified on Dec 27, 2013 12:20:25 AM