Howto IRC with Tor


because IRC is not dead!

This guide is written from the weechat perspective, and it helps you connect to the oftc, freenode and indymedia IRC networks in the most private way (tor). It also helps you configure otr encryption, which I think is the only way to encrypt 1:1 chats in IRC (and only when both parties are connected). Right now, there is no way to encrypt asynchronous 1:1 chats, channels or groups.


comparison: weechat vs irssi

  • codebase: irssi has a smaller codebase
  • otr: I found it easier to set up otr in irssi; in weechat it looks like it requires more dependencies
  • ease of use: in irssi you do /connect freenode or /connect oftc and you are in; in weechat you have to set up the irc servers more manually
  • hidden service setup: very difficult to set up hidden service IRC with irssi (I failed ref1 ref2). weechat does it in a very clean way
    • this is the thing that forced me to switch from irssi to weechat

requirements

tested with debian 10; the python dependencies are because of otr.py

apt install tor weechat-curses weechat-python weechat-plugins python-potr

configuration

The idea is to paste, more or less consciously, the following lines that start with a slash /. When you are done with the configuration, save all the current configuration with /save

access it through tor

connect server through tor

create a socks5 proxy called tor:

/proxy add tor socks5 127.0.0.1 9050

example 1: using tor to access an irc server without hidden service

add server

/server add oftc-tor irc.oftc.net/6697 -ssl

use this server through tor

/set irc.server.oftc-tor.proxy "tor"

connect to it

/connect oftc-tor

example 2: using tor to access an irc server that has hidden service access, such as the one recommended by riseup

/server add indymedia-tor akeyxc6hie26nlfylwiuyuf3a4tdwt4os7wiz3fsafijpvbgrkrzx2qd.onion
/set irc.server.indymedia-tor.proxy "tor"

extra notes:

access freenode with tor

Connecting to the freenode IRC community via tor is complex, so I include the details in this guide to facilitate it.

Tor access is only provided through cert authentication. We first need to connect to freenode via the plain internet

/server add temp-freenode irc.freenode.net
/connect temp-freenode

select the nick you want to register and verify that it is available

/nick myIdentity
/msg NickServ REGISTER myFancySecret mymailbox@example.com

check your email, and paste the suggested line, which looks like:

/msg NickServ VERIFY REGISTER myIdentity freenodeVerificationCodeHere

keep that weechat open, and go to a terminal because it is time to bind our identity to the certificate. The next commands: create a directory for our certificate, navigate there, create a certificate (non-interactively) and obtain its fingerprint (last line):

mkdir -p ~/.weechat/certs
cd ~/.weechat/certs
openssl req -batch -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem
openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1

come back to weechat and copy the fingerprint to bind your user to the certificate:

/msg NickServ CERT ADD mmyyyyCeeeerrtttiiifiiiicateee

now, add the freenode server to connect via tor:

/server add freenode-tor ajnvpgl6prmkb7yktvue6im5wiedlz2w32uhcwaamdiecdrfpwwgnlqd.onion/6697
/set irc.server.freenode-tor.proxy "tor"
/set irc.server.freenode-tor.ssl on
/set irc.server.freenode-tor.ssl_cert %h/certs/freenode.pem
/set irc.server.freenode-tor.sasl_mechanism external

I had to disable ssl verification, which I think is safe given the situation: https://github.com/weechat/weechat/issues/972

/set irc.server.freenode-tor.ssl_verify off

And then you can connect to freenode IRC via tor

/connect freenode-tor

references:

reduce our client fingerprint

By default, the weechat client provides sensitive information that identifies us

/set irc.server_default.msg_part ""
/set irc.server_default.msg_quit ""
/set irc.ctcp.clientinfo ""
/set irc.ctcp.finger ""
/set irc.ctcp.source ""
/set irc.ctcp.time ""
/set irc.ctcp.userinfo ""
/set irc.ctcp.version ""
/set irc.ctcp.ping ""
/plugin unload xfer
/set weechat.plugin.autoload "*,!xfer"
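
One way to check that the settings from this guide ended up in the saved configuration, as an added example that is not part of the original guide: it parses text laid out like weechat's irc.conf and lists servers that are not behind the tor proxy, servers with ssl_verify off, and part/quit/CTCP replies that were not blanked. The sample config, the parse/audit function names and the file layout shown are assumptions made for the example.

```python
import re
# Options the guide blanks with /set ... "" (names taken from the page).
MSG_BLANK = ["msg_part", "msg_quit"]
CTCP_BLANK = ["clientinfo", "finger", "source", "time", "userinfo", "version", "ping"]

# Constructed sample; the "[section]" / "name = value" layout is an assumption.
SAMPLE = '''\
[server_default]
msg_part = ""
msg_quit = "WeeChat"
[ctcp]
version = ""
finger = ""
[server]
oftc-tor.addresses = "irc.oftc.net/6697"
oftc-tor.proxy = "tor"
temp-freenode.proxy
freenode-tor.proxy = "tor"
freenode-tor.ssl_verify = off
'''

def parse(text):
    """Return {section: {option: value}}; value None means 'not set'."""
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            section = conf.setdefault(head.group(1), {})
        elif line and not line.startswith("#") and section is not None:
            name, sep, value = line.partition("=")
            section[name.strip()] = value.strip().strip('"') if sep else None
    return conf

def audit(text, proxy="tor"):
    """List settings that differ from what the guide configures."""
    conf, findings = parse(text), []
    defaults = conf.get("server_default", {})
    findings += [f"server_default.{o} is not blank" for o in MSG_BLANK if defaults.get(o) != ""]
    findings += [f"ctcp.{o} is not blank" for o in CTCP_BLANK if conf.get("ctcp", {}).get(o) != ""]
    servers = {}
    for key, value in conf.get("server", {}).items():
        name, _, option = key.rpartition(".")
        servers.setdefault(name, {})[option] = value
    for name, opts in servers.items():
        if (opts.get("proxy") or defaults.get("proxy")) != proxy:  # unset inherits the default
            findings.append(f"{name}: not routed through proxy '{proxy}'")
        if opts.get("ssl_verify") == "off":
            findings.append(f"{name}: ssl_verify is off")
    return findings
```

Calling audit() on the text of the saved configuration returns one line per deviation; an empty list means every server uses the proxy and every listed reply is blank.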

sasl configuration (user, password)

Some services ask you to register (the procedure could change) and then set your username and password

/set irc.server.MyIRC-Tor.sasl_username "yourusernamehere"
/set irc.server.MyIRC-Tor.sasl_password "yourpasswordhere"

use otr encryption

otr is a cryptographic protocol that provides encryption for instant messaging conversations, with the following limitations:

  • multi-user group chat is unsupported
  • to enable it, both parties need to be online

install it in weechat

/script install otr.py

open a private conversation with the person you want encrypted communication with using /query targetUser and then start otr

/otr start

then, 3 options to verify:

  • verify fingerprints in real life or through some sources (the more the better) and then trust her with /otr trust
  • common secret challenge: /otr smp ask 'ourFancySharedSecret'
  • question-answer challenge: /otr smp ask 'What OS did we install yesterday in our server (just the name)?' 'debian'

check status of otr with that person

/otr status