Secure SSL IRC


Note

This advice isn't necessarily up to date. Some of the explanations in other languages are more recent, and some are more elaborate, with illustrations of the IRC clients. More translations are very welcome.

By connecting to the Indymedia IRC network using SSL, you can encrypt all data sent between you and the server. By extension, this means that you can create a secure line of communications with anyone else who is also connected to the server in this fashion. However, any text which you send to an individual not connected via SSL will travel via plaintext. Keep this in mind, as most of your communication will be on channels with many unencrypted individuals.

So, if just one person in a channel is not using SSL, then effectively the conversation is unencrypted. If you want to be sure you have an encrypted connection with someone, verify that they are connected via SSL by running /whois nick, and then message them privately (/msg nick your message here... or by double-clicking on their name in most graphical clients).

There are a number of ways to make the connection. The simplest is to use an IRC client with SSL enabled. In Linux, you often have to compile SSL support manually. In Windows, you can often download add-ons that let you use SSL anyway. Most clients (if not all) rely on the OpenSSL implementation.

Web chat

To quickly connect via SSL using a web browser, you can use the webchat interface.

For new folks who want to connect quickly using SSL (from any computer), use the handy web version:

https://chat.indymedia.org

Note the 's' in 'https'.

For quick instructions on connecting via the web version, see the top of this page: IrcHowTo

Installable programs

SSL is the Secure Sockets Layer. When using the Webchat, you rely on the browser's support for SSL and you don't have to think about it. When using an external IRC program like mIRC or Irssi, you have to install SSL. We suggest you install OpenSSL, which is a free implementation for both Windows and Unix.

Make sure you have OpenSSL installed.

mIRC (Windows)

From version 6.14 and onwards, mIRC has built-in support for SSL through OpenSSL. Remember that mIRC isn't free software, and that you technically have to pay for it after 30 days of use. Another good alternative is XChat.

An explanation of mIRC's SSL support can also be found at http://www.mirc.co.uk/ssl.html

Irssi (Unix, MacOS X)

Irssi has SSL support from version 0.8.6 and onwards. It requires OpenSSL, and Irssi must have been compiled with --with-ssl. You then use the command /connect -ssl irc.indymedia.org 6697. (In Irssi, you can also use /server, but /connect allows you to connect to multiple networks at once.) There is an IrssiHowTo that explains both how to install and run it on various Linux distributions. Its website is http://irssi.org/

Both you and server operators will be able to see from which IP you connect - other users will not.

For MacOS X, check out macirssi at http://www.g1m0.se/macirssi/

XChat (Unix, Windows and MacOS X)

Newer versions of XChat support SSL through OpenSSL. Under 'Server List', add a new network and call it 'Indymedia', click 'Edit...' and add irc.indymedia.org/6697. Check the boxes Use SSL for all the servers on this network and Accept invalid SSL certificate. With the second box checked the connection is encrypted, but the server's certificate is not validated. You can also use the command /sslserver irc.indymedia.org 6697. To connect using SSL from the command line, use xchat ircs://irc.indymedia.org:6697. Type /whois yournick (where yournick should be your own nickname) and make sure it mentions that you are using a secure connection.

If you're in Windows, you should use the free version of XChat (due to politics) at http://silverex.org/. It works the same way. If you're in MacOS X, there is a version at http://xchataqua.sourceforge.net/

There is a graphical introduction to enabling SSL on the XChatInstall page.

On Windows, to be able to verify the CACert.org SSL certificate we use on irc.indymedia.org, do the following:
  • download CACert.org's class 3 CA Certificate (PEM format) to your computer
  • move the certificate file to the following directory (creating the directory structure if it does not already exist): C:\usr\local\ssl\certs\ - if you are using the SilvereX Windows build of XChat 2.8.6-1 or 2.8.6-2, the path is different due to a bug: C:\some\openssl\dir\ssl\certs
  • rename the certificate file to 5ed36f99.0 - the ".0" at the end is required.
This hint is based on the how-to on mixxnet.net.

BitchX-SSL

(Considered by many to be an obnoxious client, and by its very name sexist. For a better client, try Irssi.)

Requires OpenSSL and that you have compiled it using --with-ssl. You then use the command /server -ssl irc.indymedia.org 6697.

EPIC-SSL

EPIC-SSL is a fork of EPIC which can be found at http://epicssl.sourceforge.net/. They announce it can be compiled on Cygwin. Use the command /server -ssl irc.indymedia.org 6697 to connect.

KVIrc (UNIX and Windows)

KVIrc has support for SSL, and it is compiled automatically if OpenSSL is present on the system. The command to connect is /server -s irc.indymedia.org 6697.

Chatzilla (UNIX and Windows)

Chatzilla works right out of your Mozilla-based browser. You can download it from https://addons.mozilla.org/en-US/firefox/addon/16 or http://www.hacksrus.com/~ginda/chatzilla/. Once installed, it uses the browser's SSL support through the command /sslserver irc.indymedia.org 6697. It also reacts to links in the form of ircs://irc.indymedia.org:6697/ from within the browser.

If you're using Chatzilla with Firefox 3.0, you will have to first connect to https://irc.indymedia.org/ and accept the "invalid" security certificate before connecting to ircs://irc.indymedia.org:6697/.

A better way, though not as simple, is to use the following to add a new command for managing SSL certificates to Chatzilla:
/alias certificates eval getService("@mozilla.org/embedcomp/window-watcher\;1","nsIWindowWatcher").openWindow(null,"chrome://pippki/content/certManager.xul","mozilla:certmanager", "", null)
You can then download CACert.org's class 3 CA Certificate (PEM format), invoke /certificates and import the downloaded certificate there.

This hint was found at bitsofarmor.blogspot.com.

Stunnel

Stunnel is a type of program called a wrapper. It allows programs that normally don't have SSL support to connect through it, after which stunnel takes care of the SSL. If your IRC client isn't mentioned above, or if you use a version of a client that doesn't have support for SSL, you can either upgrade the client or use stunnel.

Another, and perhaps more flexible, way to connect is to use 'stunnel' together with the IRC client of your choice. Source code for stunnel, as well as binaries for other Operating Systems can be obtained at http://www.stunnel.org/download/. If you are using Debian GNU/Linux, you can simply do 'apt-get install stunnel'. Stunnel also works in Windows.

The first step is to create the secure tunnel between your computer and irc.indymedia.org [...] (instructions in SecureIrcStunnelWindows and SecureIrcStunnelUnix)

General hints for MacOS X

You can use one of many IRC clients on Mac OS X (many of the previously mentioned clients can be compiled on OS X, if you have the developer tools installed). You may also prefer the more "Mac-like" versions of these clients, or other clients, which range from as GNU as it gets to closed-source shareware. Whichever you choose, setting up stunnel on Mac OS X can be very easy.

Be sure to read the explanation of how stunnel works above and then get "SSL Enable" from Apple:

http://www.apple.com/downloads/macosx/unix_open_source/sslenabler.html

It is a very simple user interface that configures stunnel for you to then use any application you want to take advantage of it, such as an IRC client.

To get and install Unix/Linux-type programs on Mac OS X, you may want to try Fink http://fink.sourceforge.net/

Securing Your #channel

You can require that users be connected via SSL before they can join your channel. If any user is in your channel without an SSL connection, then the entire channel's communications are leaked over a compromisable medium. It doesn't matter if everyone else is connected over SSL: if one person is not, then all public channel traffic is transmitted in the clear to that user. To stop this problem, you can set up the channel to only allow people to join if they have connected to the server with SSL. NOTE: You can only do this on a channel where everyone currently is already connected via SSL! If you try to do it when someone is not, it will not take. You will need to find out who is not connected via SSL and have them leave the channel (or reconnect with SSL) before you can do this.
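Finding out who in a channel is not on SSL, as this section and the /whois advice near the top of the page both require, can be automated over a client's raw log. The following is an added example, not part of the original wiki page; it assumes the server marks SSL users with WHOIS numeric 671 (RPL_WHOISSECURE), and the server name, nicknames and log lines are constructed.

```python
# Numerics: 353 = RPL_NAMREPLY, 318 = RPL_ENDOFWHOIS,
# 671 = RPL_WHOISSECURE (assumption: the server sends it for SSL users).
PREFIXES = "~&@%+"  # channel status prefixes that NAMES puts before a nick

def parse_line(line):
    """Split one raw IRC line into (command, [params])."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        line = line.split(" ", 1)[1]          # drop the server prefix
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)               # trailing parameter may contain spaces
    return params[0], params[1:]

def audit_channel(lines, channel):
    """Classify channel members from NAMES and WHOIS replies.

    A nick counts as secure only if a 671 arrived before its WHOIS ended.
    Members with no completed WHOIS are reported as unknown, never as secure.
    Nicks are compared in lower case (a simplification of IRC casemapping).
    """
    members, secure, finished = set(), set(), set()
    for raw in lines:
        if not raw.strip():
            continue
        cmd, p = parse_line(raw)
        if cmd == "353" and p[2].lower() == channel.lower():
            members.update(n.lstrip(PREFIXES).lower() for n in p[3].split())
        elif cmd == "671":
            secure.add(p[1].lower())
        elif cmd == "318":
            finished.add(p[1].lower())
    return {
        "secure": sorted(members & finished & secure),
        "plaintext": sorted((members & finished) - secure),
        "unknown": sorted(members - finished),
    }

# Constructed sample: what a client would log after /names and /whois per nick.
SAMPLE = """\
:irc.example.org 353 me = #riseup :@alice bob +carol dave
:irc.example.org 366 me #riseup :End of /NAMES list.
:irc.example.org 671 me alice :is using a secure connection
:irc.example.org 318 me alice :End of /WHOIS list.
:irc.example.org 318 me bob :End of /WHOIS list.
:irc.example.org 671 me carol :is using a secure connection
:irc.example.org 318 me carol :End of /WHOIS list.
""".splitlines()

if __name__ == "__main__":
    print(audit_channel(SAMPLE, "#riseup"))
```

Anyone listed under "plaintext" or "unknown" has to reconnect with SSL or leave before the SSL-only mode will take.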

To enforce SSL connections as a pre-requisite for joining the channel, follow these steps:
  1. First create a forward channel, where you will send people who try to join your channel without SSL. This channel is intended to give people information about what they need to do in order to properly join your channel. If you do not do this, then people will get a rude and uninformative message, "You are not invited". So create a new channel, and use the standard convention for forwarded channels by prepending a double ## in front of the channel name, e.g. /join ##riseup-notssl
  2. Set the topic on the forward channel so people will see it and get useful information: /topic ##riseup-notssl You have automatically been redirected to this channel because you tried to join #riseup without SSL encryption. You need to reconnect with SSL to join the channel, here is how: https://docs.indymedia.org/Sysadmin/SecureIRC if you need more help /join #ircd and ask
  3. Register your forwarded channel with chanserv: /msg chanserv register ##riseup-notssl
  4. Query chanserv so you can set a few options: /query chanserv
  5. Set the chanserv guard on: set ##riseup-notssl guard on
  6. Set the topic to stick: set ##riseup-notssl keeptopic on
  7. Set an entry message so that people will be told this information on joining, which is often better than /topic, which people tend to miss: set entrymsg ##riseup-notssl You have automatically been redirected to this channel because you tried to join #riseup without SSL encryption. You need to reconnect with SSL to join the channel, here is how: https://docs.indymedia.org/Sysadmin/SecureIRC if you need more help /join #ircd and ask
  8. Set the channel to be "secure": set ##riseup-notssl secure on
  9. Now set the mode on your channel you wish to secure (this channel must already exist): /mode #riseup +f ##riseup-notssl +iI $z
  10. Be sure to test that things work! Connect to IRC without SSL and then try to join your SSL-restricted channel. You should be redirected; if not, try again.
You may wish to set the mlock on your channel so that this SSL forwarded channel mode is always set.

Note: One person using chatzilla found that the mode command didn't work properly. They were able to get it to work by splitting it up into two different ones, so if you are having this problem, then try to do the mode commands one at a time like this: /mode #riseup +iI $z (this sets #riseup SSL-only); /mode #riseup +f ##riseup-notssl +iI $z (this sets the forward channel).


-- ChristopherMitchell - 04 Jun 2002

-- KellanKellan - 11 Jul 2002

-- ChristianBolstad - 10 Nov 2002

-- MarcinDeKaminski - 15 jan 2003

-- EdinhoFeli - 25 Feb 2003

-- link to SecureIRCde + SecureIRCcaesen -- SrI - 06 Oct 2003

-- Added link to SecureIRCcas -- TxopiTxopi - 3 Jan 2004

-- Added new description how to use plugin dll for mIRC -- ClarA - 7 March 2004

added link to back to irc how to -- AnA - 28 Apr 2004

-- Added link to SecureIRCpt -- EdinhoFeli - 02 May 2004

-- Added note about BitchX being obnoxious ShayneOneill - yeah yeah

-- added TOC -- AnNa - 15 Aug 2004

-- added mirc 6.14 + openssl -- AleX - 24 Aug 2004

-- added Mac OS X stunnel information on 2 sep 2004 InditeK

-- added information on X-Chat Aqua and a mirror of ssl.zip -- ChristianBolstad - 16 Nov 2004

-- minor edits -- PatrickPatrick 25 Aug 2005

-- added top section linking to quickie ssl web version -- PatrickPatrick 23 Sep 2005

-- rewrote the structure of the page so it sorts after IRC clients rather than operating system, added some easier to understand explanations and fixed a few typos. -- SimonShine - 08 Jan 2006

-- SimonShine - 27 Jan 2007 Added link to XChatInstall which will be created on this day as well.

-- SSL is now on port 6697, and hostnames are always obscured now. -- WilliamPitcock

-- Added details about setting up a secure channel -- MicahA - 20 Feb 2010
Topic revision: r48 - 21 Feb 2010, MicahA