IRC with SSL and OTR encryption
Antonio Gioia, 2015
IRC is a chat protocol active since early nineties, it belongs to a time when internet services were developed for the sake of communication rather than for profit, intrusive advertising and social control.
You can chat on IRC with people all around the world, using strong encryption, in a matter of minutes.
There are plenty of IRC servers with hundreds active channels each, all you need is a IRC client to access them. This article shows how to properly configure the open source IRC client Irssi to achieve an encrypted connection between your client and the server you connect and even more between you and the people you chat with.
Irssi is a minimal command line IRC client available for most Linux distributions, on recent Ubuntu and Debian is already compiled with SSL support but to enable OTR you need to install a plugin:
apt-get install irssi irssi-plugin-otr
After installation start the client typing:
Specify your identity with those commands:
/set real_name your_nickname /set user_name your_nickname /set nick your_nickname
Official documentation of the OTR plugin suggests to set the following option to speed up sessions:
/set cmd_queue_speed 1msec
To save configuration enter:
You can now connect to a server and chat on IRC. Use the commands
/connect to connect to a server,
/join to join a channel (or create a new one if does not exist) and
/query to start a private conversation with somebody.
By default IRC establish a not secure connection but is very easy to improve security using SSL and OTR.
SSL creates an encrypted connection between your client and the IRC server. Assuming you want to connect to Indymedia IRC server, you would type:
Improve this command with SSL: you need to add the
-ssl option and the server port:
/connect -ssl irc.indymedia.org 6697
That’s it. To verify the secure connection you can whois your self typing:
Press Alt + 1 to go to the main window of Irssi and read the response, press Alt + Left (or Right) Arrow to jump between open sessions.
If you cannot install an IRC client or your client does not support SSL, a few most popular IRC servers allow you to connect directly via web browser using HTTPS (secure HTTP connection with SSL). For example you can access Indymedia IRC server via https://chat.indymedia.org as well.
Check the homepage of your favorite IRC server for instructions about SSL configuration.
OTR (Off-the-Record Messaging)
OTR protocol provides encryption, authentication, deniability and perfect forward secrecy for instant messaging chat sessions. It works with IRC, Pidgin, Adium, Jitsi, WeeChat and many others.
In Irssi to enable OTR plugin you must load it from main window (press Alt + 1), type:
It’s handy to add in the status bar a notification that tells you the state of the OTR session, type:
/statusbar window add otr
A session can have 4 different states:
Remember to save the configuration with:
You can automatically load OTR at startup adding the load command in Irssi startup file, type in a separate terminal:
echo “load otr” >> ~/.irssi/startup
Last step is to create a key to be used by your account on a certain IRC server. Once OTR is loaded type:
/otr genkey email@example.com
Verify the status of the process (might take a while) typing:
You need to wait until the key is generated to start using OTR.
OTR only works if both you and the person you want to chat have it installed and enabled. Assuming you are both connected to same server, open a private chat session and then start OTR typing:
Once you want to finish th OTR session type:
But are you really sure the person you are chatting with is the person you think he/she is?
You can authenticate each other in 3 different ways, remembering that the best way to verify a key fingerprint or share a secret for authentication is to meet face to face or through encrypted email (GPG).
1. Use a shared secret that you both know
Use the command:
/otr auth secret
Example: both you and the other person like the same punk band. You both agree to authenticate using the name of the band as secret. In real world scenario you would say something like:
you > let’s check if it’s really you, let’s authenticate with the name of our favorite punk band
person > ok, let’s do it ;)
Assuming the favorite band name is Wolfbrigade, now you both type in your own client:
/otr auth wolfbrigade
If you both type the same band name, you can assume that person is really your friend.
2. Ask a question to verify if the other person can answer correctly.
/otr authq [question] secret
For example, I know that the person I want to chat knows my favorite punk band is Wolfbrigade. I can use this to verify he/shw knows that:
/otr authq [what’s the name of my favorite punk band?] wolfbrigade
If the person’s answer is correct (in this case wolfbrigade) you can authenticate that person.
3. Trust the fingerprint
/otr trust fingerprint
You can print on screen the key fingerprints to verify:
Or your own key fingerprint:
For example you can share the fingerprints via GPG-signed emails, if the person fingerprint matches with the one visualized on your client then you can assume you can trust that user.
/otr trust 6DAB45AA 5569FFAC EEFA5122 C5C501FF ECEC4BFC
Of course the fingerprint above is not real. You should never copy / paste your fingerprint anywhere, share it only with secure means of communications.
You can abort an authentication with:
Distrust a fingerprint:
/otr distrust fingerprint
And remove it from fingerprints file:
/otr forget fingerprint
Feel free to save or share this article. If you notice a mistake or want to contribute to a revision of the article contact me at firstname.lastname@example.org.