Is NSA watching?

With all the recent news in the media regarding the US government and NSA backbone wiretapping, we thought it would be a good time to clarify what can and what cannot be intercepted on the ZEnet IRC Network.

ZEnet and its server admins take user privacy and integrity very seriously. We will never listen in on private or channel conversations (unless we are in the channel :)). Your services passwords are hashed and salted, and all internal communications between our servers are encrypted.

Unfortunately though, IRC is an old protocol (dating back to the late 80s). Back when IRC was created, there was no widespread use of encryption on the Internet.
Today, 25 years later, most people still don’t use encryption when connecting to IRC. Even if you already encrypt your IRC connection you should read the rest of this blog post to find out how to make sure that your messages are encrypted all the way to the recipients.

Who can intercept?

Anyone who is able to place a tap anywhere in the path between you and the IRC server you connect to could potentially be listening in on your conversations.

This includes, but isn’t limited to, the following entities:

  • Your network operator (family member, workplace)
  • Your ISP (internet service provider)
  • Your ISP’s upstream provider(s) (and their providers)
  • Governments
  • VPN provider (when using VPN)
  • BNC provider (when using BNC)
  • Tor exit nodes (when using Tor)
  • Proxy operator (when using a proxy service)
  • ZEnet sponsors/ISPs and their upstream providers
  • ZEnet

(This is also true for any other unencrypted traffic, including web surfing (non-https))

Encrypting your IRC traffic

We strongly encourage using encryption when connecting to our IRC servers.
All our servers accept SSL connections on port 6697.

  • mIRC: /server irc.zenet.org:+6697 (OpenSSL needs to be installed first)
  • X-Chat/HexChat: /server -ssl irc.zenet.org 6697
  • Irssi: /server -ssl irc.zenet.org 6697
  • ZNC (bnc): /znc AddServer irc.zenet.org:+6697
    Please note: when using a BNC provider, the provider is able to intercept all your IRC traffic – even if it’s encrypted both ways. Only use BNC providers you can trust and never use free/public BNC services.

After reconnecting, do a /whois on yourself and make sure the reply contains “is using a Secure Connection”.
Note: When using a secure connection to IRC, you will automatically get user mode +z.

Okay, I’m encrypting the IRC connection, am I in the clear?

The short answer is no.

For an IRC network to have any purpose, messages you send to the network must exit somewhere to reach everyone who should see that message – if any of the recipients of the message isn’t using an encrypted connection to IRC your message will be sent in plain text to that recipient (and anyone in the path between ZEnet and them could intercept the messages).

When talking one-on-one in a query, you can check if the outgoing messages are encrypted by doing a /whois on the person you’re talking to. If they use SSL, the message “is using a Secure Connection” will show up in their whois reply.

If you want to enforce encryption in your channel, you can set channel mode +z (/mode #channel +z) to disallow anyone who isn’t using an encrypted connection from joining the channel.
Note: As with most other channel modes that affect who can join a channel (+i, +l, +k, etc), +z won’t affect anyone who is already in the channel when the mode is set. You must manually check that everyone is using a secure connection using /whois when initially enabling +z.
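
The manual /whois check described above can be scripted against the raw server replies. The following is an added example, not ZEnet's own code: it assumes the server sends the “is using a Secure Connection” line as numeric 671 (RPL_WHOISSECURE), which this post does not state, and the sample lines, host names and nicks are constructed.

```python
# Added example: flag channel members with no secure-connection WHOIS reply.
SECURE_NUMERIC = "671"  # assumption: RPL_WHOISSECURE; the post gives only the text

def parse_line(line):
    """Split one raw IRC server line into (command, params)."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):              # drop the ":server.name" prefix
        line = line.partition(" ")[2]
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:                               # trailing parameter may contain spaces
        params.append(trailing)
    return (params[0], params[1:]) if params else ("", [])

def unverified_members(raw_lines, members):
    """Return members for whom no secure-connection WHOIS line was seen."""
    secure = set()
    for line in raw_lines:
        cmd, params = parse_line(line)
        # Numeric replies look like: <numeric> <our nick> <target nick> ...
        # Key on the numeric, not the text: the real name (311) and the away
        # message (301) are user-controlled and can contain the same words.
        if cmd == SECURE_NUMERIC and len(params) >= 2:
            secure.add(params[1].lower())  # simple case folding of nicks
    # Fail closed: a member with no WHOIS reply at all is also reported.
    return [m for m in members if m.lower() not in secure]

# Constructed sample replies for three WHOIS requests (no reply for "dave").
SAMPLE = [
    ":irc.example.net 311 me alice al host1.example * :Alice",
    ":irc.example.net 671 me alice :is using a Secure Connection",
    ":irc.example.net 318 me alice :End of /WHOIS list.",
    ":irc.example.net 311 me bob bob host2.example * :is using a Secure Connection",
    ":irc.example.net 301 me bob :is using a Secure Connection",
    ":irc.example.net 318 me bob :End of /WHOIS list.",
]

if __name__ == "__main__":
    print(unverified_members(SAMPLE, ["Alice", "bob", "dave"]))
```

Anyone this returns should be asked to reconnect over SSL or be removed from the channel, since +z alone will not affect them.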
