How to safely use Hexchat and other IRC clients?

I am not familiar with Hexchat and whether there are any security settings. I noticed, for example, that @ouroumov uses a secure connection while others don't. What is there to know about security when using Hexchat?

You gotta connect to the server using TLS on a non-standard port:

1 Like

Thanks for looking into this. I wrote a couple of follow-up questions so that others may check their Hexchat security as well. I think this is important because many beginners such as myself may have never used Hexchat, yet need to use it to find help on the #ubuntu-mate channel.

So in case I want to safely connect to the Ubuntu-Mate network, I first click on Ubuntu Servers (freenode) and then on the Edit button on the right to reach this menu.

  1. If I want to join another network, do I have to set it manually each time or is there some way to make Hexchat secure by default, independently of a specific network setting?

  2. What is the difference between the three options in the upper corner of your screenshot? Does the first one (chat.freenode.net/+6697) refer to the non-standard port that you mentioned and why would this be considered a better option than the other two in terms of security?

  3. Do I understand it correctly that ticking the box Use SSL for all the servers on this network refers to the cryptographic protocol TLS that you mentioned?

No, because every server won’t be using the same ports for their SSL connections.
freenode uses 6697, but some other servers I use are listening on 6600, 7000, etc.

Yes, this is the non-standard port. Default (unencrypted) port for IRC protocol is 6667.
This is a better option regarding security only if you register a nickname on the network.
SSL secures the communication between you and the server, BUT only that.
When you send your nickname’s password to the server, that password is therefore encrypted, but everything you say on the chat will only be encrypted until it reaches the server.
The server then forwards your message to every other person on the channel, therefore if only one of those is connected using a non-secure connection, your message will effectively be public.
Actually, it’s always the case even if everyone on the channel has a secure connection because that channel is logged publicly as is every Ubuntu official support channel.

Yes. SSL is a language abuse: it’s the old version of the actual protocol in use nowadays: TLS
See: https://en.wikipedia.org/wiki/Transport_Layer_Security

Edit: you got it!

* [maro] card.freenode.net :Washington, DC, USA
* [maro] is using a secure connection
* [maro] idle 00:15:12, signon: Fri Aug  5 12:21:56
* [maro] End of WHOIS list.
4 Likes
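
Added example, not part of any post in this thread: a small parser that applies the point made above (TLS only protects your own hop to the server) by reading raw WHOIS replies and listing members with no "is using a secure connection" line. The sample replies, nicks and server name are constructed, and it assumes the network reports TLS users with numeric 671.

```python
# Constructed raw WHOIS replies (nicks, hosts and server name are made up).
# Assumption: the network sends numeric 671 (RPL_WHOISSECURE) for TLS users;
# on a network that never sends it, "no 671" proves nothing.
RAW = """\
:irc.example.net 311 me alice ~alice host1.example * :Alice
:irc.example.net 312 me alice irc.example.net :Example server
:irc.example.net 671 me alice :is using a secure connection
:irc.example.net 318 me alice :End of /WHOIS list.
:irc.example.net 311 me Bob ~bob host2.example * :Bob
:irc.example.net 318 me bob :End of /WHOIS list.
:irc.example.net 311 me carol ~carol host3.example * :Carol
:irc.example.net 671 me carol :is using a secure connection
"""


def parse_line(line):
    """Split one raw IRC line into (command, params), dropping the prefix."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        _prefix, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return params[0], params[1:]


def tls_status(raw):
    """Return {nick: uses_tls} for every WHOIS that finished (318 seen)."""
    secure, status = set(), {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        cmd, params = parse_line(line)
        if len(params) < 2:
            continue
        nick = params[1].lower()        # params[0] is our own nick
        if cmd == "671":                # "is using a secure connection"
            secure.add(nick)
        elif cmd == "318":              # end of WHOIS: verdict is final
            status[nick] = nick in secure
            secure.discard(nick)
    return status


def plaintext_members(raw):
    """Nicks whose completed WHOIS carried no secure-connection line."""
    return sorted(n for n, ok in tls_status(raw).items() if not ok)


if __name__ == "__main__":
    print("not on TLS:", plaintext_members(RAW))
```

A WHOIS that never reaches its end-of-list line (carol in the sample) is left out rather than guessed at.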

One feature Hexchat is missing (and I think all GUI IRC clients?) is the ability to log on with your own client certificate. I prefer CLI irc clients myself, but never understood why GUI clients don’t implement it.

There are two advantages to it. One is no more passwords need to be exchanged between client and server. This may be a bit redundant considering the password would be encrypted anyways. But it saves the trouble of yet another password you need to remember or store in your password manager. The second advantage is that you can’t really forge an SSL certificate, which makes identity theft nigh impossible.

The only annoying thing about it is that some servers (freenode is NOT one of them, thank goodness) don’t support cloaking if you don’t authenticate normally through NickServ. So you find yourself in the odd situation that, if you want hostname cloaking, you still need to log in to NickServ with a password after you authenticated with your certificate. If you don’t need or care for cloaking, then the certificate will be enough.


Client certificates are fairly easy to issue on Linux. Here’s a recipe:

# The following issues and stores a client certificate valid for 2 years:
$ openssl req -newkey rsa:2048 -days 730 -x509 -keyout mycert.key -out mycert.crt -nodes
# Create the target directory first, readable only by you:
$ mkdir -p -m 700 ~/.certs
$ cat mycert.crt mycert.key > ~/.certs/mycert
$ chmod 600 ~/.certs/mycert
$ rm mycert.crt mycert.key

# And this is how to get the fingerprint that is requested by a server
# when first registering the certificate:
$ openssl x509 -sha1 -fingerprint -noout -in ~/.certs/mycert | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'

This certificate can be used anywhere that accepts SSL client certificates, not just IRC.

Pro tip: don’t name your certificate like I did. And don’t store it in a .certs folder or anything of the kind. Instead make it completely non-obvious what the file is. A certificate can’t be forged, but can be stolen.

I’m “rahtgaz” on the ubuntu-mate channel, btw.

1 Like
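
Added example, not part of the post above: what the fingerprint pipeline in the recipe produces, and a check that the combined certificate-plus-key file is not readable by other local users. The bundle below is constructed from placeholder bytes (not a real X.509 certificate), and the function names are this example's own.

```python
import base64
import hashlib
import os
import re
import stat

# Constructed stand-in for the DER bytes of a certificate. The fingerprint
# is a hash of whatever bytes sit inside the CERTIFICATE block.
SAMPLE_DER = bytes(range(96))
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n"
)

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def certfp_sha1(bundle_text):
    """SHA-1 over the DER certificate only: lowercase hex, no colons."""
    m = PEM_CERT.search(bundle_text)
    if m is None:
        raise ValueError("no CERTIFICATE block in bundle")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest()


def normalise_openssl(line):
    """Same result as the recipe's sed: strip label, drop colons, lowercase."""
    return line.rsplit("=", 1)[-1].replace(":", "").strip().lower()


def key_file_problems(path):
    """Report permissions that let group or others read the private key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path} has mode {mode:03o}; expected 600"]
    return []


if __name__ == "__main__":
    print("fingerprint:", certfp_sha1(SAMPLE_BUNDLE))
```

The private key block in the same file does not affect the fingerprint, so the value registered with a server reveals nothing about the key; anyone who can read the file itself can still authenticate with it.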

I expanded the original title a bit (+ and other IRC clients). Instead of starting a new thread I think it is helpful to allow comparison of different IRC clients in terms of security and to have this information easily accessible at one place.

When clicking on an IRC link or typing this one (irc://irc.freenode.net/#ubuntu-mate) into Firefox, I am presented with two options: to open it with Hexchat or with Mibbit.com.

What are the advantages and disadvantages of using a web-based IRC client such as Mibbit compared to a desktop-based IRC client such as Hexchat?

Basics: When to use IRC? In what cases would you discourage using IRC-based client software? I guess my question is also somewhat related to what type of technology IRC is, why it has been around for such a long time, and how this protocol is different from others used in more privacy-conscious chat software.