@maxteufel
Last active October 21, 2021 16:50
About the security of (unaffiliated) cloaks on freenode

Copyright (c) 2014, 2016, 2017 M. Teufel

Unlimited redistribution and modification of this document is allowed provided that the above copyright notice and this permission notice remains in tact.


If you are reading this, you probably asked for an (unaffiliated) cloak on freenode because you wanted to hide your IP or hostname.

This text is here to tell you that cloaks and vHosts don't hide your IP very well. Cloaks on freenode show your (lack of) affiliation with a project or a group being hosted on freenode.

There are many ways a cloak can leak your IP:

  • Your IP will still show up when a freenode staffer does a /whois on you.
  • Your IP will still show up when you don't identify using SASL, and don't have the cloak when joining channels. Even if your client is configured to wait before joining, a user can still get your IP with /monitor.
  • Your IP will still show up when you use SASL/NickServ authentication, but the services (NickServ, SaslServ) are down or on the other side of a split network.
  • Your IP will still show up when you click on a link or accept a DCC file transfer.
  • If a normal user really wants to get your IP, it is still possible to use services or the IRCd to get your IP (not a bug).

How to prevent these leaks:

  • Use freenode's Tor hidden service or a VPN.
  • If you just care about your private IP, but not about the IP of a VPS, you can also run a private bouncer to prevent the leaks.

Neither approach protects you if you click a link or accept a DCC file transfer; both will still leak your IP.
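
The SASL-related leaks in the list above all come down to a connection that finishes registering without a successful login. As an added example (not part of the original gist), the client-side check below fails closed: it allows `CAP END` only after SASL success and otherwise tells the client to quit before registration completes. It assumes that a successful SASL login is what gets the cloak applied, that the client requested only the `sasl` capability, and that the server uses the numerics from the IRCv3 SASL specification; the function names and sample lines are constructed.

```python
# Added example (not from the gist): fail closed during IRC registration.
# Numerics are from the IRCv3 SASL specification; function names are hypothetical.
SASL_FAIL = {"902", "904", "905", "906"}  # nick locked, failed, too long, aborted
SASL_OK = "903"                           # RPL_SASLSUCCESS

def parse(line):
    """Split a raw IRC line into (COMMAND, params), dropping tags and prefix."""
    line = line.rstrip("\r\n")
    while line.startswith(("@", ":")):    # message tags, then source prefix
        line = line.partition(" ")[2].lstrip()
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if sep:
        parts.append(trailing)
    return (parts[0].upper(), parts[1:]) if parts else ("", [])

def registration_action(lines):
    """Return 'CAP END' only after SASL success; 'QUIT' in every other case."""
    caps = set()
    for raw in lines:
        cmd, params = parse(raw)
        if cmd == "CAP" and len(params) >= 3:
            sub = params[1].upper()
            if sub == "LS":
                caps.update(c.split("=")[0] for c in params[-1].split())
                # "CAP * LS * :..." is a continuation; the final line has 3 params
                if len(params) == 3 and "sasl" not in caps:
                    return "QUIT"         # services down or SASL not offered
            elif sub == "NAK":
                return "QUIT"             # assumes the only CAP REQ was for sasl
        elif cmd in SASL_FAIL or cmd == "001":
            return "QUIT"                 # login failed, or registered without it
        elif cmd == SASL_OK:
            return "CAP END"              # safe to finish registration and join
    return "QUIT"                         # stream ended or timed out first

# Constructed sample exchanges (server lines only), not captured traffic.
SERVICES_UP = [
    ":irc.example CAP * LS * :account-notify extended-join",
    ":irc.example CAP * LS :multi-prefix sasl=PLAIN,EXTERNAL",
    ":irc.example CAP nick ACK :sasl",
    "AUTHENTICATE +",
    ":irc.example 903 nick :SASL authentication successful",
]
SERVICES_DOWN = [":irc.example CAP * LS :account-notify multi-prefix"]
LOGIN_FAILED = SERVICES_UP[:4] + [":irc.example 904 nick :SASL authentication failed"]
```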

If you still have questions on this, ask a staffer or a helper in #freenode.

Feel free to send a private message or a memo to mt on freenode about any corrections on this gist.

@Mikaela

Mikaela commented May 9, 2015

has been mentioned on #freenode sometimes and could probably be mentioned here for those wondering it. It's not impossible to google filetype:pdf irc uncloak.

@uplime

uplime commented Jan 11, 2016

Might want to make a note here, that Freenode TOR services are indefinitely suspended

@maxteufel
Author

@ntchambers Thanks, I've added a note about that.

Note that it's usually better to send me a private message or memo on freenode (see the last paragraph of the document), I often won't notice comments on this gist (they aren't sent per email).

@uplime

uplime commented Feb 12, 2016

Thanks! Will do in the future

@tobsn

tobsn commented Aug 29, 2016

@yan12125

Freenode's Tor hidden service is back: https://freenode.net/news/tor-online

@swantzter

(an official version has now been on freenode.net for a while http://freenode.net/kb/answer/cloaks)

@nostromov

@tobsn please try and use, either: 1) freenode.net/ without the preceding protocol, or 2) https://freenode.net/ for the links, thanks!..:) Probably not in any etiquette, but it is a comm. site; dealing, with

@nostromov

@Mikaela "Both ways won't prevent you from clicking a link or accepting a DCC file transfer which will still leak your IP", is what that means (right!?)

Anyway, besides not enabling DCC and links in the IRC client, many -also- have an option to ignore: including CTCP; so, those are basically the three things to pay attention to. :)

^^ Plus, ofc., using (NickServ) umodes to block /query && these can be different depending on server software and config. +Rg on Freenode to not accept /msg from unidentified accounts and those not on the caller-id list /accept *

@h1z1

h1z1 commented Oct 4, 2019

Found this by accident, I was surprised and confused at the revelation at how cloaks work. Side channel attacks and staff intervention aside, it should not be possible to determine a user's IP yet the answers I keep getting are that it is.

I've yet to find -how-. Freenode staff certainly will not talk about it.

If a normal user really wants to get your IP, it is still possible to use services or the IRCd to get your IP (not a bug).

?

@mwgamera

The PDF linked in the first comment seems boring at first glance, but further down it claims that it was possible to find one's address by basically enumerating IP addresses in bans on channel and then asking services to unban the targeted nick and observing which masks are removed.
