💾 Archived View for tilde.town › ~dzwdz › b › ctcp.gmi captured on 2024-08-31 at 12:11:12. Gemini links have been rewritten to link to archived content

fingerprinting people on IRC with no privileges

TL;DR If you want to join an IRC server anonymously, your best bet is to use e.g. a Tails VM. Conventional IRC clients allow correlating seemingly isolated connections to different servers.

Let me clarify the threat model. Let's say I'm "dzwdz" on one server, and "notdzwdz" on another. I'm using a single client for both, but "notdzwdz" is proxied through Tor and has distinct default nicknames/quit messages/etc. All the obvious privacy leaks are taken care of. I don't want anyone to be able to tell that I'm behind both those identities.

https://modern.ircdocs.horse/ctcp.html

Basically - IRC supports this thing called CTCP. It's usually used for `/me`, but there are two other interesting messages:

They're not immediately critical, but as the responses are the same for all connections, they allow easy correlation of people between servers. So far I only tested this on ergo -- not only did I not need any privileges to send those commands, I was even able to send them to a public channel -- and quickly gather back responses from everyone there. If I suspected anyone in that channel was also on some other server under another identity, I could go to that server, join the suspected channel, run the same commands, and compare. Yes, this isn't a big information leak -- but for fingerprinting purposes even small leaks are very useful.
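One way to close this leak on the client side is to never answer CTCP queries at all. The sketch below is an added example, not code from this post or from any IRC client: it assumes a filter that sees raw server lines before the client does, lets only ACTION (`/me`) through, and logs whether a dropped query was sent to a channel or directly. The sample traffic is constructed; VERSION and CLIENTINFO appear in it only as real CTCP message names picked for illustration.

```python
import re

CTCP_DELIM = "\x01"
# Assumption: only ACTION (/me) is let through; everything else goes unanswered.
ALLOWED = {"ACTION"}
LINE_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<verb>\S+) (?P<target>\S+) :?(?P<body>.*)$")

def parse_ctcp_query(line):
    """Return (nick, target, command, params) if line is a CTCP query, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    # Queries arrive as PRIVMSG; NOTICE carries replies, which need no answer.
    if not m or m["verb"].upper() != "PRIVMSG":
        return None
    body = m["body"]
    if not body.startswith(CTCP_DELIM):
        return None
    body = body[1:]
    if body.endswith(CTCP_DELIM):  # some clients omit the closing delimiter
        body = body[:-1]
    command, _, params = body.partition(" ")
    nick = (m["prefix"] or "").split("!", 1)[0]
    return nick, m["target"], command.upper(), params

def decide(line):
    """Return (verdict, note): 'pass' = not a CTCP query, 'allow' = allowlisted,
    'drop' = withhold from the client so it never auto-replies."""
    query = parse_ctcp_query(line)
    if query is None:
        return "pass", None
    nick, target, command, _ = query
    if command in ALLOWED:
        return "allow", None
    scope = "channel-wide" if target[0] in "#&" else "direct"
    return "drop", f"{scope} CTCP {command} from {nick} to {target}"

# Constructed sample traffic (nicks, hosts and channel are made up).
SAMPLE = [
    ":alice!a@host.example PRIVMSG #town :hello there",
    ":alice!a@host.example PRIVMSG #town :\x01ACTION waves\x01",
    ":mallory!m@host.example PRIVMSG #town :\x01VERSION\x01",
    ":mallory!m@host.example PRIVMSG notdzwdz :\x01CLIENTINFO",
    ":bob!b@host.example NOTICE notdzwdz :\x01VERSION someclient 1.0\x01",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(decide(raw))
```

A channel-wide "drop" note is the interesting one to watch for in logs: it means someone asked every client in the channel at once.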

This is mostly a PSA, I guess. I'll also send this to the admins of tilde.chat to ask if I could experiment there, and to estimate just how bad this is. Also sorry for the shit writing but it's almost 1AM here. Cya~