hgc 8b621c16d4 patch impersonation bug 2021-03-30 23:59:55 +11:00
.gitignore add typer and remove non pycrypto code 2021-03-18 21:58:21 +11:00
.travis.yml You should use Travis CI 2013-05-21 21:30:07 +03:00
LICENSE Add explicit public domain license 2015-03-11 21:48:09 -07:00
README.md Add explicit public domain license 2015-03-11 21:48:09 -07:00
Requirements.txt add typer and remove non pycrypto code 2021-03-18 21:58:21 +11:00
croxy.py patch impersonation bug 2021-03-30 23:59:55 +11:00
test.py Handle short unencrypted messages 2013-05-21 17:49:58 -07:00

WARNING: Currently the salt that croxy uses is hard-coded. This reduces the safety of the encryption. Contributions welcome :-)

Croxy: Encrypting IRC proxy

Croxy sits between your IRC client and the IRC server, encrypting (AES-256) and decrypting all messages as they go through. People in the public channel without croxy, or with the wrong password, will see things like 3kOUXrxZzdJbqan21MpxNcycfrwylXNABtGSLyNCKWU= instead of your messages.

Install

There is no install, you just run the script. You must have Python v3.2+ (you probably already do).

Download croxy.py.

Run

Just run the script, giving the address of the IRC server you want to connect to.

python3 croxy.py irc.freenode.net

For other networks, put that network's address in place of irc.freenode.net. The default port used is 6697, which is the default IRC SSL port. To use a different port (it must support TLS/SSL), add it to the end of the line like this: python3 croxy.py irc.example.com 7778. Croxy will only connect over TLS/SSL, not over plaintext.

It will ask you for the password to use for encryption. Everyone in the channel will need to use the same password to communicate.

Then point your IRC client to localhost (default port 6667), and away you go.

The window in which you started Croxy will display the traffic as the remote server sees it. If it's encrypted in that window, it's encrypted on the server. Only PRIVMSG are encrypted - those are the messages you type into your client. Nickname changes, joining a channel, etc., are NOT encrypted (otherwise the remote IRC server would get very confused).

Correct usage

Security of your messages depends on the security of the shared password. You need a way to exchange the password so that the recipients know it came from you, and only the recipients can read it. The answer is GnuPG. Try GPG Quick Start.

A. Exchange public keys with all the people who will be in your channel.

  • Generate your own key, if you haven't already: gpg --gen-key
  • Export your public key: gpg --armor --output pubkey.txt --export 'Your Name'
  • Upload that public key: gpg --keyserver pgp.mit.edu --send-keys 'Your Name'
  • Get all your friends to do that too
  • Import your friends' keys: gpg --keyserver pgp.mit.edu --search-keys 'myfriend@example.com'

B. Every day, send the password in an encrypted, signed message to those people.

  • gpg --encrypt --sign --armor -r friend1 -r friend2 password.txt

C. Start Croxy!

Smallprint

Vulnerability to traffic analysis

Croxy protects what you say, not who you say it to. In other words, people watching will be able to see who you are talking to, and when, but not what you are saying. If this concerns you, you should connect to the IRC server using Tor. It also makes sense to use a nick different from your usual one.

Ensuring forward secrecy

You should change the password every day, so that if the password is compromised you lose a single day of logs. Ideally someone from your channel should send the new password (GnuPG encrypted and signed) to all participants, each morning.

Can I trust the crypto?

Honestly, I can't say, but here are some things that might make you feel safer:

  • The AES / Rijndael implementation (which does the actual cryptography) comes from tlslite. It is used both by Google for its official GData Python API and by Opera.

  • The PBKDF2 implementation is from Django.

  • If you install pycrypto 2.6+ (sudo pip-3.2 install pycrypto) croxy will detect and use that automatically for AES. The built-in AES implementation is compatible with pycrypto.
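
The warning at the top about the hard-coded salt, and the PBKDF2 step mentioned above, can be illustrated with Python's standard library. This is an added example, not croxy's own code: the salt value, iteration count, hash choice and the `<salt hex>:<password>` layout for password.txt are all assumptions made for illustration.

```python
import hashlib
import secrets

# Assumed values for illustration only: croxy's real salt, hash and
# iteration count are not given on this page.
FIXED_SALT = b"constructed-fixed-salt"
ITERATIONS = 100_000
KEY_LEN = 32  # bytes, i.e. an AES-256 key


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the shared password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)


def make_bundle(password: str) -> str:
    """Hypothetical password.txt content: '<salt hex>:<password>'.
    The salt is not secret; it only has to be unique per group and rotation."""
    return f"{secrets.token_bytes(16).hex()}:{password}"


def key_from_bundle(bundle: str) -> bytes:
    """Every recipient of the same bundle derives the same key."""
    salt_hex, _, password = bundle.strip().partition(":")
    if len(salt_hex) != 32 or not password:
        raise ValueError("expected '<32 hex chars>:<password>'")
    return derive_key(password, bytes.fromhex(salt_hex))


def demo():
    password = "correct horse battery staple"  # constructed sample
    # Fixed salt: two unrelated groups with the same password share one key,
    # so work spent on one password->key mapping applies to every deployment.
    fixed_same = derive_key(password, FIXED_SALT) == derive_key(password, FIXED_SALT)
    # Per-group salt: same password, different keys.
    group_a, group_b = make_bundle(password), make_bundle(password)
    salted_same = key_from_bundle(group_a) == key_from_bundle(group_b)
    # Members of one group still agree with each other.
    members_agree = key_from_bundle(group_a) == key_from_bundle(group_a + "\n")
    return fixed_same, salted_same, members_agree


if __name__ == "__main__":
    print(demo())
```

Because the salt is not secret, it can travel in the same GnuPG-encrypted, signed message as the daily password.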

License

Croxy is free software. It includes code from different sources. All code is either dedicated to the public domain by its authors, or available under a BSD-style license. In particular:

Code written by Trevor Perrin (AES) is free and unencumbered software released into the public domain.

Code written by Bram Cohen (rijndael) was dedicated to the public domain by its author.

Code from Django Software Federation (pbkdf2) is BSD licensed.

All other code in Croxy is (c) 2013-2015 Graham King, released into the public domain. See LICENSE file.

Testing

To run the unit tests:

python3 test.py

For code coverage (first pip-3.2 install coverage):

coverage3 run test.py
coverage3 report --include=croxy.py --show-missing

Happy safe chat!