Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
About the security of (unaffiliated) cloaks on freenode

Copyright (c) 2014, 2016, 2017 M. Teufel

Unlimited redistribution and modification of this document is allowed provided that the above copyright notice and this permission notice remains in tact.


If you are reading this, you probably asked for a (unaffiliated) cloak on freenode because you wanted to hide your IP or hostname.

This text is here to tell you that cloaks and vHosts don't hide your IP very well. Cloaks on freenode show your (lack of) affiliation with a project or a group being hosted on freenode.

There are many reasons how a cloak can leak your IP:

  • Your IP will still show up when a freenode staffer does a /whois on you.
  • Your IP will still show up when you don't identify using SASL, and don't have the cloak when joining channels. Even if your client is configured to wait before joining, a user can still get your IP with /monitor.
  • Your IP will still show up when you use SASL/NickServ authentication, but the services (NickServ, SaslServ) are down or on another side of a splitted network.
  • Your IP will still show up when you click on a link or accept a DCC file transfer.
  • If a normal user really wants to get your IP, it is still possible to use services or the IRCd to get your IP (not a bug).

How to prevent these leaks:

  • Use freenode's Tor hidden service or a VPN.
  • If you just care about your private IP, but not about the IP of a VPS, you can also run a private bouncer to prevent the leaks.

Both ways won't prevent you from clicking a link or accepting a DCC file transfer which will still leak your IP.

If you still have questions on this, ask a staffer or a helper in #freenode.

Feel free to send a private message or a memo to mt on freenode about any corrections on this gist.

@Mikaela

This comment has been minimized.

Copy link

Mikaela commented May 9, 2015

has been mentioned on #freenode sometimes and could probably be mentioned here for those wondering it. It's not impossible to google filetype:pdf irc uncloak.

@ntchambers

This comment has been minimized.

Copy link

ntchambers commented Jan 11, 2016

Might want to make a note here, that Freenode TOR services are indefinitely suspended

@maxteufel

This comment has been minimized.

Copy link
Owner Author

maxteufel commented Feb 7, 2016

@ntchambers Thanks, I've added a note about that.

Note that it's usually better to send me a private message or memo on freenode (see the last paragraph of the document), I often won't notice comments on this gist (they aren't sent per email).

@ntchambers

This comment has been minimized.

Copy link

ntchambers commented Feb 12, 2016

Thanks! Will do in the future

@tobsn

This comment has been minimized.

Copy link

tobsn commented Aug 29, 2016

@yan12125

This comment has been minimized.

Copy link

yan12125 commented Sep 25, 2016

Freenode's Tor hidden service is back: https://freenode.net/news/tor-online

@svbeon

This comment has been minimized.

Copy link

svbeon commented Jan 13, 2017

(an official version has now been on freenode.net for a while http://freenode.net/kb/answer/cloaks)

@kgbm3

This comment has been minimized.

Copy link

kgbm3 commented Jul 28, 2017

@tobsn please try and use, either: 1) freenode.net/ without the preceding protocol, or 2) https://freenode.net/ for the links, thanks!..:) Probably not in any etiquette, but it is a comm. site; dealing, with

@kgbm3

This comment has been minimized.

Copy link

kgbm3 commented Jul 28, 2017

@Mikaela "Both ways won't prevent you from clicking a link or accepting a DCC file transfer which will still leak your IP", is what that means (right!?)

Anyway, besides not enabling DCC and links in the IRC client, many -also- have an option to ignore: including CTCP; so, those are basically the three things to pay attention to. :)

^^ Plus, ofc., using (NickServ) umodes to block /query && these can be different depending on server software and config. +Rg on Freenode to not accept /msg from unidentified accounts and those not on the caller-id list /accept *

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.