Freenode is interested in your security. As such, they have two hidden Tor servers available for you to use. They have actually been using the hidden servers for a while now, but they just added a new one, and the added security benefits are great!
First, aside from end-to-end encryption, which is a bonus of connecting to hidden servers in general, when connecting to the new hidden server, you won’t be blocked when there is Tor abuse on the network. From time to time, spammers and such will abuse the Freenode network using Tor. They’ll join-flood channels, post tons of vulgarity, and use other methods to make the experience unpleasant for others. So, because using Tor makes you exempt from K-lines and the like, the spammers are just relentless in their pursuit to make others miserable. The answer? Block Tor connections until the spammers get bored, then reopen them for honest users.
But, what does this mean for you when you get disconnected? You won’t be able to connect either. As such, you either join exposing your identity and IP address, or you wait until it blows over, which could be a great deal of time.
The Freenode staff was concerned with the honest users not being able to connect, so they set up a second server with some extra security. The idea is to create an MD5 hash of your connecting password and digitally sign it with your GPG key, thus saying you are who you say you are. This gives up a little bit of your privacy when using Tor. You are no longer 100% anonymous. But, you aren’t giving up your IP and you still have the end-to-end connection.
So what’s the benefit? The benefit is being able to still connect to the network when they are blocking Tor connections due to abuse. I know what you’re thinking: can’t the spammers and abusers use that service also? Yes, but once they start spamming again, their privilege is revoked, they are K-lined, and they won’t be able to reconnect. This gives the control back to the network staff, while your privacy is still intact.
So, let’s look at how to connect to the new hidden server. This post aims to be a brief tutorial on connecting to the new hidden server that Freenode offers, as the tutorial on their page could use a little polish.
First, if you haven’t already, install Tor and Privoxy. If you are using irssi, you won’t need Privoxy, as irssi doesn’t leak DNS packets. Other apps, like XChat and Gaim, will need it.
Next, you need to add a line to your /etc/tor/torrc file. I just add it right at the top. No need to add it elsewhere in the file. You are going to take advantage of MapAddress as irssi (the client I use) is completely IP based, and doesn’t understand the *.onion addresses.
mapaddress 10.40.40.41 5t7o4shdbhotfuzp.onion
Now, when connecting to the hidden server, you just ‘/connect 10.40.40.41’ and you’re set. If you’re good, you can add a server or alias in irssi that will make it even easier to connect.
Next, we need to create an MD5 hash. We are going to hash the password that we are going to use to connect to the hidden server. Yes, connections to this server are blocked without a password. You need a password for access. Pull up a terminal, and type:
mkpasswd -H md5
Now, I prefer to also have the -s switch, so I can see what I am typing. It’s entirely up to you whether or not you want to see it. It just makes it easier to know whether or not I made a typing mistake.
Now, you have your hash. You should already know the nick that you use when connecting to IRC, so we need to add our nick and our hash to one file, digitally sign it using our GPG key, encrypt it and send it to the Freenode staff. So, my nick is atoponce, and let’s say I chose ‘mypass’ as my password. Here is how I would go about it:
aaron@hercules:~$ mkpasswd -s -H md5
Password: mypass
$1$9tULXlDd$6tMxOMPELST288GB2EaYV/
Now I have my hash. I need to get that and my nick into a text file, sign it, then encrypt it. First, I need a GPG key pair. If you don’t have one, stop and create one. Also, you will need the Freenode staff shared public key. You can find their key here. Once you have everything, and are ready to continue, in your terminal:
aaron@hercules:~$ echo 'atoponce $1$9tULXlDd$6tMxOMPELST288GB2EaYV/' | gpg --gnupg -sea -r 035D6B1D
After you enter your GPG passphrase, and confirm to the program that you want to encrypt using their key, you will have a GPG ASCII-armored block of text. That text block is the digitally signed and encrypted nick and hash that you provided. This block of text is what Freenode needs to verify you are who you say you are. They will decrypt the file and verify your signature.
Either copy that text into a separate text file, or into the email directly, sign and/or encrypt your new email that you are typing, and send it off to staff at freenode dot net, and wait for your reply.
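The hash-and-sign steps above, as an added example that is not part of the original post: it checks that the "nick hash" line is well formed before it reaches gpg, and shows why the post's echo uses single quotes. The function names are hypothetical; the nick, hash, gpg options and key ID are the ones used in the post.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# True only for an md5-crypt string: $1$<salt, 1-8 chars>$<22-char digest>.
is_md5crypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'
}

# Print the "<nick> <hash>" line, or fail with a reason on stderr.
request_line() {
    nick=$1
    hash=$2
    case $nick in
        '' | *[[:space:]]*) echo "bad nick: '$nick'" >&2; return 1 ;;
    esac
    if ! is_md5crypt "$hash"; then
        echo "not an md5-crypt hash: '$hash'" >&2
        return 1
    fi
    printf '%s %s\n' "$nick" "$hash"
}

# What the shell leaves of the post's sample hash inside double quotes:
# $1, $9 and $6 are read as (empty) positional parameters and vanish.
double_quoted_hash() {
    printf '%s\n' "$1$9tULXlDd$6tMxOMPELST288GB2EaYV/"
}

# Sign, encrypt and armor the checked line with the gpg options from the post.
seal_request() {
    line=$(request_line "$1" "$2") || return 1
    printf '%s\n' "$line" | gpg --gnupg -sea -r 035D6B1D
}

# Demo on the post's sample values; gpg is not invoked here.
request_line atoponce '$1$9tULXlDd$6tMxOMPELST288GB2EaYV/'
request_line atoponce "$(double_quoted_hash)" || echo "rejected before signing"
```

To produce the armored block, call seal_request with your own nick and the hash printed by mkpasswd, keeping the hash in single quotes.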
It’s crucial that you don’t forget the pass that created your hash, as this is your entry ticket to the new hidden server. Also, I would not recommend that this password be the same as your NickServ pass. This pass is absorbed upon connection, so it won’t reach services anyway.
There you go. You should be able to connect to the new hidden server, even when Freenode is blocking Tor connections due to abuse.