fingerprinting people on IRC with no privileges
TL;DR If you want to join an IRC server anonymously, your best bet is to use something like a Tails VM. Conventional IRC clients make it possible to correlate seemingly isolated connections to different servers.
Let me clarify the threat model. Let's say I'm "dzwdz" on one server, and "notdzwdz" on another. I'm using a single client for both, but "notdzwdz" is proxied through Tor, has distinct default nicknames/quit messages/etc, all the obvious privacy leaks are taken care of. I don't want anyone to be able to tell that I'm behind both those identities.
Basically - IRC supports this thing called CTCP. It's usually used for `/me`, but there are two other interesting messages:
- VERSION is mandatory, and it responds with information about the client you're using -- e.g. "WeeChat 3.8 (Jan 8 2023 15:18:31)". By itself, that isn't a huge leak of information - it just depends on the distro you're using.
- TIME isn't mandatory, but clients "SHOULD" implement it -- and they do. It returns your local time in an "unspecified human-readable format", so it depends on (and leaks) your locale, your timezone, and possibly your clock skew if it's large enough.
They're not immediately critical, but as the responses are the same for all connections, they allow easy correlation of people between servers. So far I've only tested this on ergo -- not only did I not need any privileges to send those commands, I was even able to send them to a public channel -- and quickly gather back responses from everyone there. If I suspected anyone in that channel was also on some other server under another identity, I could go to that server, join the suspected channel, run the same commands, and compare. Yes, this isn't a big information leak -- but for fingerprinting purposes even small leaks are very useful.
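To make the two halves of this concrete, here is an added example (not part of the original post, and not ergo's or WeeChat's code): a small parser for CTCP requests in raw IRC lines, a detection helper that flags VERSION/TIME requests aimed at a whole channel rather than a single nick, and a client-side reply policy that answers identically on every connection. The sample traffic is constructed.

```python
# Added example: spotting channel-wide CTCP probes and replying without
# leaking locale/timezone/build info. Sample lines below are constructed.
import re
from typing import Optional

CTCP_DELIM = "\x01"
CHANNEL_PREFIXES = ("#", "&", "+", "!")
# Loose parse of an IRC line: optional prefix, command, one target, trailing text.
IRC_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+) (?P<target>\S+) :(?P<text>.*)$")

def parse_ctcp(line: str) -> Optional[dict]:
    """Return {sender, target, ctcp, args} for a CTCP request, else None."""
    m = IRC_RE.match(line)
    if not m or m["cmd"] != "PRIVMSG" or not m["text"].startswith(CTCP_DELIM):
        return None
    body = m["text"][1:].rstrip(CTCP_DELIM).split(" ", 1)  # trailing \x01 is optional
    sender = (m["prefix"] or "").split("!", 1)[0]
    return {"sender": sender, "target": m["target"],
            "ctcp": body[0].upper(), "args": body[1] if len(body) > 1 else ""}

def channel_probes(lines):
    """Detection (server/bouncer side): VERSION or TIME requests addressed to a
    channel, i.e. one request that fingerprints everyone present at once."""
    hits = []
    for line in lines:
        req = parse_ctcp(line)
        if req and req["ctcp"] in ("VERSION", "TIME") \
                and req["target"].startswith(CHANNEL_PREFIXES):
            hits.append((req["sender"], req["target"], req["ctcp"]))
    return hits

def reply_policy(ctcp: str) -> Optional[str]:
    """Mitigation (client side): TIME is never answered, VERSION gets a fixed
    string with no build date or distro, everything else gets no reply."""
    if ctcp == "VERSION":
        return "VERSION IRC client"   # identical on every connection
    return None                       # TIME, USERINFO, ...: stay silent

SAMPLE = [  # constructed: one per-nick request, one channel-wide probe, noise
    ":alice!a@host PRIVMSG bob :\x01VERSION\x01",
    ":mallory!m@host PRIVMSG #chat :\x01TIME\x01",
    ":mallory!m@host PRIVMSG #chat :\x01VERSION\x01",
    ":bob!b@host PRIVMSG #chat :\x01ACTION waves\x01",
    ":carol!c@host PRIVMSG #chat :hello there",
]

if __name__ == "__main__":
    for hit in channel_probes(SAMPLE):
        print("channel-wide CTCP probe:", hit)
```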
This is mostly a PSA, I guess. I'll also send this to the admins of tilde.chat to ask if I could experiment there, and to estimate just how bad this is. Also sorry for the shit writing but it's almost 1AM here. Cya~