summaryrefslogtreecommitdiff
path: root/README
blob: ba9b4c9a205f4b0e4440ea8c5b45fa336392b9f9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91


                                FiSHLiM

                       http://fishlim.kodafritt.se/


FiSHLiM is a HexChat plugin for FiSH IRC encryption. It's my attempt at making
a simple and lightweight plugin for this encryption protocol.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! WARNING: FiSH encryption is not secure. See the security section below. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

NOTE: A modified version of FiSHLiM is now bundled with HexChat. If you
use HexChat you should generally not install this plugin (and if you do
you need to remove the bundled version of FiSHLiM).

For installation instructions, see the INSTALL file.


Features
--------

Working:
  * Sending/receiving messages
  * Topic decryption
  * Using unecrypted keys / keys without a password from blow.ini
  * Pure protocol-level filtering (works with highlighting, nick coloring etc)
  * Partially encrypted messages (i.e. prefixed with nickname by a bouncer)
  * CBC mode

Not working:
  * Key exchange
  * Password-protected key storage
  * Topic encryption
  * Remote exploitation (hopefully!)
  * Plaintext content that contain +OK is decrypted twice
  * Very long messages (more than ~200 characters)
  * encryption of /me messages
  * Message authentication


Commands
--------

/setkey  [nick or #channel]  [mode:]password

    Sets the encryption key for the nick or channel to password. The keys
    are stored in the configuration file in ~/.config/hexchat/blow.ini

    Optionally, the block cipher mode for outgoing messages may be specified.
    If unspecified it will be ECB for backwards compatibility, but for
    greater security, please use CBC mode if possible.

    For incoming messages, the block cipher mode is auto-detected, regardless
    of which mode was configured with this command.


/ciphermode  [nick or #channel] mode

    Sets the cipher mode to ECB or CBC. See /setkey.


/copykey  from [to]

    Copies the key from the given channel or nick. If no "to" nick or channel
    is given, then it copies to the one which is currently open.

    This command can be used to use an existing channel key when chatting
    with a single user. To do so, open a dialog with the user and type
    /copykey #nameofchannel


/delkey  nick-or-#channel

    Deletes the given nick or channel from the configuration file.


Security warning
----------------
FiSH encrypts your messages in ECB mode (in other words, in independent
blocks). If the same block appears two times it will be encrypted the
same way both times.

So, never give untrusted people unencrypted chat logs if they also have
the encrypted version! Then they can decrypt the messages if they appear
again. Also, it's possible to make statistical attacks or replay
attacks. The CBC mode is somewhat better, but does not use a HMAC and no
timestamp/nonce, so it is still not secure against message manipulation
or replay attacks.