Adding OTR to your ZNC server
While BitlBee has our XMPP and chat networks covered with OTR, our IRC networks are
OTR-less at the moment. If you don't plan on using OTR, then you can still use the BBB as
your IRC gateway and enjoy a consolidated IRC platform. Since OTR has to be initiated by
one of the communicating parties, this chat configuration will interoperate with any IRC
system. But if you want OTR over your other IRC channels, there are two ways to get it.
First, you can use OTR from your IRC client. This will provide an end-to-end OTR session
from your client to your communicating party, assuming they are using OTR from their
client. However, most, but not all, clients have an OTR plugin. The other
approach, the one that will be presented here, is to use OTR inside ZNC.
There are pros and cons to this approach. The benefit is that for all of your chat networks,
regardless of your client, you will have the same OTR key. Therefore, once your buddies
authenticate you and trust your key, they can keep that trust even when you switch to a
different IRC network. Also, you will no longer need to run an OTR plugin on your client.
However, the OTR session is terminated at ZNC, so the traffic between your client and ZNC
is not protected by OTR. Therefore, it is extremely important to have a secure connection
from your client to ZNC. At minimum, you should turn on the SSL option as previously
mentioned. With that self-signed certificate, though, you are susceptible to a MITM attack,
so it may be worth your time to generate a certificate authority and issue a certificate to
your ZNC server. The reason you are at risk is that anyone can generate a self-signed
certificate as easily as ZNC does, and nothing in the certificate itself tells your client
which one is genuine. At minimum, you should take note of the public key generated in the
self-signed certificate and only trust the SSL connection if your ZNC server presents that
known key. This technique is known as certificate pinning. As
previously mentioned, generating PKIs is a nuanced task, so I'll leave this as a (moderately
difficult) exercise for the reader.
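As an added example that is not part of the original chapter, the following script shows the key check described above using the openssl command-line tool: it records the SHA-256 digest of a certificate's public key and later accepts only a certificate carrying that key. The function names and the name znc.example are hypothetical, and the two certificates are generated on the spot as constructed stand-ins for the one ZNC creates.

```sh
#!/bin/sh
# Added example (not from the original text). Function names are hypothetical;
# znc.example and the generated certificates are constructed test material.

# Read a PEM certificate on stdin; print base64(SHA-256(public key in DER)).
# Fails instead of hashing empty input when stdin is not a certificate.
spki_pin() {
    pub=$(openssl x509 -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary | openssl base64
}

# Pin of the certificate a live TLS server presents ($1 = host:port).
server_pin() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | spki_pin
}

# Succeed only if the PEM certificate file $1 carries the pinned key $2.
check_pin() {
    got=$(spki_pin <"$1") && [ "$got" = "$2" ]
}

# Throwaway self-signed certificate standing in for the one ZNC generates.
# Writes $1.key and $1.pem.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=znc.example" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Two self-signed certificates with the same name but different keys:
# only the one whose key was recorded passes the pin check.
demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d/server" && make_cert "$d/impostor" || return 1
    pin=$(spki_pin <"$d/server.pem") || return 1
    echo "recorded pin: $pin"
    check_pin "$d/server.pem" "$pin" && echo "server.pem: matches pin"
    check_pin "$d/impostor.pem" "$pin" || echo "impostor.pem: rejected"
    rm -rf "$d"
}
demo
```

To pin a real server, run server_pin once against your own ZNC listener over a network you trust, record the value, and compare it with what the server presents on later connections.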
Another option, if you don't want to deal with SSL, is to ssh into your BBB and
run an IRC client on localhost. This will still provide confidentiality for your messages
between your computer and the server (the BBB), but it will restrict the IRC clients
available to you since the IRC client would be running on the BBB. For the rest of this chapter,
we will continue with the SSL approach.
The ZNC OTR module is fairly new, so it must be built from source. It also depends on a
version of OTR that is not available in Debian wheezy, but it is available as a backport.
Edit your apt-sources file to add the backport repository:
sudo nano /etc/apt/sources.list