i was wondering if we can harden hexchat even more, though im not sure if im correct upon this.
- Disable Time Stamps so by this time will not fetch through irc
- Disable Tracking users as it may send user traffic or requests to them in order to discover their status (but not sure about this)
- This is something different from hexchat default and i wonder why its enabled by default to log chat + the time stamps of the chat ?? this should be optional to the user and also its disabled by default installation of hexchat.
- its better to use user time from whonix since its connected to tor + its UTC. otherwise there might a possibility that the server is not using UTC time which causing time differentiation between user and server leading to deanonymization time attack (but not sure about this method).
In the meanwhile, the HexChat wiki page could use a hardening section to address these issues + adopt relevant steps from tempest’s guide as well (chapter 4.4)
On the TODO list…
It’s a local feature not fetching from server.
It’s a local feature using information it already has from server anyhow.
Whonix is not anti local logging by default. There are too many logs so I am not accepting bug reports to partially disable logging for some components. That would result in an inconsistent experience and should not be relied upon. If you want log free, use Whonix Live mode and/or disposable VMs.
Use server time if supported: That also only influences local logs. The server keeps sending the time to irc clients with each incoming message anyhow. Nothing gets requested from the server. See irc protocol.
Using utc or server time is more of a personal preference.
No changes needed.