Though every connection is encrypted, it is up to the user to ensure she isn't intercepted by a Man-In-The-Middle or leaks private conversation data by other means. You have to trust your conversation partner to set up everything correctly as well. This is also true for conversations with many partners. We just try to provide communication infrastructure that makes secure communication possible in all conscience and knowledge. We can't be held liable for any harm that results in using or misusing this service. Use OTR! Use end-to-end encryption wherever possible!
Please verify the certificate fingerprints!
This can be done automatically by some IRC client (e. g. irssi1) has DANE support)
They can also be verified manually: (IMPORTANT: The first step is only necessary if your local resolver isn't DNSSEC aware. If your traffic is already being intercepted, the retrieval of the root.keys file can/will also be manipulated.)
% dig . DNSKEY | grep -Ev '^($|;)' > root.keys % dig +short +noall +sigchase +trusted-key=./root.keys -tTLSA _6697._tcp.irc.darkfasel.net.
To protect our users' privacy, host names are hidden by default. To reveal your real host name, unset usermode x:
/mode yournick -x
The hidden hostname is either users.darkfasel.net or, if a client certificate is supplied, the fingerprint of this certificate.
The cloaking algorithm produces a salted sha512 hash2).
Our servers run on dedicated hardware. Connections between the servers are additionally secured with VPN tunnels using salsa2012+umac+ec25519-fhmqvc based on fastd or curve25519xsalsa20poly1305 with quicktun.