Also called CGI:IRC. This specification, written by an unknown person (if you know, tweet to @Mibbit or @Havvy), details how to make a client's IRC connection be a transparent proxy to the server. It requires trust encoded as a shared password. Everything after this paragraph is the original specification.
What it is
IRC is a client to server protocol. Multiple clients connect to one server, called the IRC Server, and the server handles communications between the clients. Each client announces who it is through its hostmask. When a user connects through a client that connects directly to the server, the hostmask shows their nick and their IP, though the IP is usually obfuscated before sending to other users (default mode +x). When a user connects through an indirect method, such as through Mibbit.com, the indirect client sends its own IP instead of sending the normal user unless WebIRC is implemented by both the client and the server. For IRC, IPs are extremely useful for making sure users do not disbehave. Without WebIRC implemented, the users of the indirect client will be banned more often for the actions of others or might not be allowed to join the server because too many users of that IP are connected at once.
Before the client sends the PASS, USER or NICK commands it should send:
WEBIRC password user hostname ip
Where each of the tokens in the above is replaced with the following:
- password: Password that authenticates the WEBIRC command from this client.
- user: User or client requesting spoof (cgiirc defaults to cgiirc).
- hostname: Hostname of user.
- ip: IP address either in IPv4 dotted quad notation (e.g. 192.0.0.2) or IPv6 notation (e.g. 1234:5678:9abc::def). IPv4-in-IPv6 addresses (e.g. ::ffff:192.0.0.2) should not be sent.
The password should be agreed previously with the IRC server that the client is connecting to. Normally this will be defined in the configuration file.
- Perform any proxy resolution (TrustedProxies in CGI:IRC)
- Check the reverse DNS and forward DNS match
- Check the IP against suitable access controls (ipaccess, dnsbl in CGI:IRC)
- Check the connecting host and password
- Set the host and IP address to the given address
- Enforce bans (server-wide and channel) against the addresses given in the WEBIRC command
The server should limit the hosts from which a WEBIRC command is accepted from. Anyone with a valid password and host to connect from can spoof any hostname they desire, this is mostly by design. (It would be possible for the IRCD to check that the IP matches the hostname to stop spoofing of any host.) It is therefore possible to use this to bypass most kinds of ban. It is recommended the IRCD provides a method to find the original host and shows that WEBIRC is in use (to IRC operators at least) in order to provide a way to deal with abuse.