25 Years of Programming
An open source source for C, C++, OWL, BASIC, MDB, XLS, DOT, and more...

How to use IRC chat for a website chat room

Articles in this series:

  1. Introduction to Internet Relay Chat (IRC)
  2. How to configure ChatZilla preferences
  3. Using IRC for a website chat room

Best chat script for your website?

Many webmasters want to provide a live chat feature on their websites. A common question in forums is, "Which chat script should I use?" Based on the research I did, the answer is None.

What do the "chat scripts" do?

There are two parts to chat, a server and a client.

Chat servers

A "chat server" program (script), also known as a "daemon", runs on your website server. It receives input from each chat participant and relays it to all the other participants in real time. The chat scripts offered through cPanel and elsewhere for your website are simple chat server programs. On a shared server, they are installed at the system level (above your webspace), not inside your site.

Chat clients

In normal IRC chat, each participant uses a "chat client" program. The client sends a participant's input to the chat server. It also receives and displays the messages relayed through the chat server from the other participants.

However, most website visitors aren't initially there to chat, so they are using a web browser instead of a chat client.

Thus, most small-site chat server scripts interact with the participants on web pages (simulating a chat client) or by installing and activating an object such as a Java applet that acts as a chat client.

Security problems

Security problems arise because a chat server script accepts input from a user (who might be malicious), constructs a web page containing what the user typed, and then sends that web page to all the other users.

A malicious user, instead of typing ordinary text, might type programming code. If the chat server program copies that code verbatim onto the web pages it sends out, those pages are open to a cross-site scripting (XSS) attack: the code runs in the browsers of the other users, and the malicious user might then be able to steal a user's cookie data and log into the website as that user. If that user is an admin, the attacker obtains administrative access. Thus, a chat server program must carefully prevent program code from being passed through to web pages. This is called "cleaning" or "filtering". If it fails to do this, it is insecure.

A malicious user, instead of typing ordinary text, might send to the chat server a gigantic text block much larger than the server was intended to handle. If the server is not designed to guard against it, this can have the effect of "overrunning" the allotted text buffer and injecting malicious code into memory locations on the server computer where valid code or data used to be. If that malicious code gets executed, it can corrupt, crash, or crack the security of the server. This is a buffer overrun vulnerability.

All the server scripts installable through cPanel are vulnerable, and none of the others I looked at pass all tests. In the list below, each link goes to that program's advisory report at Secunia.com so you can read what its problems are:

This website's current host says they have disabled all the cPanel ones because in their opinion they compromise server security. 

I looked at the remaining two non-cPanel ones based on positive user comments in forums, but decided that they, too, are unusable.

If you do use one of the above scripts for the occasional interaction with a customer or potential customer, your luck might hold out for a long time. But if a competent hacker sees that you are using one of the vulnerable scripts and poses as a customer to lure you into a conversation so they can execute an exploit, they can succeed. In cases where a site is compromised and no obvious avenue of attack can be determined, this obscure avenue could be a suspect.

That seemed to leave me with no common, popular, free chat server script fit for use. If you know of one, then I and no doubt many other people would like to know about it.

Alternative chat scripts not offered through cPanel

Following is a list of potential candidates that I will add to as I run across them. These are free chat scripts supposedly usable on shared hosting, with no unpatched vulnerabilities listed at Secunia.com, as of the date shown. I have not tried them:

Dedicated hosting... try major chat daemons

Most webmasters, including myself, want a free chat server that can be used on shared hosting, so I didn't take my search any further. If you have your own webserver or dedicated hosting, you have more options because there are numerous chat daemons listed at Wikipedia that might be worth a try.

Alternatives to a chat script installed on your server

Because all plaintext communication can be intercepted as it travels across the internet, these all share that insecurity. In other respects, they differ.

  1. Personal messages in your website forum
    Communications are handled only on your website's server.
  2. Instant messaging
    Communications pass through an IM network of unknown repute.
  3. IRC chat
    Communications pass through one or more IRC servers of unknown repute. Eavesdropping by network operators is certainly possible, but yours is one of thousands of channels.

I decided to try IRC for website chat, or at least learn enough to know how to do it. Here is what I found...

How to create an IRC chat room for your website

Preparation

  1. Choose a network to use (see network list in a previous article)
  2. Choose a name for your channel, for example, #yourdomain.com
  3. Create on a web page an IRC hyperlink for your users to follow. It specifies the network you chose and the name of your channel: irc://network/%23yourdomain.com
  4. On the web page, instruct users to go to the link using an IRC client or to click on the link while using Firefox with ChatZilla installed.

Creating the channel

A small IRC channel is usually dynamic, not permanent. It is created when the first person /joins it and destroyed when the last person /leaves it, so...

When you open your channel for use, make sure you are the first to arrive. This makes you the channel operator ("op"). Then enter these commands:

  • /mode +stn
    +s makes the channel secret. Users must know the channel name to join it. Your users will know it because they are clicking on a link. +t means only you (the channel operator) can change the topic. +n prevents outsiders from sending messages in to the people on your channel.
  • /topic Live chat for [your domain name]
    Sets the channel topic to orient your users when they arrive.
  • /mode YourNickname +i
    Makes you mostly invisible on the network.

IRC chat isn't secure

IRC chat is not secure in the sense of being free from the risk of eavesdroppers, but no method is, unless it's encrypted.

What seems to me to make IRC a good choice is that:

  • It interacts with standard IRC client programs. Good client programs with no unpatched vulnerabilities do exist.
  • It really is IRC chat. It doesn't simulate it with web pages, so it doesn't create faulty, vulnerable, hackable web pages.
  • The IRC server daemons used by the big networks are old, stable, tested programs.
  • IRC chat doesn't take place on my website, so my browser cannot be tricked into divulging my website's cookie. 

For these reasons, IRC chat doesn't put my website's server at risk, so it avoids the dangers posed by the small free chat scripts.

Help

The best help reference for almost every aspect of IRC chat, including tutorials and command references, is http://irchelp.org/.


Copyright ©2008 Steven Whitney. Last modified 04/09/2008.