Secure Instant Messaging with OTR

How to use OTR to encrypt your instant messages.

Introduction to OTR

Off-the-Record Messaging (OTR) adds end-to-end encryption to chat messages. It provides the following properties:

  • Encryption: All the encryption takes place on your devices. This protects your conversation from being read by others, even over insecure networks and untrusted chat providers.
  • Authentication: You know if the person is who they say they are.
  • Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages she sees are authentic and unmodified.
  • Perfect forward secrecy: If you lose control of your private keys, no previous conversation is compromised.

Installing OTR

In this tutorial, we will be using OTR with Pidgin. Pidgin has the most mature implementation of OTR, and runs on Windows, Linux, and Mac.

Linux

  1. Press Alt+F2 and run:
    gnome-terminal
  2. Copy the following line into the new terminal window and hit Enter:
    sudo apt-get install pidgin-otr
  3. To run Pidgin, press Alt+F2 and type:
    pidgin

Windows

Visit pidgin.im/download

Mac

Pidgin can be run on the Mac, but it is much easier to run Adium instead. Adium is a native port of Pidgin to Mac OS. Download Adium.

Adding an Account to Pidgin

Check out our Pidgin tutorial for instructions on adding your riseup.net account to Pidgin.

Setting up OTR

Now, with both Pidgin and OTR installed:

  • Select Tools > Plugins from the main window
  • Enable the Off-the-Record Messaging plugin and click the Configure button
  • Select your riseup.net account from the list and click Generate
  • IMPORTANT NOTE!: Under “Default OTR Settings” select both Require private messaging and Don’t log OTR conversations. This guarantees that you only have encrypted conversations and that you aren’t logging your past conversations. Remember that it is always possible for the person you are talking with to log the conversation, so it is a good idea to ask whether that person logs OTR conversations.

Adding Buddies to your Contacts

  • To add a Buddy, from the main Pidgin window select Buddies > Add Buddy.
  • Make sure to select your account and to spell your buddy’s username correctly when filling it in. You have the option of creating groups to categorize your buddies.
  • Click Add.
  • Once your buddies have been added and are available to chat, they will appear in the main Pidgin window. To start chatting, double-click on a buddy’s username in the list.

Authenticate Buddies

  • Click Start private conversation and follow the instructions to authenticate each other before starting a private conversation. The easiest method to authenticate someone is the Question and Answer method, in which you ask the other person a question that only they could answer. This is an important security step to verify that you are talking to who you think you are talking to. Examples of acceptable questions:

     Q: What did you and I talk about at Jad's last night in the front room? (lower case, one word)
     A: welding
     * Only the two of you were involved in that past conversation, so this is a secure question.

     Q: What poster is on the wall of my bedroom? (lower case, two words)
     A: beehive collective
     * This is a secure question assuming you trust the people who have been in your bedroom.

Questions like “What is my hair color?” or “What’s my dog’s name?” are insecure because almost anyone could easily discover the answers to those questions.
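Under the hood, Pidgin's Question and Answer method runs the Socialist Millionaire Protocol (SMP): each side hashes the typed answer into a group element and the exchange tells both parties only whether the two values are equal, without transmitting the answer. The following is an added example (not code from riseup or the OTR project) of the core SMP exchange with the zero-knowledge proofs left out and a small constructed 64-bit group in place of OTR's 1536-bit one; it also shows why the tutorial pins down case and word count, since "welding" and "Welding" hash to different secrets.

```python
import hashlib
import secrets

def is_prime(n: int) -> bool:
    # Miller-Rabin with the first 12 primes as bases: deterministic for n < 3.3e24.
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 41:
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int) -> tuple:
    # Smallest safe prime p = 2q + 1 with q of `bits` bits (toy group constructed here;
    # real OTR uses the fixed 1536-bit MODP group).
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(64)
G = 4  # a quadratic residue mod p, so it generates the order-q subgroup

def answer_to_secret(answer: str) -> int:
    # The typed answer is hashed into the group; the comparison is exact.
    return int.from_bytes(hashlib.sha256(answer.encode()).digest(), "big") % Q

def rand() -> int:
    return secrets.randbelow(Q - 2) + 2

def smp_match(x: int, y: int) -> bool:
    # Core SMP exchange without the zero-knowledge proofs: Alice holds x, Bob holds y.
    a2, a3, b2, b3 = rand(), rand(), rand(), rand()
    g2 = pow(pow(G, a2, P), b2, P)              # shared, from exchanged g^a2, g^b2
    g3 = pow(pow(G, a3, P), b3, P)              # shared, from exchanged g^a3, g^b3
    r, s = rand(), rand()
    Pb, Qb = pow(g3, r, P), pow(G, r, P) * pow(g2, y, P) % P   # Bob -> Alice
    Pa, Qa = pow(g3, s, P), pow(G, s, P) * pow(g2, x, P) % P   # Alice -> Bob
    quot = Qa * pow(Qb, -1, P) % P              # = g^(s-r) * g2^(x-y)
    Ra, Rb = pow(quot, a3, P), pow(quot, b3, P)  # exchanged in both directions
    target = Pa * pow(Pb, -1, P) % P            # = g3^(s-r)
    return pow(Ra, b3, P) == target and pow(Rb, a3, P) == target  # holds only if x == y

def authenticate(alice_answer: str, bob_answer: str) -> bool:
    return smp_match(answer_to_secret(alice_answer), answer_to_secret(bob_answer))
```

A mismatch leaves each side with a random-looking group element rather than the other's answer, which is what makes a low-entropy question dangerous: the only information leaked is equal or not, so an impostor who can guess the answer passes.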

Nice tutorial. I wonder if this is related to the idea of creating jabber rooms parallel (or something like that I understood) to crabgrass groups.

It would be nice, since even interesting things like editing of handouts, graphics and so on can be done through xmpp with clients like Coccinella or Inkscape.

Yeah, we have now a jabber service running. The next step is to integrate crabgrass groups. I picked openfire for the jabber server because I think it will be easier than the other jabber programs for customizing it to hook in with crabgrass groups.