OTR Encryption Tutorial | How to use Off The Record MessagingCategory: messaging
A 3 Minute Read
12 Jan 2014
Support The Tin Hat on Patreon! Just one dollar makes all the difference in helping me write more content!
We've learned how to encrypt our emails, but what about encrypting our instant messages. Many of us send more data through IM programs than through email, as it can be far more convenient for casual conversations and ongoing dialogue. Instant messaging, however, can be spied upon just as much as email, especially when we use services like Facebook Chat, which stores the entirety of our conversations forever. Fortunately for us security-inclined (read paranoid) individuals, there exists a piece of software that is, in some areas, better than PGP, and even more seamless.
Off The Record
Off The Record Messaging (OTR) is a cryptographic protocol that is designed quite ingeniously. The way that it works is a bit much for this post, but essentially every time two people chat with each other new encryption keys are created and destroyed. This is what makes Off The Record so powerful; even if someone held a gun to each of their heads, no matter what they wouldn't be able to decrypt the old messages because the keys were destroyed.
Another awesome property of OTR is plausible deniability: after the chat session is ended a certain key (called the HMAC) is made public, making it impossible to prove that the messages weren't forged by someone else. Of course, this all happens almost seamlessly. When you start a private session with OTR, you each click a button and just start talking, and everything that is said from there on in is encrypted. It's that simple. Hell, it can even be used with Facebook chat!
Installing Off The Record messaging, like most other things, depends on which platform you are on. If you are on a Mac, I'd suggest going to this website from the Pirate Party which has a comprehensive guide on setting up OTR using Adium (OS X software). If you are on Linux or Windows, go and download a chat client called Pidgin Messenger. Once installed, setting up Pidgin is easy. Just go to the top menu and click Accounts>Manage Accounts>Add. From here you can select what type of chat you want to use, whether it be AIM, Facebook, XMPP, Yahoo, etc. I recommend XMPP. To set up an XMPP account, just select the XMPP protocol, then type in a desired username and password. For the domain, check out this list of servers and select one that you like. Copy and paste the server name into the domain box of Pidgin, and check off the box saying "Create this new account on the server". This will make the account for you. It's that simple.
Next, install the Off The Record plugin for Pidgin, which is available on the Cypherpunks' website. If you are using a Debian based Linux distribution (which includes Ubuntu and Mint), you can just type into your terminal "sudo apt-get install pidgin-otr". This will install everything you need. After the plugin is installed, restart Pidgin and then go to the Tools menu, then Plugins, and check to make sure that the Off-The-Record Messaging plugin is installed and enabled.
You're pretty much set. The next thing you need to do is just evangelize encryption like a 10AM preacher to get your friends to install OTR as well. Once you get your friend using it, you can just open up a chat window and click the OTR menu button, and start the private conversation. When using OTR for the first time with someone it will take a few seconds to exchange the keys, and then will want you to ask them a question only they can answer to verify that it is actually them and not a dude from Wisconsin. This part can be a bit annoying, but you only have to do it once, and it will be set forever. Another 'best practice' for the paranoid is to compare fingerprints, which can be found in the OTR plugin settings page in Pidgin. Comparing eachother's fingerprint over a second channel (such as over a phone call) ensures that there isn't anybody in the middle intercepting the conversation.