Chapter 6: Instant Messaging
Instant messaging is a great way to start and maintain conversations with a source. It is very quick and easy to set up encrypted, ‘off-the-record’ (OTR) instant messengers (IM) – especially compared to setting up encrypted mail. Using an OTR IM, you can discuss necessary security protocols before you continue conversing, meeting, emailing, sharing documents/information, and so on. It is also a useful tool for talking to colleagues if you are collaborating remotely on a project.
Off-the-record instant messaging allows you to have private conversations that are not only encrypted, but that are not stored, and therefore ‘deniable’. That is to say, it is plausible that a chat purportedly including a chat account associated with you, is not actually you.
Expert info: Like encrypted emailing, OTR IM uses public keys that are used to verify a contact really is who they purport to be. However, every time you begin a new chat with a contact (who has been verified by their public key), the chat is encrypted using new, throwaway keys. Don’t worry – you don’t have to do or even see this yourself – this is under-the-bonnet encryption that the messenger client does it for you.
If you are using Linux or Windows, we recommend that you use an IM client called Pidgin, with an OTR plug-in.
If you are using Mac, we recommend an IM client called Adium.
Users of Pidgin and Adium can communicate easily with one another. However, in the current versions, the verification methods for the two messenger clients are different. See ‘Verifying contacts’.
- Download Adium
Download and install ‘Adium’ for Mac – http://adium.im/
- Create and configure an IM account
Once downloaded, open Adium and go to (at the top) ‘File’ > ’Add account’ > ’XMPP’.
- First, you may wish to configure Adium to only connect your IM account via Tor, thus shielding your real location – particularly useful if you want to use the account anonymously. Under the ‘Proxy’ tab, tick ‘Connect using proxy’ and choose ‘SOCKS5’ from the dropdown list. In the Server field type ‘127.0.0.1’ and in the Port field type ‘9150’. The username and password fields are optional, but if you use them Tor will use different circuits for this account in Adium than it will for everything else, increasing your anonymity. Note that you will now need to have the Tor browser open (see chapter 3) in the background when you wish to connect with this account.
- In the ‘Account’ tab choose an (anonymous) name and add a domain at the end of it for your Jabber ID (for example, @jabber.ccc.de is popular – see a full list of options here https://list.jabber.at). A full Jabber ID may be, for example, firstname.lastname@example.org. Under ‘password’, choose a strong password. Do not ‘register account’ yet.
- In ‘the Options’ tab tick ‘Require SSL/TLS’ and tick ‘Do strict certificate checks’. Under ‘Resource’, type ‘anonymous’.
- In the ‘Privacy’ tab and in the ‘encryption’ drop down menu click on ‘Force encryption and refuse plain text’ (last one on the list).
- Go back to the Account tab and click ‘register account’. A new window appears: in ‘server’, type the domain you previously selected (e.g. ‘jabber.ccc.de’ if you went for that) then click ‘Request new account’. In a moment, your account should be successfully created.
- Configure Adium
Go to Adium > Preferences > General > untick ‘Log messages’
- Download Pidgin and OTR plug-in
Pidgin and OTR are often included software in Linux distributions, so simply search in your Ubuntu (or other Linux distribution) Software Centre.
Download and install Pidgin at www.pidgin.im (Windows); if you’re on Ubuntu, you will be directed from that page to the Pidgin PPA package, so download that.
For Windows, then download the OTR plug in from https://otr.cypherpunks.ca. On Ubuntu, go to the Ubuntu Software Centre, search for Pidgin OTR, and install the ‘Pidgin Internet Messenger Off-the-record Plug-in’.
Open Pidgin. If this is the first time you are opening Pidgin, you will not have an account configured and will be prompted to ‘Add an account’. Click ‘Add’ (if you are not prompted, you can find this at Accounts > Manage Accounts > Add).
First, you may wish to configure Pidgin to only connect your IM account via Tor, thus shielding your real location – particularly useful if you want to use the account anonymously. Under the ‘Proxy’ tab, tick ‘Connect using proxy’ and choose ‘SOCKS5’ from the dropdown list. In the Server field type ‘127.0.0.1’ and in the Port field type ‘9150’. The username and password fields are optional, but if you use them Tor will use different circuits for this account in Pidgin than it will for everything else, increasing your anonymity. Note that you will now need to have the Tor browser open (see chapter 3) in the background when you wish to connect with this account.
In the ‘Basic’ tab, select XMPP/Jabber (NOT Facebook XMPP) under ‘Protocol’ and choose an (anonymous) username. Under domain, type your selected domain (for example, jabber.ccc.de) – see a full list of domain options here https://list.jabber.at. In the ‘Resource’ field, type ‘anonymous’. Make a strong password.
Click on the ‘Advanced’ tab and for ‘Connection security’, ensure ‘Require encryption’ is selected.
Click back on the ‘Basic’ tab and be sure to tick ‘Create this new account on the server’ (bottom of the window) before you click ‘Add’.
- Create an IM account
Your Jabber address should appear in an ‘Accounts’ window. Tick the ‘Enabled’ box and then click ‘register’ in the ‘Register New XMPP Account’ window that appears.
- Configure OTR
In Pidgin, go to Tools > Plug-ins > tick ‘Off-the-record messaging’. Then click ‘Configure plug-in’. Tick all the default OTR settings: Enable private messaging; Automatically initiate private messaging; Require private messaging, and Don’t log OTR conversations. Now click ‘generate’ to generate a key for your account.
Go to Tools > Preferences > Logging, and untick all logging options – you do not want to log chats.
Congratulations! You can now enjoy off-the-record, encrypted chat.
Add a contact
In Pidgin, go to Buddies > Add a buddy and type in their full address before clicking ‘Add’. When your contact is next online, they will receive an authorisation request from you.
To start a conversation with an online contact, double click on a buddy/contact in your list, and click OTR > ‘start private conversation’ in the chat window.
In Adium, go to Contact in the top toolbar > Add contact. Under ‘Contact type’, assuming your contact is also using Jabber, select XMPP/Jabber, enter their full address in ‘Jabber ID’, and click ‘Add’.
Authenticating/verifying a contact
Ideally, you will use fingerprint verification and if you know the person well enough, you will also ask a question of each other, that only the other person would know the answer to.
A question and answer
A good, personalised method
A shared secret
Has to be pre-arranged via a different communication method so this is less useful
Manual fingerprint verification.
A useful and strong method
The only method by which Adium and Pidgin users can authenticate one another
If you have not yet authenticated your contact, double click on their address to open a chat window with them (even if they appear to be offline – they will appear offline and ‘not authorised’ until you verify them). Click the lock icon and select ‘Initiate Encrypted OTR chat’. The lock should close. With the chat window still open, go to the top toolbar in Adium, click Contact > Encryption > Verify. You will then see your contact’s purported fingerprint.
You should ideally check one another’s fingerprints by a communication method other than IM (email, phone). If there is not a secure means by which to do this, a mutual friend/third party on IM can pass on a partly redacted version of your fingerprint to the contact (e.g. 0---A7-0 D—706-D 2—65--1 --3D-9C2 0-57B—1), and the contact’s fingerprint to you, for you both to check alongside the purported fingerprint shown. Redacting parts of your fingerprint may help prevent a ‘man-in-the-middle’ impersonation attack.
Finding your own fingerprint
Adium users can find their own fingerprint in Adium > Preferences > Advanced (horizontal tab) > Encryption (tab on the left hand side column).
Pidgin users can find their own fingerprint by opening a chat window with a contact, clicking the small buddy icon (right of ‘OTR’) > Re/Authenticate buddy > Manual fingerprint verification.
Please note: do not allow Adium or Pidgin to automatically remember your Jabber password, as it may not be saved securely. You should enter you Jabber password manually, each time you log in.