Chapter 6: Instant Messaging

Instant messaging is a great way to start and maintain conversations with a source. It is very quick and easy to set up encrypted, ‘off-the-record’ (OTR) instant messengers (IM) – especially compared to setting up encrypted mail. Using an OTR IM, you can discuss necessary security protocols before you continue conversing, meeting, emailing, sharing documents/information, and so on.  It is also a useful tool for talking to colleagues if you are collaborating remotely on a project.

Off-the-record instant messaging allows you to have private conversations that are not only encrypted but also ‘deniable’: the protocol authenticates messages in a way that leaves no lasting proof of who wrote them, so a chat log purportedly involving an account associated with you cannot be shown to be genuinely yours. Note that OTR itself does not stop either client from storing the conversation; that is why the instructions below switch logging off.

Expert info: Like encrypted email, OTR IM relies on a long-term public key for each contact; its fingerprint is what you check to confirm that a contact really is who they purport to be. Unlike encrypted email, though, the messages themselves are not encrypted to that long-term key: every time you begin a new chat with a (verified) contact, the two clients agree fresh, throwaway keys for that session and discard them afterwards, so a key seized later cannot unlock old chats. Don’t worry – you don’t have to do or even see any of this yourself – this is under-the-bonnet encryption that the messenger client handles for you.
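As an added illustration (not code from this guide, and not the Pidgin or Adium implementation), here is a toy model in Python of the key arrangement just described: fresh Diffie-Hellman keys for each session, one message protected with the session keys, and the MAC key published afterwards, which is what makes the transcript deniable. It uses only the standard library and the 1536-bit group from RFC 3526 that the OTR specification uses; as noted in the code, it omits the long-term-key signature on the exchange and substitutes a SHA-256 keystream for AES-CTR, so it is a model of the key schedule, not a usable messenger.

```python
"""Toy model of the OTR key schedule (added illustration, stdlib only; not the guide's
code and not a usable messenger). Real OTR additionally signs the Diffie-Hellman exchange
with each party's long-term key (the key whose fingerprint you verify) and uses AES-CTR;
the SHA-256 keystream and the single enc/MAC key pair below stand in for those."""
import hashlib
import hmac
import secrets

# 1536-bit MODP group from RFC 3526 (group 5), the group the OTR specification uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """A throwaway key for one session; OTR uses 320-bit exponents."""
    x = secrets.randbits(320) | (1 << 319)
    return x, pow(G, x, P)


def session_keys(my_priv, their_pub):
    """Both sides derive identical encryption and MAC keys from the DH shared secret.
    The derivation here (SHA-256 with a domain byte) is a simplification of OTR's."""
    secret = pow(their_pub, my_priv, P).to_bytes(192, "big")
    enc_key = hashlib.sha256(b"\x01" + secret).digest()
    mac_key = hashlib.sha256(b"\x02" + secret).digest()
    return enc_key, mac_key


def stream_xor(enc_key, counter, data):
    """Counter-mode keystream from SHA-256, standing in for AES-CTR. Same call decrypts."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(enc_key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)


def mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def run_session(plaintext=b"meet at the usual place at 9"):
    """One chat: fresh DH keys on both sides, one encrypted and MAC'd message, and, as OTR
    does once the keys are no longer needed, publication of the MAC key."""
    a_priv, a_pub = dh_keypair()          # Alice's throwaway key
    b_priv, b_pub = dh_keypair()          # Bob's throwaway key
    a_enc, a_mac = session_keys(a_priv, b_pub)
    b_enc, b_mac = session_keys(b_priv, a_pub)
    if (a_enc, a_mac) != (b_enc, b_mac):
        raise RuntimeError("key agreement failed")
    ct = stream_xor(a_enc, 1, plaintext)
    tag = mac(a_mac, ct)
    if not hmac.compare_digest(tag, mac(b_mac, ct)):     # Bob checks integrity...
        raise RuntimeError("MAC mismatch")
    recovered = stream_xor(b_enc, 1, ct)                  # ...and decrypts
    # The private exponents go out of scope here, so a later seizure of either computer
    # (or of the long-term key) cannot recover this session's keys: forward secrecy.
    return {"enc_key": a_enc, "recovered": recovered,
            "transcript": [(ct, tag)], "revealed_mac_key": a_mac}


def keys_differ_between_sessions(n=3):
    """The long-term fingerprint you verify stays the same; session keys never repeat."""
    return len({run_session()["enc_key"] for _ in range(n)}) == n


def forge_transcript_line(revealed_mac_key, ciphertext):
    """With the published MAC key anyone can mint a line that checks out, so a saved
    transcript is not proof of who typed it. That is OTR's deniability."""
    return ciphertext, mac(revealed_mac_key, ciphertext)


def transcript_is_consistent(mac_key, transcript):
    return all(hmac.compare_digest(tag, mac(mac_key, ct)) for ct, tag in transcript)
```

Call run_session() a few times and each returns a different enc_key, while the long-term fingerprint a contact verifies would not change between them; then feed the returned revealed_mac_key to forge_transcript_line() and the forged line passes transcript_is_consistent() just like the genuine one, which is exactly why a saved OTR log is not evidence of who said what.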

If you are using Linux or Windows, we recommend that you use an IM client called Pidgin, with an OTR plug-in.

If you are using Mac, we recommend an IM client called Adium.

Users of Pidgin and Adium can communicate easily with one another. However, in the current versions, the verification methods for the two messenger clients are different. See ‘Verifying contacts’.

Adium instructions for Mac

  1. Download Adium
    Download and install ‘Adium’ for Mac – http://adium.im/
  2. Create and configure an IM account
    Once downloaded, open Adium and go to (at the top) ‘File’ > ’Add account’ > ’XMPP’.
  • First, you may wish to configure Adium to only connect your IM account via Tor, thus shielding your real location – particularly useful if you want to use the account anonymously. Under the ‘Proxy’ tab, tick ‘Connect using proxy’ and choose ‘SOCKS5’ from the dropdown list. In the Server field type ‘127.0.0.1’ and in the Port field type ‘9150’ (this is Tor Browser’s SOCKS port; a separately installed Tor service listens on 9050 instead). The username and password fields are optional, but if you fill them in Tor will use different circuits for this account in Adium than it does for everything else, which increases your anonymity. Note that you will now need to have the Tor Browser open (see chapter 3) in the background whenever you wish to connect with this account, and that the chat server will then see only a Tor exit, never your real address.
  • In the ‘Account’ tab choose an (anonymous) name and add a domain at the end of it for your Jabber ID (for example, @jabber.ccc.de is popular – see a full list of options here https://list.jabber.at). A full Jabber ID may be, for example, kissinger@jabber.ccc.de. Under ‘password’, choose a strong password. Do not ‘register account’ yet.

  • In the ‘Options’ tab tick ‘Require SSL/TLS’ and tick ‘Do strict certificate checks’. Under ‘Resource’, type ‘anonymous’ (the resource is visible to your contacts, so a fixed, generic one gives nothing away about your device).

  • In the ‘Privacy’ tab, in the ‘encryption’ drop-down menu, click ‘Force encryption and refuse plain text’ (the last one on the list).

  • Go back to the Account tab and click ‘register account’. A new window appears: in ‘server’, type the domain you previously selected (e.g. ‘jabber.ccc.de’ if you went for that) then click ‘Request new account’. In a moment, your account should be successfully created.
  3. Configure Adium
    Go to Adium > Preferences > General > untick ‘Log messages’.

Pidgin instructions for Linux (Ubuntu)/Windows

  1. Download Pidgin and the OTR plug-in
    On Ubuntu (or another Linux distribution) both are usually already packaged: open the Software Centre, install Pidgin, then search for ‘Pidgin OTR’ and install the ‘Pidgin Internet Messenger Off-the-record Plug-in’. If you download from www.pidgin.im instead, that page directs Ubuntu users to the Pidgin PPA package.
    On Windows, download and install Pidgin from www.pidgin.im, then download and install the OTR plug-in from https://otr.cypherpunks.ca. Use those two sites only, not third-party download portals.
  2. Configure Pidgin
    Open Pidgin. If this is the first time you are opening Pidgin, you will not have an account configured and will be prompted to ‘Add an account’. Click ‘Add’ (if you are not prompted, you can find this at Accounts > Manage Accounts > Add).
  • First, you may wish to configure Pidgin to only connect your IM account via Tor, thus shielding your real location – particularly useful if you want to use the account anonymously. Under the ‘Proxy’ tab, set ‘Proxy type’ to ‘Tor/Privacy (SOCKS5)’ if your version offers it (it also resolves the server’s hostname through Tor rather than through your local DNS); otherwise choose ‘SOCKS5’. In the Host field type ‘127.0.0.1’ and in the Port field type ‘9150’ (Tor Browser’s SOCKS port; a separately installed Tor service listens on 9050 instead). The username and password fields are optional, but if you fill them in Tor will use different circuits for this account in Pidgin than it does for everything else, which increases your anonymity. Note that you will now need to have the Tor Browser open (see chapter 3) in the background whenever you wish to connect with this account.
  • In the ‘Basic’ tab, select XMPP/Jabber (NOT Facebook XMPP) under ‘Protocol’ and choose an (anonymous) username. Under domain, type your selected domain (for example, jabber.ccc.de) – see a full list of domain options here https://list.jabber.at. In the ‘Resource’ field, type ‘anonymous’ (the resource is visible to your contacts, so keep it generic). Choose a strong password.
  • Click on the ‘Advanced’ tab and for ‘Connection security’, ensure ‘Require encryption’ is selected.
  • Click back on the ‘Basic’ tab and be sure to tick ‘Create this new account on the server’ (bottom of the window) before you click ‘Add’.
  3. Create an IM account
    Your Jabber address should appear in an ‘Accounts’ window. Tick the ‘Enabled’ box and then click ‘register’ in the ‘Register New XMPP Account’ window that appears.
  4. Configure OTR
    In Pidgin, go to Tools > Plug-ins > tick ‘Off-the-record messaging’. Then click ‘Configure plug-in’. Make sure the four default OTR settings are ticked: Enable private messaging; Automatically initiate private messaging; Require private messaging; and Don’t log OTR conversations. Now click ‘generate’ to generate a key for your account. This is your long-term key; the fingerprint shown for it is what your contacts will check, so note it down for ‘Verifying contacts’ below.
    Go to Tools > Preferences > Logging, and untick all logging options – you do not want to log chats.

Congratulations! You can now enjoy off-the-record, encrypted chat.

Getting started with OTR chat

Add a contact

Pidgin
In Pidgin, go to Buddies > Add a buddy and type in their full address before clicking ‘Add’. When your contact is next online, they will receive an authorisation request from you.

To start a conversation with an online contact, double click on a buddy/contact in your list, and click OTR > ‘start private conversation’ in the chat window.

Adium
In Adium, go to Contact in the top toolbar > Add contact. Under ‘Contact type’, assuming your contact is also using Jabber, select XMPP/Jabber, enter their full address in ‘Jabber ID’, and click ‘Add’.

Authenticating/verifying a contact
Ideally, you will verify the fingerprint and, if you know the person well enough, also ask each other a question to which only the other person would know the answer. Do the fingerprint comparison over a different channel from the chat itself (in person, or by phone or video call): a fingerprint read out inside the very chat you are trying to verify proves nothing, because anyone sitting between you could substitute their own key and its fingerprint. If the fingerprints do not match, do not continue the conversation.

Pidgin
If you have not yet authenticated your contact, double click on their address to open a chat window with them, go to OTR in the chat window and click ‘Authenticate buddy’. You can authenticate by one of three methods:
  • A question and answer
    A good, personalised method.
  • A shared secret
    Has to be pre-arranged via a different communication method, so this is less useful.
  • Manual fingerprint verification
    A useful and strong method, and the only method by which Adium and Pidgin users can authenticate one another.
In that window, select ‘Manual fingerprint verification’ as the method, and you will then see your contact’s purported fingerprint. Check the fingerprint – if it is ok, select ‘I have’ verified that this is in fact the correct finger
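As an added illustration (Python, standard library only; not the guide’s code and not Pidgin’s or Adium’s), this shows what the fingerprint dialogue is actually comparing and why the comparison has to happen over a separate channel. The public-key byte strings are constructed stand-ins, not real DSA keys; the fingerprint format is the one OTR uses (the SHA-1 of the serialised long-term public key, shown as 40 hex digits in five groups of eight), and the interception scenario is the plain man-in-the-middle case the out-of-band check exists to catch.

```python
"""Added illustration (not the guide's code): what 'manual fingerprint verification'
compares and why it must happen over a second channel. Stdlib only. OTR's fingerprint is
the SHA-1 of the serialised long-term public key, displayed as 40 hex digits in five
groups of eight; the key byte strings below are constructed stand-ins, not real DSA keys."""
import hashlib
import hmac

# Constructed stand-ins for serialised long-term public keys (real ones are DSA keys).
BOB_PUBKEY = b"stand-in for Bob's serialised public key"
MALLORY_PUBKEY = b"stand-in for an interceptor's serialised public key"


def otr_fingerprint(pubkey_bytes):
    """40 uppercase hex digits in 5 groups of 8, as Pidgin and Adium display them."""
    digest = hashlib.sha1(pubkey_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def normalise(fp):
    """Accept whatever your contact reads out: spaces, colons, lower case."""
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")


def fingerprints_match(displayed, read_out_by_contact):
    """Full 40-digit comparison; checking only the first group or two is not verification."""
    a, b = normalise(displayed), normalise(read_out_by_contact)
    return len(a) == 40 and hmac.compare_digest(a, b)


def fingerprint_alice_sees(intercepted):
    """What Alice's client shows under 'Bob'. If an interceptor terminated Bob's OTR
    session and opened a separate one to Alice, her client shows the interceptor's key,
    and nothing in the protocol tells it that this is not Bob."""
    return otr_fingerprint(MALLORY_PUBKEY if intercepted else BOB_PUBKEY)


def verify_over_phone(intercepted):
    """Bob reads his own fingerprint (from his client's 'my fingerprint' view) aloud over
    a second channel and Alice compares it with what her client displays. This step,
    not anything inside the chat, is what catches the interceptor."""
    bobs_own = otr_fingerprint(BOB_PUBKEY)
    return fingerprints_match(fingerprint_alice_sees(intercepted), bobs_own)
```

The normalise() step matters in practice: contacts read fingerprints out in lower case, with colons, or in odd groupings, and a comparison that fails on formatting alone teaches people to skip the check. The length test in fingerprints_match() is the other guard: a partial read-out, or matching only the first block, must be treated as no verification at all.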