How do you talk to someone over a common, instant message client (Gtalk, MSN) securely, with encryption

Contents

    How do you talk to someone over a common, instant message (IM) client (gtalk, MSN, ect..) securely, with encryption. This was my question when I went to the Practical intro to computer security at Vancouver Hackspace.

    Off the record (OTR) is a plugin for most IM clients that sets up a secure connection between two computers that you can use to ensure that no one else is listing in and that you are talking to the person you intend to. The problem is that there is no OTR plugin for my perfered IM client Digsby. Infact there are not a lot of clients that support the OTR plug-ins. The OTR people do provide a tool kit to devlope plug-ins for other clients but thats a lot of work.

    The ORT developers suggest Pidgin. A cross platform, multi protocol (MSN, GTalk, Jabber, ect..), opensource, Free, IM client that can run without being installed. I have looked at Pidgin before but i didn’t like it as it was too plain for me. This talk gave me the opportunity to look deeper in to this application and I found that its is has many plugins and themes for it that make it much more usable.

    Instructions 

    1. Download and install Pidgin 
    2. Download and install the OTR plugin
    3. Start Pidgin, from tools menu select "plugins"
    4. Select the Off The Record "OTR" plugin from the menu and click configure.
    5. Select a account on the Off the record configuration dialog and click the "Generate" button.
    6. Start a conversation with a friend that has the OTR plugin installed. You should see a new button called 
    7. Click this button and it will send your friend a message starting the secure communication.
      • If your friend does not have the OTR plugin installed they will see a message that looks like this "?OTR?v2? [email protected] requested an Off-the-Record private conversation <http://otr.cypherpunks.ca/</wbr>>.  However, you do not have a plugin to support that. See http://otr.cypherpunks.ca/</wbr>for more information."
      • If your friend does have the OTR plugin installed correctly they should see a message similar to this "(12:34:26 PM) The privacy status of the current conversation is now: Unverified, Conversation with __FRIENDS_NAME___ on 3/28/2012 12:34:26 PM: (12:34:26 PM) The privacy status of the current conversation is now: Unverified" What this means is that the communication between you two are now encrypted but you can't be sure that your friend is who they say they are.
    8. You can then verify your friends by click the unverified button and select "authenticate buddy" from the menu
    9. On this page you can ask your friend a question that only they would know.
    10. Once you have verified that your friend is who they say they are then the icon will change to
    Notes:
    • Most clients will allow for logging of the chat session, if you are using OTR this defeats the purpose of the system. You will never know if your friend is logging the conversation. This is a a possible attack/vulnerability
    • If you are talking over GTalk you may notice that the logs show random chars for your communication. This is good this is your encrypted conversation.
      me:  "?OTR:AAIDAQAAAAMAAAADAAAAwOP8n7lerGtKSO/sT5C5cC1uYPOaFsBxPgesW1aXmmldhO510p+k7eCw/PxWyersVzOc5iyul3xqeHkbZ9rlr8lP2CLYadi1rb2sw+JneD54tEgt/EFcT8CBZ4JcdyNeAI0TtsByn08g6EkeMPSMrln56Lb32Vl8aBdddioeiwqwDSDFsdfsekb6RqXvhNVsLMiogBPiyRk3UarwsJ3tUHdpWuIsW2yv0HmAb4QWxlVPaehNdWl9itVBveWawtQZaqd8eu2aalvi9/+JSeyawAAAAAAAAABAAAABSQVb9d9BNaZAKwdVsJQH3Wgcgeb7E3ozMoAAAAUkIlPXeG/HYLDXS1qC/h9epdhBpo=". Sent at 12:43 PM on Wednesday</wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr></wbr>

     External links