Encrypted IM

November 13th, 2011   Submitted by Ryan Taylor

Rather than getting into reasons why encrypting online communication is good practice, I’ll leave it at this: The technology is readily available and extremely easy to use.

In the past I’ve been told, and was convinced, that it is not possible to encrypt instant messaging (IM). Recently, however, I found out that it is possible and quite simple to implement. By no means am I a security expert, but I am always excited to share the learning experiences I gain from others I consider to be more knowledgeable than myself. If you have alternatives, relevant information, resources, or input on this topic, please share as well.

Jabber

First you’ll need an IM account. For the purpose of this guide I suggest creating a Jabber account, which is free at Jabbim.com. There’s a huge list of Jabber servers to choose from. Any Jabber server will do. You may be more comfortable creating an account in a country that is less likely to seize private information. It’s up to you. With Jabber, all that you need to do to get an account is create an ID and password for yourself.

Pidgin

Once the account is created, you’ll need an IM client. I’ve found that the most recommended IM client is Pidgin IM, which exists for every major operating system. It’s available in the Ubuntu Software Center. For Mac users, Adium IM is generally recommended. If you want to use a Windows computer that you don’t have administrator access to, there’s a portable version that can be used from a USB drive.

With the client installed, run the program and set up your IM account:

  • Protocol: XMPP (or “Jabber” if available)
  • Username: For the account that you created, not including
    @yourdomain
  • Resource: Use a descriptive term for this computer. Don’t use the
    same resource name on different computers.
  • Domain: Jabber server. Given at time of account creation
    (username@domain…)

Off-the-Record

To encrypt IM communications with Pidgin, an encryption plugin needs to be installed. The plugin is “Off the Record” (OTR). It’s also available from the Ubuntu Software Center. OTR comes pre-installed with Adium.

In Pidgin, after the plugin is installed:

  1. Find the plugins preferences under the “Tools” menu.
  2. Check the box to enable “Off the Record Messaging”.
  3. Before closing the plugins window, click “Configure Plugin” (with
    OTR selected). These settings are optional but you should definitely take a glance and set them to your preference.
  4. Click the “Generate” button to create an encryption key for
    yourself.

With everything set up, the last step is finding someone to talk with. When you find a friend, you can “Add a Buddy” to initiate a chat. When using OTR for the first time with someone new, both parties have to authenticate each other in one of various ways: question and answer, shared secret, or manual fingerprint verification. And, that’s it! Your conversations will be encrypted from that point forward. Digital fingerprints only need to be verified once per user.

There is a different plugin called “pidgin-encryption plugin” available from SourceForge, but there are several benefits to using OTR versus the pidgin-encryption plugin, as noted on the OTR FAQ. Most importantly, OTR boasts deniability (encrypted messages do not have digital signatures that can be checked by a third party) and perfect forward secrecy, which means that, if you lose control of your private keys, no previous conversation is compromised.
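As an added illustration of the two properties just named (this is not code from the post, from Pidgin or from libotr), the following Python toy runs a fresh Diffie-Hellman exchange for every session and authenticates each message with a MAC under the shared session key rather than with a signature. The group, the stream cipher and the key derivation are stand-ins I constructed for readability; OTR’s real parameters differ, and the long-term key’s actual role in OTR (authenticating the key exchange) is left out here.

```python
"""Toy model of the two OTR properties the post names: perfect forward
secrecy and deniability.  Added illustration, not code from the post or
from libotr: the group, cipher and MAC here are stand-ins, not OTR's."""
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group (2**127 - 1 is prime).  Real OTR uses
# a 1536-bit MODP group; this small one is only for illustration.
P = 2 ** 127 - 1
G = 2


class Party:
    """One chat participant: a long-term identity key plus per-session state."""

    def __init__(self, name):
        self.name = name
        # Stands in for the long-term key OTR uses to authenticate the key
        # exchange.  Note that it is never used to encrypt or tag messages.
        self.long_term_key = secrets.token_bytes(32)
        self.ephemeral_secret = None

    def new_share(self):
        """Start a session: pick a fresh ephemeral DH secret, publish g^x."""
        self.ephemeral_secret = secrets.randbelow(P - 3) + 2
        return pow(G, self.ephemeral_secret, P)

    def finish(self, peer_share):
        """Derive session keys from the peer's share, then forget the ephemeral."""
        shared = pow(peer_share, self.ephemeral_secret, P)
        seed = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        enc_key = hashlib.sha256(b"enc" + seed).digest()
        mac_key = hashlib.sha256(b"mac" + seed).digest()
        # Forward secrecy: once the session keys exist the ephemeral secret is
        # discarded, so nothing kept long-term (including long_term_key) can
        # recreate them after the conversation ends.
        self.ephemeral_secret = None
        return enc_key, mac_key


def keystream(enc_key, length):
    """Toy counter-mode keystream: SHA-256(key || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, mac_key, plaintext):
    """Encrypt, then tag with a MAC under a key both parties hold."""
    stream = keystream(enc_key, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    # A MAC, not a signature: either party could have produced this tag, so a
    # third party holding the transcript cannot prove who wrote the message.
    # That is the deniability property.
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def decrypt(enc_key, mac_key, ciphertext, tag):
    """Verify the tag in constant time, then strip the keystream."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message tag does not verify")
    stream = keystream(enc_key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def forged_tag(mac_key, ciphertext):
    """What the recipient can do with the shared MAC key: produce a valid tag
    for any ciphertext, which is why a transcript proves nothing about authorship."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def run_session(alice, bob, message):
    """One session: key exchange, one message from Alice, decryption by Bob."""
    a_share = alice.new_share()
    b_share = bob.new_share()
    a_enc, a_mac = alice.finish(b_share)
    b_enc, b_mac = bob.finish(a_share)
    assert a_enc == b_enc and a_mac == b_mac  # both sides agree on the keys
    ciphertext, tag = encrypt(a_enc, a_mac, message)
    recovered = decrypt(b_enc, b_mac, ciphertext, tag)
    return {"enc_key": a_enc, "mac_key": a_mac, "ciphertext": ciphertext,
            "tag": tag, "recovered": recovered}


if __name__ == "__main__":
    alice, bob = Party("alice"), Party("bob")
    first = run_session(alice, bob, b"meet at noon")
    second = run_session(alice, bob, b"meet at noon")
    print("same text, different session keys:", first["enc_key"] != second["enc_key"])
    print("ephemeral secrets discarded:", alice.ephemeral_secret is None)
    print("recipient can forge the tag:", forged_tag(first["mac_key"], first["ciphertext"]) == first["tag"])
```

Running it twice with the same message shows different session keys and ciphertexts each time, and that the recipient can recompute the exact tag the sender produced, which is the whole point of using a MAC instead of a signature.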

Tor

For extra anonymity, OTR can be used over the Tor network. To do this, you’ll have to be logged on to the Tor network and set the proxy settings in your IM client.

In the Pidgin account preferences, under the “Proxy” tab:

  • Proxy: Tor/Privacy (SOCKS5)
  • Host: 127.0.0.1
  • Port: 9050

Although the Tor settings appear to be accepted, the account still connects when you are not on the Tor network, so I’m not totally convinced that the proxy setting actually does what it is supposed to do. There’s also an actual Tor IM client, TorChat (Ubuntu Software Center).
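One way to check what that proxy setting is really doing, as an added example that is not code from the post, from Pidgin or from Tor: speak SOCKS5 to 127.0.0.1:9050 yourself. If nothing answers there, or it refuses to CONNECT, and the IM client still logs in, the client is plainly not using the proxy. The CONNECT request below uses the SOCKS5 domain-name address type so that the proxy (Tor) resolves the server name; a client that resolves the name locally first leaks the DNS lookup outside Tor. The server name jabbim.com and port 5222 are sample values assumed here.

```python
"""SOCKS5 checks for the Tor proxy setting described in the post.  Added
example, not Pidgin or Tor code.  Assumes Tor's SOCKS listener is on
127.0.0.1:9050 as in the post; the Jabber host used is only a sample."""
import socket

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting():
    """Client hello (RFC 1928): version 5, one offered method, no auth."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_greeting_reply(reply):
    """True only if the server is SOCKS5 and accepted the no-auth method."""
    return len(reply) == 2 and reply[0] == SOCKS_VERSION and reply[1] == NO_AUTH


def build_connect_request(hostname, port):
    """CONNECT with ATYP=0x03 (domain name).  The name goes to the proxy
    unresolved, so DNS happens inside Tor rather than on the local resolver;
    a client that resolves first and sends an IPv4 address leaks the lookup."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + port.to_bytes(2, "big")


def parse_connect_reply(reply):
    """Return (ok, description) for a CONNECT reply, for each bound-address type."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        return False, "not a SOCKS5 reply"
    atyp = reply[3]
    if atyp == ATYP_IPV4:
        need = 4 + 4 + 2
    elif atyp == ATYP_IPV6:
        need = 4 + 16 + 2
    elif atyp == ATYP_DOMAIN:
        need = 4 + 1 + reply[4] + 2 if len(reply) > 4 else None
    else:
        return False, "unknown address type"
    if need is None or len(reply) < need:
        return False, "truncated reply"
    code = reply[1]
    return code == 0x00, REPLY_TEXT.get(code, "unknown reply code 0x%02x" % code)


def check_tor_socks(proxy_host="127.0.0.1", proxy_port=9050,
                    target="jabbim.com", target_port=5222, timeout=10):
    """Live check: is something speaking SOCKS5 on the proxy port, and will it
    CONNECT to the XMPP server for us?  If this fails yet the IM client still
    logs in, the client is not actually routing through the proxy."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(build_greeting())
            if not parse_greeting_reply(s.recv(2)):
                return False, "port open but not a SOCKS5 no-auth proxy"
            s.sendall(build_connect_request(target, target_port))
            return parse_connect_reply(s.recv(262))  # 262 = largest possible reply
    except OSError as e:
        return False, "cannot reach proxy: %s" % e


if __name__ == "__main__":
    ok, why = check_tor_socks()
    print("Tor SOCKS5 CONNECT to jabbim.com:5222:", "ok" if ok else "failed", "-", why)
```

Run it with Tor stopped and then with Tor running: the first run should report that the proxy cannot be reached, the second that CONNECT succeeded. An IM client that logs in during the first state is ignoring its proxy configuration.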

21 Responses to “Encrypted IM”

  1. Seth King says:

    This is the sort of thing all self-respecting libertarians should take the time to set up. There is no excuse. Instead of whining about how the government is violating the constitution and spying on us illegally, and hoping that they can fix the government, they should learn to protect themselves, like they would against all other criminal organizations.

    • Ryan says:

      That’s very true. It’s shocking that encryption isn’t standard practice for email and instant messaging. To compare these communications with older technologies, sending email and IM unencrypted is like sending post cards as your main form of communication. It’s ridiculous to think about sending personal and business messages in a way that anyone and everyone can read its contents (without even opening an envelope) but for online communication it’s the standard way. The passwords on your email and IM account don’t mean jack shit. This is proven time and time again as we see email accounts hacked on a daily basis.
      The same is true for local file encryption. Encryption is just a password away. Consumers of information technology (which we all are) should demand that software developers implement encryption in wide-area-network communications and local file storage. We keep so much personal detail in digital format that our computers are more like an extension of our personal life and business than merely an entertainment device. So why is it that all digital information should not be treated and stored with some level of privacy?
      From a business perspective, I’ve worked for plenty of companies and individuals who use Google talk, AIM (even facebook chat) for business communications because it’s convenient and effective. Perhaps contemporary business leans on the legal crutch of offensive lawsuits and prison threats in the face of compromised information (see Sony v. George Hotz, et al). When encryption is readily available, why is it that almost all online communication that I receive regarding personal and business affairs is sent to me in-the-clear? To me, it expresses a lack of respect for the information contained in the message.

  2. Bob says:

    I started using PGP when it first came out. Before NAT, there was encrypted voice, and now that IPv6 is making direct user-to-user connections possible again, maybe there will be a resurgence of direct encrypted communication.

    Email clients that run on a user’s local system have supported PGP and GPG for 15 years. It’s easy enough for anyone even modestly interested in encrypted communication to “take control of your email” as it were.

    For a while, the Firefox “FireGPG” plug-in for Gmail made encrypted email as easy as it is for people to use through their browser as it is for us dinosaurs who like to do email on their local systems.

    I’m glad to see encryption being established in instant messaging. But, and it’s a big but, security starts between the ears.

  3. MamaLiberty says:

    I’ve been using PGP for nearly 15 years. At this point, I have only two or three friends who will even bother to use it. I’ve given up trying to convince the rest. Email is perfectly adequate for my needs. I see no reason at all to mess with instant messaging.

    • Ryan Taylor says:

      Yeah, IM isn’t useful for everyone. Until now, I’ve only used it with certain business relations where it’s the desired form of communication. Different strokes for different folks.
      I’m definitely seeing the same reaction from everyone whom I try to convince to use encryption, even if it’s just to have someone to play with. Most people just don’t care but if I can rouse interest in any of this security stuff from even one person then I’ll feel satisfied (and have someone to play with).

  4. Eeyore says:

    The more time the government wastes spying on my online communications (which there’s about a .00000001% chance they actually ever have) the less time they have to be doing stupid shit that will actually end up harming someone.

    I guess I’m going to need a better reason to make any effort to do this.

    • Seth King says:

      I do this for a number of reasons.

      If we’re activists, high-profile anarchists, we are much more likely to be targeted. Also, don’t forget that there are other criminals (organizations) that would spy on you other than governments. And lastly, the more people communicate in an encrypted manner, the more difficult it is for criminal organizations (such as governments) to single out underground activities based solely on whether or not their communications are encrypted. If only underground activists encrypted their communications, it would be much easier for governments to narrow their searches. So, if you don’t feel you have anything to “hide” you should still encrypt your communications in order to protect the safety of others that you share common cause with.

      • Eeyore says:

        “the more people communicate in an encrypted manner, the more difficult it is for criminal organizations(such as governments) to single out underground activities based solely on whether or not their communications are encrypted.”

        That’s a good thought, and probably the only reason I would consider. However, just as my one vote makes no difference, I have trouble seeing how one more person encrypting their communications would make any difference.

        Actually, thinking about it, the best reason to do it is because it kinda feels cool to be completely anonymous, whether or not it makes any difference. That actually might be enough to convince me.

        • Seth King says:

          It is cool. It’s very cool. 😉

        • Ryan Taylor says:

          When discussing encryption and security/privacy, the most popular response that I get from individuals in my personal life and online is definitely: “You’re too paranoid. I have nothing to hide and you probably don’t either” which is really interesting because that’s not at all the reason that I started this self-education, within the last year or so. It’s like you said, Eeyore, it “feels cool”. Honestly, it’s totally awesome!
          In my next few posts I’ll continue to explore tech security and privacy, ultimately to the end of creating a game scenario utilizing defensive and offensive strategies (and dice, too!)
          Along those lines but sort of completely different, there are global “capture the flag” competitions (one of the biggest is at Defcon) in which teams attack and defend against each other. To my knowledge, they don’t focus on encryption but the idea is to make sport out of security.
          Being that this is an Anarchists’ site, thoughts of who we’re defending against naturally go to the State but, when it comes to personal communication and data, all evil-doers are just as important to protect against. On the activism note, with Internet communication becoming the medium of choice with direct actions, it’s increasingly important for activists to protect their communications and information. Wiretapping and packet-sniffing are commonplace police tactics and fairly simple for anyone to do, especially when motivated.
          I hope to hear more from you as I build and share my new found passion.

  5. Eeyore says:

    Well now you’ve got me intrigued Ryan. Looking forward to hearing more about it.

  6. bw says:

    Thanks for the easy howto, I’ve forwarded this on to several folks.

  7. bw says:

    Oh yeah, with all this talk of security… you might want to fix the forums so they don’t send your plaintext password in the welcome email… seems like pretty bad form.

    • Seth King says:

      The forums are definitely insecure. We haven’t got certificates on any part of the website. I’d like to issue my own certificate but then people will get a browser warning that will turn them away. And I simply don’t trust corporate certificates at all. That being said, people can still use caution as well as other p2p encryption when sending private PM’s to one another.

  8. Can encrypted email be set up easily?

    • Ryan Taylor says:

      It’s actually very easy.
      There’s an article here: http://dailyanarchist.com/2010/09/30/what-is-pgp-and-why-you-need-to-know/
      That will guide you through the process; although, there are much easier ways to integrate PGP/GPG encryption into many email clients. I personally recommend using Thunderbird (Mozilla) with the Enigmail extension, which is available for Windows, Linux and Mac. You can find other guides online about how to set it up on your computer.
      I fully recommend it!

      • Iron Willouw says:

        This is not the first time I’ve heard of thunderbird, or had it highly recommended.
        I think it’s high time I increase my security rather than being so nonchalant about who sees what I say. The argument of “well you have nothing to hide” is a fallacy.
        The following is an opinion of mine.
        Secrecy allows us to be fully open, in partitions, so that those who would find offense to something one would say do not take negative actions or judge based on a mere fragment of who we are.
        By being too open we are essentially offering ourselves up to be political sacrifices of malignant actions.
        By being secure, we are protecting ourselves, and the person we are communicating with. Isolating the incident. ….. something the government likes to do, but doesn’t want us to. That seems fishy to me.
        I think by being more secure we are taking a peaceful stand for our rights of privacy, and also telling the government we shouldn’t be micromanaged.

        *Take a stand, protect the rights of our land*

  9. Mitch says:

    I really wish people would take this kind of thing more seriously.

    Computers should come with recommendations or even built in VPN options, cell phones should have automatic data and SMS encryption built in to the system without having to go add extra apps to encrypt your messages, only to have it work when BOTH parties have the same encryption apps installed and configured properly.

    All email should be encrypted and so should people’s instant messaging and even their facebook chats should have built in encryption abilities. Yet, you mention it to someone and they get a stupid look on their face like they can’t even understand WHY someone would want to bother with encryption in the first place…

    People really need to learn the seriousness of the situation and how easy it is to become a victim and also how easy it is to take advantage of privacy services and software as well.

    Thanks for the good article, I’ve sent it out to a bunch of my friends.

  10. FairPlay says:

    Something I have found to add to the list:

    Encrypted Secure Chat for Skype

    SecureChat performs an RSA 2048 with Optimal Asymmetric Encryption Padding (OAEP) on chat messages with Personal and Public certificates, thus no one can read them, except the participants.

    skypesecurechat.com