Rather than getting into reasons why encrypting online communication is good practice, I’ll leave it at this: The technology is readily available and extremely easy to use.
In the past I’ve been told, and was convinced, that it is not possible to encrypt instant messaging (IM). Recently, however, I found out that it is possible and quite simple to implement. By no means am I a security expert, but I am always excited to share the learning experiences I gain from others I consider to be more knowledgeable than myself. If you have alternatives, relevant information, resources, or input on this topic, please share as well.
First you’ll need an IM account. For the purpose of this guide I suggest creating a Jabber (XMPP) account, which is free at Jabbim.com. There’s a huge list of public Jabber servers to choose from, and any Jabber server will do. You may be more comfortable creating an account in a country that is less likely to seize private information. It’s up to you, but keep in mind that whichever server you pick can still see who you talk to and when, even once encryption is in place: OTR protects the contents of your messages, not your contact list or that metadata. With Jabber, all that you need to do to get an account is create an ID and password for yourself.
Once the account is created, you’ll need an IM client. I’ve found that the most recommended IM client is Pidgin IM, which exists for every major operating system. It’s available in the Ubuntu Software Center. For Mac users, Adium IM is generally recommended. If you want to use a Windows computer that you don’t have administrator access to, there’s a portable version that can be used from a USB drive.
With the client installed, run the program and set up your IM account. The XMPP fields below together form your full Jabber ID, username@domain/resource:
- Protocol: XMPP (or “Jabber” if that is what your client calls it)
- Username: the ID you chose when creating the account, without the @domain part
- Resource: a descriptive name for this computer. Don’t use the same resource name on different computers: the server allows one session per resource, so a second login with the same name either kicks the first one off or is refused.
- Domain: the Jabber server you registered with (for example jabbim.com), as given at the time of account creation
To encrypt IM conversations with Pidgin, an encryption plugin needs to be installed. The plugin is “Off-the-Record Messaging” (OTR), packaged as pidgin-otr, and it’s also available from the Ubuntu Software Center. Adium ships with OTR built in.
In Pidgin, after the plugin is installed:
- Find the plugins preferences under the “Tools” menu.
- Check the box to enable “Off-the-Record Messaging”.
- Before closing the plugins window, click “Configure Plugin” (with OTR selected). These settings are optional, but you should definitely take a glance and set them to your preference.
- Click the “Generate” button to create a private key for the account you just set up. Each account gets its own key, and the fingerprint shown here is what your contacts will compare against when they verify you.
With everything set up, the last step is finding someone to talk with. When you find a friend, you can “Add a Buddy” and open a conversation; once both sides have OTR, the chat shows as private but “Unverified”. Encryption alone only stops a passive eavesdropper: until you authenticate each other, someone sitting between you on the network could be holding one OTR session with each of you and reading everything in between. So, when using OTR for the first time with someone new, both parties authenticate each other in one of three ways: question and answer, a shared secret, or manually comparing fingerprints over a channel the network can’t tamper with (in person or over the phone). And, that’s it! Your one-to-one conversations will be encrypted from that point forward (OTR does not cover group chats). A fingerprint only needs to be verified once per key: if a buddy generates a new key, or logs in from another client with its own key, Pidgin will warn that the fingerprint is unverified again and you should repeat the check.
There is a different plugin called pidgin-encryption, available from SourceForge, but there are several benefits to using OTR over it, as noted in the OTR FAQ. Most importantly, OTR offers deniability and perfect forward secrecy. Deniability means that messages are authenticated with MACs rather than digital signatures, and the MAC keys are published once they are no longer needed, so a third party holding a transcript cannot prove afterwards who wrote a message. Perfect forward secrecy means that each conversation uses fresh ephemeral keys that are thrown away afterwards, so if you later lose control of your long-term private key, no previously recorded conversation can be decrypted.
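Both of those properties, and the reason the “Unverified” state in the previous paragraph matters, can be seen in a small model. The following is an added example, not code from the original post or from the OTR project, and it is deliberately a toy: a Schnorr signature stands in for OTR’s DSA, a SHA-256 keystream for AES-CTR, SMP is left out, and nothing in it interoperates with real OTR clients. The group constant is the RFC 3526 1536-bit MODP prime that OTR itself uses (check it against the RFC before reusing it anywhere else).

```python
"""Toy model of two OTR properties discussed above: an 'Unverified' session is
still open to an active man-in-the-middle until fingerprints are checked, and
publishing MAC keys gives deniability. Constructed teaching code, not libotr:
Schnorr stands in for OTR's DSA, a SHA-256 keystream for AES-CTR, and SMP is
omitted, so nothing here interoperates with real OTR clients."""
import hashlib
import hmac
import secrets

# 1536-bit MODP prime from RFC 3526 (group 5), the group OTR uses for its DH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2   # 2 generates the prime-order subgroup of size Q
LEN = 192                # byte length of one group element

def h_int(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q

def sign(a, A, msg):
    """Toy Schnorr signature binding msg to the long-term key A = G**a."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = h_int(R.to_bytes(LEN, "big"), A.to_bytes(LEN, "big"), msg)
    return R, (k + a * e) % Q

def verify(A, msg, sig):
    R, s = sig
    e = h_int(R.to_bytes(LEN, "big"), A.to_bytes(LEN, "big"), msg)
    return pow(G, s, P) == (R * pow(A, e, P)) % P

def fingerprint(A):
    """OTR shows SHA-1 of the public key as 40 hex digits in groups of eight."""
    h = hashlib.sha1(A.to_bytes(LEN, "big")).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, 40, 8))

class Party:
    def __init__(self):
        self.a = secrets.randbelow(Q - 1) + 1   # long-term private key
        self.A = pow(G, self.a, P)              # long-term public key (fingerprinted)
        self.x = self.enc_key = self.mac_key = None

    def ake_start(self):
        # Fresh ephemeral exponent per session; the long-term key only signs it.
        self.x = secrets.randbelow(Q - 1) + 1
        gx = pow(G, self.x, P)
        return gx, self.A, sign(self.a, self.A, gx.to_bytes(LEN, "big"))

    def ake_finish(self, peer_gx, peer_A, peer_sig):
        if not verify(peer_A, peer_gx.to_bytes(LEN, "big"), peer_sig):
            raise ValueError("AKE signature invalid")
        s = pow(peer_gx, self.x, P).to_bytes(LEN, "big")
        self.enc_key = hashlib.sha256(b"enc" + s).digest()
        self.mac_key = hashlib.sha256(b"mac" + s).digest()
        self.x = None   # discarded: a later leak of self.a reveals nothing about s

def seal(enc_key, mac_key, ctr, plaintext):
    """Encrypt-then-MAC with a malleable stream cipher, as OTR deliberately does."""
    assert len(plaintext) <= 32, "toy keystream is a single SHA-256 block"
    stream = hashlib.sha256(enc_key + ctr.to_bytes(8, "big")).digest()
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ctr, ct, hmac.new(mac_key, ctr.to_bytes(8, "big") + ct, hashlib.sha1).digest()

def open_msg(enc_key, mac_key, msg):
    ctr, ct, tag = msg
    expect = hmac.new(mac_key, ctr.to_bytes(8, "big") + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hashlib.sha256(enc_key + ctr.to_bytes(8, "big")).digest()
    return bytes(c ^ k for c, k in zip(ct, stream))

def mitm_session(plaintext=b"meet at 9"):
    """Mallory completes an AKE with each side using her own key. Both sessions
    work and look encrypted; only the fingerprint comparison exposes her."""
    alice, bob, m_a, m_b = Party(), Party(), Party(), Party()
    m_b.a, m_b.A = m_a.a, m_a.A                 # one Mallory identity, two sessions
    a_start, b_start = alice.ake_start(), bob.ake_start()
    ma_start, mb_start = m_a.ake_start(), m_b.ake_start()
    alice.ake_finish(*ma_start); m_a.ake_finish(*a_start)   # Alice <-> Mallory
    bob.ake_finish(*mb_start);   m_b.ake_finish(*b_start)   # Mallory <-> Bob
    leaked = open_msg(m_a.enc_key, m_a.mac_key, seal(alice.enc_key, alice.mac_key, 1, plaintext))
    bob_reads = open_msg(bob.enc_key, bob.mac_key, seal(m_b.enc_key, m_b.mac_key, 1, leaked))
    return leaked, bob_reads, fingerprint(ma_start[1]) == fingerprint(bob.A)

def forge_after_mac_reveal(plaintext=b"meet at 9"):
    """OTR publishes a MAC key once it will not be used again. Transcript plus
    that key lets anyone mint a message whose MAC verifies: no proof of authorship."""
    alice, bob = Party(), Party()
    a_start, b_start = alice.ake_start(), bob.ake_start()
    alice.ake_finish(*b_start); bob.ake_finish(*a_start)
    genuine = seal(alice.enc_key, alice.mac_key, 1, plaintext)
    revealed_mac_key = alice.mac_key        # what OTR later sends in the clear
    forged_ct = bytes(b ^ 0xFF for b in genuine[1])   # outsider rewrites the ciphertext
    forged_tag = hmac.new(revealed_mac_key, (1).to_bytes(8, "big") + forged_ct, hashlib.sha1).digest()
    return (open_msg(bob.enc_key, bob.mac_key, genuine) == plaintext,
            open_msg(bob.enc_key, bob.mac_key, (1, forged_ct, forged_tag)) is not None)
```

In the man-in-the-middle scenario the model returns Alice’s plaintext as read by Mallory, the same plaintext as received by Bob, and False for the fingerprint comparison: both ends had a working “encrypted” session with valid signatures and no error, and only comparing the fingerprint Alice was shown against Bob’s real one catches the substitution, which is exactly what the question-and-answer, shared-secret or manual verification step is for. In the forgery scenario both the genuine and the forged message verify, which is why a saved OTR transcript plus its published MAC keys proves nothing about authorship to an outsider.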
For extra anonymity, OTR can be used over the Tor network. To do this, you’ll need a Tor client running on the machine and then point your IM client at its SOCKS port. The standalone tor daemon listens on 127.0.0.1:9050 by default; the Tor Browser’s bundled tor uses port 9150 instead.
In the Pidgin account preferences, under the “Proxy” tab:
– Proxy: Tor/Privacy (SOCKS5). Pick this rather than plain SOCKS5: with the Tor/Privacy type Pidgin hands the server’s hostname to Tor instead of resolving it locally, so the DNS lookup doesn’t leak outside Tor.
– Host: 127.0.0.1
– Port: 9050 (or 9150 for the Tor Browser’s tor)
A quick sanity check is to stop Tor and reconnect the account: if it still comes online, the proxy setting is not being applied.
Although the Tor settings appear to work properly, the account will actually connect without being on the Tor network, so I’m not totally convinced that it actually does what it is supposed to do. There’s also an actual Tor IM client, TorChat (Ubuntu Software Center).
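If you want more than a gut feeling about whether the proxy setting is being honoured, look at the sockets Pidgin actually opens. The following is an added example, not part of the original post: a small Python script that parses the output of `ss -tnp` on Linux (run it as the same user Pidgin runs as, so the process column is populated) and lists every connection owned by the pidgin process that is not to the local SOCKS port. The `ss` output embedded in it is constructed sample data so the logic can be tested offline.

```python
"""Checks from outside Pidgin whether its Jabber connection really goes through
Tor. Added example, not part of the original post: it parses `ss -tnp` output
(Linux) and flags every connection owned by the pidgin process that is not to
the local SOCKS port. SAMPLE_SS_OUTPUT below is constructed, not captured."""
import subprocess

PROXY = ("127.0.0.1", 9050)   # 9150 if Pidgin is pointed at Tor Browser's tor

# Constructed `ss -tnp` output: one proxied XMPP connection, one direct leak,
# and an unrelated browser connection that must be ignored.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB 0      0      127.0.0.1:43210     127.0.0.1:9050     users:(("pidgin",pid=2345,fd=22))
ESTAB 0      0      192.168.1.20:51234  203.0.113.10:5222  users:(("pidgin",pid=2345,fd=21))
ESTAB 0      0      192.168.1.20:51240  203.0.113.20:443   users:(("firefox",pid=3001,fd=88))
"""


def split_host_port(addr):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::1]:9050' -> ('::1', 9050)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def direct_connections(ss_output, process="pidgin", proxy=PROXY):
    """Return the (host, port) peers that `process` talks to without the proxy."""
    leaks = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6 or f'"{process}"' not in fields[5]:
            continue
        peer = split_host_port(fields[4])
        if peer != proxy:
            leaks.append(peer)
    return leaks


def live_check():
    """Run ss on this machine; fall back to the constructed sample if unavailable."""
    try:
        out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT
    return direct_connections(out)


if __name__ == "__main__":
    for host, port in live_check():
        print(f"pidgin connects directly to {host}:{port} -- this is not going through Tor")
```

With Tor working, the only pidgin entry should be the one to 127.0.0.1:9050; a peer on port 5222 (or 5223/443 on servers that use those) means the account is reaching the Jabber server directly. Run the same check once with Tor stopped: if the account still connects and a direct peer appears, the proxy setting is being ignored.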