How to Secure Your Chat Session with OTR
Submitted by genner on Thu, 11/20/2008 - 20:02.
Both communicating parties need to install and configure the OTR plugin before they can have private chat sessions. Pidgin automatically recognizes when both of you have the plugin installed and configured. If you request a private conversation with a friend who has not yet installed OTR, a message will be sent to that person explaining how they can obtain the plugin.
3.1 How to Enable the Pidgin-OTR Plugin
Enabling the Pidgin-OTR plugin is the first step towards having private and secure messaging sessions. To enable the Pidgin-OTR plugin, perform the following steps:
Step 1. Select: Tools > Plugins in the Pidgin Buddy List window as follows:
Figure 16: The Tools menu with Plugins selected
This will activate the Plugins screen as follows:
Step 2. Scroll down to the Off-the-Record Messaging option, then check it to enable this feature.
Figure 17: The OTR Plugins screen with Off-the-Record Messaging selected
Step 3. Click the Configure Plugin button to open the Off-the-Record Messaging configuration screen.
3.2 How to Generate an Encryption Key
Secure chat sessions in Pidgin are enabled by generating a private key for the relevant account. The Off-the-Record configuration window is divided into the Config and the Known fingerprints tabs. The Config tab is used to generate a key for each of your accounts and to set specific OTR options. The Known fingerprints tab contains your friends' keys. You must possess a key for any buddy with whom you wish to chat privately.
Figure 18: The Off-the-Record Messaging screen displaying the Config tab
Step 1. To optimise your privacy, check the Enable private messaging, Automatically initiate private messaging and Don't log OTR conversations options in the Config tab as shown above.
Step 2. Click the Generate button to begin generating your secure key. Shortly, a screen notifying you that a private key has been generated appears as follows:
Figure 19: Generating private key screen
Your buddy will need to perform the same steps on his/her own computer.
Important: You have now created a private key for your account. This will be used to encrypt your conversations so that nobody else can read them, even if they manage to listen in between you and your buddies. The fingerprint is a long sequence of letters and numbers used to identify the key for a particular account. It resembles the following:
Fingerprint: 55A3638C 5DCF5BB8 0C7A2815 70DA5122 06507354
Pidgin automatically saves and verifies your and your buddies' fingerprints, so that you will not have to remember them.
3.3 How to Authenticate a Private Conversation
There are three short steps involved in ensuring the security and privacy of your conversations.
- The first step, which we have just completed in section 3.2 How to Generate an Encryption Key, involves creating the key for your account.
- The second step requires you and your buddy to request a secure conversation.
- The third step is about verifying that your buddy is actually the person who you think he/she is. This process of confirming another person's identity is known as 'authentication' in Pidgin.
3.3.1 The Second Step
Step 1. Double-click on the account of a buddy who is currently online to begin a new IM conversation. If both of you have the OTR plugin installed and properly configured you will notice that a new OTR icon appears at the bottom of your chat window.
Figure 20: A Pidgin chat window displaying the OTR icon
Step 2. Click the OTR button to bring up a menu and select: Start private conversation
Your chat window will display the following message:
Attempting to start a private conversation with user@example
user@example has not been authenticated yet. You should authenticate this buddy.
Unverified conversation with user@example started.
and the OTR button will change to read Unverified.
This means that you can now have an encrypted conversation with your buddy. However, this conversation is not verified. Your buddy may actually be someone else sitting behind that computer, or someone pretending to be your buddy. Here you will need to share a secret code word (pre-arranged earlier) to authenticate each other.
3.3.2 The Third Step
In order to authenticate your buddy in Pidgin, you will need to perform one of the two identification methods. You could authenticate each other by a code word, or by a question & answer process.
Using a code word for authentication
You can arrange a code word in advance, either by meeting each other in person or by using another communications medium (like a telephone, voice chat by Skype or a mobile phone text message). Once you both type in the same code word, your session will be authenticated.
Step 1. Right-click the OTR button in the chat window, then choose Authenticate Buddy as follows:
Figure 21: A Pidgin chat window displaying the OTR icon
An Authenticate Buddy window will pop up prompting you to choose the method for authentication.
Step 2. Click the drop-down menu and select: Shared Secret
Figure 22: The Authenticate buddy screen
Step 3. Type in the secret code word (it is case sensitive) and click the Authenticate button.
Figure 23: The Shared Secret screen
Your buddy will see the same window at his/her end and will have to enter the same code word. If they match, your session will be authenticated.
Once the session is authenticated, the OTR button will change to read Private. Your session is now secure and you can be sure that you are really speaking with your buddy.
Using the question & answer for authentication
If you cannot share a code word over an alternative channel, then you have another option for authenticating each other. Create a question and an answer to it. Your buddy will receive the question and if their answer matches yours, you are authenticated. Obviously, the answer will need to be typed in exactly the same on both ends.
Step 1. Right-click the OTR button in the chat window, then choose Authenticate Buddy as follows:
Figure 24: A Pidgin chat window displaying the OTR icon
An Authenticate Buddy window will pop up prompting you to choose the method for authentication.
Step 2. Click the drop-down menu and select: Question and Answer
Figure 25: The Authenticate buddy screen
Step 3. Enter a question and an answer to it. The question will be sent to your buddy. If their answer matches yours, the authentication will be successful.
Figure 26: The Questions and Answer screen
Once the session is authenticated, the OTR button will change to read Private. Your session is now secure and you can be sure that you are really speaking with your buddy.
Congratulations! You may now chat privately. The next time you and your buddy chat (using the same computers), you can skip the first and third steps, above. You should only have to request a secure connection and have your buddy accept it.
Notice that when you select Buddy List > Tools > Plugins > Off The Record Messaging > Configure Plugin, the Known fingerprints tab now displays your buddy's account and a message that their identity has been verified.
Figure 27: The Off-the-Record Messaging screen displaying the Known Fingerprints tab
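As an added illustration (not part of the original guide or of Pidgin's own code), the following Python sketch models what the Known fingerprints tab records: a fingerprint in the guide's five-group layout derived from the key bytes, and a trust-on-first-use store that remembers a buddy's key, records whether it was authenticated, and flags a later key change. The serialization is simplified (real libotr hashes its own DSA key encoding) and the key bytes are constructed sample values.

```python
import hashlib

# Constructed sample key material; real OTR keys are DSA keys, and libotr
# fingerprints its own serialization of them. Here any bytes stand in.
ALICE_KEY = b"constructed-public-key-of-alice"
ALICE_KEY_REPLACED = b"constructed-public-key-of-someone-else"


def otr_fingerprint(pubkey_bytes: bytes) -> str:
    """Return a SHA-1 fingerprint written as five groups of eight hex
    digits, the layout shown in the guide (e.g. '55A3638C 5DCF5BB8 ...')."""
    digest = hashlib.sha1(pubkey_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


class KnownFingerprints:
    """Minimal model of the Known fingerprints tab: a trust-on-first-use
    store keyed by buddy account, plus whether that key was authenticated."""

    def __init__(self) -> None:
        self._store = {}  # account -> {"fingerprint": str, "verified": bool}

    def check(self, account: str, pubkey_bytes: bytes) -> str:
        """Classify the key a buddy presents for this session."""
        fp = otr_fingerprint(pubkey_bytes)
        entry = self._store.get(account)
        if entry is None:
            # First contact: remember the key, but it stays unverified
            # until a shared-secret or question/answer check succeeds.
            self._store[account] = {"fingerprint": fp, "verified": False}
            return "new"
        if entry["fingerprint"] != fp:
            # A different key than the one on record: someone may be
            # sitting in the middle, so do not silently trust it.
            return "mismatch"
        return "verified" if entry["verified"] else "unverified"

    def mark_verified(self, account: str) -> None:
        """Record a successful authentication for the stored key."""
        self._store[account]["verified"] = True


def demo() -> list:
    """Walk through first contact, authentication, and a later key change."""
    known = KnownFingerprints()
    results = [known.check("alice@example", ALICE_KEY)]      # new
    results.append(known.check("alice@example", ALICE_KEY))  # unverified
    known.mark_verified("alice@example")
    results.append(known.check("alice@example", ALICE_KEY))  # verified
    results.append(known.check("alice@example", ALICE_KEY_REPLACED))  # mismatch
    return results
```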