I use instant messaging between family members and friends quite a lot as it's a fast and efficient communication tool. But communication is easily intercepted as everything is transferred over a centralized server. That's not good as I like my conversations to be private. In a recent Security Now podcast, Steve Gibson has made me aware of an interesting solution called 'Off-The-Record' (OTR).
Not only does OTR provide perfect forward secrecy for message content on all kinds of IM systems (except, unfortunately, Skype, as it's proprietary), but it also has a built-in mechanism for 'plausible deniability', i.e. it's not possible to prove later on that a particular message was actually sent by a particular person. It's a bit like two people talking in a soundproof room: nobody can hear what's said while it's being said, and nobody can prove afterwards what was said, as there are no witnesses. To find out exactly how this is done I recommend listening to the Security Now episode linked above.
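To make the two properties from the paragraph above concrete, here is an added, heavily simplified model (standard library only, written for this post and not code from the OTR project or the podcast): forward secrecy comes from fresh ephemeral Diffie-Hellman keys per session, and deniability comes from authenticating with a shared-key MAC whose key is later published, so a valid tag proves nothing about who wrote the message. Real OTR does publish its old MAC keys for this reason, but the Diffie-Hellman group, key derivation and cipher below are constructed toy versions and are not secure.

```python
# Simplified illustration of two OTR properties (NOT the real OTR protocol):
#  - forward secrecy: each session uses fresh ephemeral DH keys, so one
#    session's key cannot open another session's recorded ciphertext;
#  - deniability: messages are authenticated with a shared-key MAC, and once
#    that MAC key is public anyone can forge a "valid" transcript.
# Uses only the standard library. All parameters are constructed toys.
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman parameters: far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 3


def dh_keypair():
    """Fresh ephemeral key pair for one session (the source of forward secrecy)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_keys(shared_secret):
    """Derive independent encryption and MAC keys from the DH shared secret."""
    material = hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()
    enc_key = hashlib.sha256(b"enc" + material).digest()
    mac_key = hashlib.sha256(b"mac" + material).digest()
    return enc_key, mac_key


def keystream(key, index, length):
    """Toy stream cipher keystream: SHA-256 counter mode, bound to a message index."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, index, plaintext):
    """Encrypt-then-MAC one message; `index` must be unique per message."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, index, len(plaintext))))
    tag = hmac.new(mac_key, index.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    return ct, tag


def verify_tag(mac_key, index, ct, tag):
    """Anyone holding mac_key can compute this; that is the point of deniability."""
    expected = hmac.new(mac_key, index.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def open_(enc_key, mac_key, index, ct, tag):
    """Check the MAC, then decrypt. Raises ValueError on a bad tag."""
    if not verify_tag(mac_key, index, ct, tag):
        raise ValueError("bad MAC")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, index, len(ct))))


def run_session(plaintext):
    """One session: ephemeral DH, one message, keys would then be discarded."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Both sides compute the same shared secret from the other's public value.
    enc_key, mac_key = derive_keys(pow(b_pub, a_priv, P))
    assert derive_keys(pow(a_pub, b_priv, P)) == (enc_key, mac_key)
    ct, tag = seal(enc_key, mac_key, 0, plaintext)
    received = open_(enc_key, mac_key, 0, ct, tag)
    return {"ciphertext": ct, "tag": tag, "enc_key": enc_key,
            "mac_key": mac_key, "plaintext": received}


def forward_secrecy_holds():
    """Two sessions derive unrelated keys; a later session's key cannot open an
    earlier session's recorded ciphertext (the MAC check fails)."""
    s1 = run_session(b"first session")
    s2 = run_session(b"second session")
    try:
        open_(s2["enc_key"], s2["mac_key"], 0, s1["ciphertext"], s1["tag"])
    except ValueError:
        return s1["enc_key"] != s2["enc_key"]
    return False


def deniability_holds():
    """Once the MAC key is published (as OTR does after a session), a third
    party can attach a valid tag to any bytes, so a valid tag is not evidence
    of authorship. A digital signature would not have this property."""
    s = run_session(b"genuine message")
    published_mac_key = s["mac_key"]
    forged_ct = b"forged transcript bytes"
    forged_tag = hmac.new(published_mac_key, (0).to_bytes(4, "big") + forged_ct,
                          hashlib.sha256).digest()
    return verify_tag(published_mac_key, 0, forged_ct, forged_tag)


if __name__ == "__main__":
    print("forward secrecy:", forward_secrecy_holds())
    print("deniability:", deniability_holds())
```

The contrast worth noticing is in the last two functions: the forward-secrecy check fails to open an old message because the ephemeral secret is gone, while the deniability check succeeds for a forger because a MAC, unlike a signature, can be produced by anyone who holds the (now public) key.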
On Ubuntu, the OTR plugin for Pidgin is already in the repository and installation is simple. For Windows and Mac it has to be installed separately via the author's web page. On Android, Xabber might have what I'm looking for but I haven't tried it so far and I also haven't checked out if the program itself comes from a trustworthy source.
While OTR protects the content of messages, it of course can't protect the information about who communicates with whom, as the centralized server knows from whom and to whom each encrypted message is transferred. This can only be fixed by using a non-public instant messaging server. So for family-related IM I am strongly considering installing my own Jabber server at home on a Raspberry Pi. I haven't done that so far, but it seems to be straightforward. More on this once I've tried it.
One thought on “Raising the Shields – Part 1: Off-The-Record (OTR) Instant Messaging”
I read some article a few days back after Snowden disclosed details about PRISM. Encryption seems comfortable nowadays. With a mass of supporting software and endless resources relating to how to get stuff running, there is still one problem…
The problem with all this is that it's nice to have your private PGP key for email and OTR for instant messaging, but as long as your contacts refuse to use them as well (due to not knowing how, or simply laziness or ignorance about the seriousness of this affair) you have no benefit…
I’ll admit that I’m a bit paranoid but lazy as well 😉 maybe one day we achieve the common goal of 100.0% privacy.