Raising the Shields – Part 1: Off-The-Record (OTR) Instant Messaging

I use instant messaging between family members and friends quite a lot as it's a fast and efficient communication tool. But communication is easily intercepted as everything is transferred over a centralized server. That's not good as I like my conversations to be private. In a recent Security Now podcast, Steve Gibson has made me aware of an interesting solution called 'Off-The-Record' (OTR).

Not only does OTR provide perfect forward secrecy for message content for all kinds of IM systems (except unfortunately for Skype as it's proprietary) but it also has a built in mechanism for 'plausible deniability', i.e. it's not possible to prove later-on that a particular message has actually been sent by a particular person. A bit like talking in a sound proof room between two people: Nobody can hear what's said when it's said and its not possible to proof what was said later-on by anyone as there are no witnesses. To find out how exactly this is done I recommend to listen to the security now episode linked above.

On Ubuntu, the OTR plugin for Pidgin is already in the repository and installation is simple. For Windows and Mac it has to be installed separately via the author's web page. On Android, Xabber might have what I'm looking for but I haven't tried it so far and I also haven't checked out if the program itself comes from a trustworthy source.

While OTR protects the content of messages it can't of course protect the information of who communicates with whom as the centralized server is aware from and to which an encrypted message is transferred. This can only be fixed by using a non-public instant messaging server. So for family related IM I am strongly thinking about installing my own Jabber server at home on a Raspbery Pi. I haven't done that so far but it seems to be straight forward. More on this once I've tried.