Raising the Shields – Part 1: Off-The-Record (OTR) Instant Messaging

I use instant messaging between family members and friends quite a lot, as it's a fast and efficient communication tool. But communication is easily intercepted, as everything is transferred over a centralized server. That's not good, as I like my conversations to be private. In a recent Security Now podcast, Steve Gibson made me aware of an interesting solution called 'Off-The-Record' (OTR).

Not only does OTR provide perfect forward secrecy for message content on all kinds of IM systems (except, unfortunately, Skype, as it's proprietary), but it also has a built-in mechanism for 'plausible deniability', i.e. it's not possible to prove later on that a particular message was actually sent by a particular person. A bit like two people talking in a soundproof room: nobody can hear what is said when it is said, and nobody can prove afterwards what was said, as there are no witnesses. To find out exactly how this is done, I recommend listening to the Security Now episode linked above.
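To make the two properties above concrete, here is a small added illustration (my own toy sketch, not code from the OTR project and not the real OTR protocol). It uses only the Python standard library: each session derives its keys from fresh ephemeral Diffie-Hellman values that are discarded afterwards (forward secrecy), and messages are authenticated with an HMAC key that both sides share, so a valid tag never proves who wrote the message (deniability). The prime, generator, hash-based keystream and key derivation are constructed for the demo and offer no real security; real OTR uses a 1536-bit MODP group, AES-CTR, SHA-1 HMACs and a signed authenticated key exchange.

```python
"""Toy sketch of two OTR properties: forward secrecy via per-session ephemeral
Diffie-Hellman keys, and deniability via a shared MAC key that either party
(and, once revealed, anyone) can use to produce a valid tag.
Constructed illustration, standard library only; NOT the real OTR protocol."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption: a small Mersenne prime chosen for the
# demo only; it offers no real security).
P = 2**127 - 1
G = 3


def dh_keypair():
    """Fresh ephemeral private/public pair; never reused across sessions."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_keys(shared_secret):
    """Split a hash of the DH shared secret into an encryption and a MAC key."""
    material = hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()
    return material[:16], material[16:]


def keystream(enc_key, length):
    """Counter-mode keystream built from SHA-256 (toy stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def verify_tag(mac_key, data, tag):
    """What a recipient (or a third party holding the MAC key) can check."""
    return hmac.compare_digest(tag, mac(mac_key, data))


def encrypt_and_mac(enc_key, mac_key, plaintext):
    stream = keystream(enc_key, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ciphertext, mac(mac_key, ciphertext)


def verify_and_decrypt(enc_key, mac_key, ciphertext, tag):
    if not verify_tag(mac_key, ciphertext, tag):
        raise ValueError("MAC check failed")
    stream = keystream(enc_key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def run_session(plaintext):
    """One conversation: both sides pick ephemeral DH keys, agree on a secret,
    send one authenticated message, then discard the ephemeral secrets."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    enc_key, mac_key = derive_keys(pow(b_pub, a_priv, P))
    # Both sides arrive at the same keys from their own private value.
    assert derive_keys(pow(a_pub, b_priv, P)) == (enc_key, mac_key)
    ciphertext, tag = encrypt_and_mac(enc_key, mac_key, plaintext)
    # Forward secrecy: the private DH values are gone after the session, so a
    # later compromise of long-term identity keys reveals nothing about it.
    del a_priv, b_priv
    return {"ciphertext": ciphertext, "tag": tag,
            "enc_key": enc_key, "mac_key": mac_key}


def forge_with_revealed_key(mac_key, fake_message):
    """Deniability: the peer already holds mac_key, and OTR publishes old MAC
    keys once retired, so a valid tag proves nothing about who wrote the text."""
    return mac(mac_key, fake_message)


if __name__ == "__main__":
    s1 = run_session(b"meet at 7")
    s2 = run_session(b"meet at 7")
    print("decrypted:", verify_and_decrypt(s1["enc_key"], s1["mac_key"],
                                           s1["ciphertext"], s1["tag"]))
    print("two sessions share keys:", s1["enc_key"] == s2["enc_key"])
    fake = b"something Alice never said"
    forged = forge_with_revealed_key(s1["mac_key"], fake)
    print("forged tag verifies:", verify_tag(s1["mac_key"], fake, forged))
```

Running it shows the message round-tripping, two sessions with unrelated keys (so one session's keys cannot open another's traffic), and a tag for a message that was never sent verifying just as well as a genuine one, which is exactly why a transcript of an OTR conversation cannot be used as proof of authorship.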

On Ubuntu, the OTR plugin for Pidgin is already in the repository and installation is simple. For Windows and Mac it has to be installed separately from the author's web page. On Android, Xabber might have what I'm looking for, but I haven't tried it so far, and I also haven't checked whether the program itself comes from a trustworthy source.

While OTR protects the content of messages, it of course can't protect the information about who communicates with whom, as the centralized server knows from whom and to whom an encrypted message is transferred. This can only be fixed by using a non-public instant messaging server. So for family-related IM I am strongly considering installing my own Jabber server at home on a Raspberry Pi. I haven't done that so far, but it seems to be straightforward. More on this once I've tried it.

Prism & Co.: Raising the Shields Is Not Enough

In the past couple of weeks a number of revelations have shown the extent to which secret service organizations from around the world tap the Internet to spy on their citizens and those of other nations, store data about them, and record their use of the network and communication metadata such as phone call records. While I think that some of these measures are justified when it comes to countering international crime and terrorism, the line for me is crossed when data of innocent people from around the world is copied and stored indefinitely. Also, wiretapping the embassies of other nations and using resources for industrial and political espionage against friends and partners is something I find unacceptable. This has to stop, and I hope that people and politicians around the world in free and democratic countries will find the courage to control and restrict their secret services and those supporting them, and not have their liberty and freedom restricted and undermined by them.

Having said this, I find myself ever more encouraged to protect myself when using the Internet. Using Owncloud to ensure my private data is hosted on my own servers and communicating with them in a secure fashion can only be the first step. I have quite a number of things in mind that I want to change over the course of the next months. Watch this blog for the details to come.

But raising the shields by storing my data in my own network and encrypting more of my communication is not the cure, it's just treating the symptoms. Privacy and freedom have to come back to communication and only internationally agreed limits to what intelligence agencies are allowed to do on and off the Internet will bring back what we have lost.