Our friend Michael W. Dean recently put on our radar his thorough write-up about Pidgin, which bills itself as “the universal chat client”. If you follow the steps he outlines, you’ll have not just another chat client, but one that is encrypted.
As you’ll see, his instructions below are for those using Windows. I use a Mac, so I attempted to get Pidgin working on my machine via this link. The initial set-up was pretty much the same as that for Windows, but, try as I might, I was unable to get my account authenticated. If you have a Mac and attempt this set-up and get it working correctly, I’d be interested to hear from you, just so I know it’s possible. It should be – I think my issue is attributable to user error.
How to Do Encrypted, Off-The-Record Instant Messenger With Pidgin
by Michael W Dean, FreedomFeens.com, Dec. 27th, 2012
The Freedom Feens recently wrote and published an extensive and kick-ass tutorial on setting up encrypted e-mail, here. However, e-mail isn’t always the best tool, especially if you’re going back and forth in a conversational manner. But there is a way to set up encrypted instant messenger: OTR (off-the-record) Pidgin. OTR Pidgin is more instant than e-mail, better for back-and-forth conversations, keeps no record and leaves no trace. It provides actual plausible deniability (to borrow a phrase from the CIA). I don’t use OTR Pidgin for everyone, only like eight people I trust and know really well, but it’s even better than PGP mail because there is no record: the only record of the conversation is in the heads of both people involved.
A lot of serious hard-core white-hat hacker computer security experts don’t even use e-mail, EVER. They use OTR Pidgin for all Internet communications.
With e-mail and a public key, if someone can get your passphrase, they can read any saved e-mails. But with the OTR Pidgin, NOTHING IS SAVED. Again: The only record is IN THE BRAINS of the two people talking. And it’s even better if you’re using it over a VPN or Tor.
The OTR plugin was created by Cypherpunks. More on them and OTR is here. I showed this tutorial to Cypherpunk Ian Goldberg, who invented the OTR Pidgin plugin. He made a few suggestions for changes, and I made those changes. He added: “If you use OTR and also something like Tor, you can break the link between the username and your physical identity, but *only* if you _always_ use Tor with that IM account, even when creating it... If you need to break the link between the username and your identity, you need to use an anonymous communications network such as Tor in addition to OTR (they’re designed to work well together!).”
Setting up OTR Pidgin is a lot of steps, but each step is simple. The problem with getting more people to use encryption is there’s no way to do it that’s as easy as picking up a phone or using Skype (both of which are uber NOT secure). And so far, the really easy ways of doing encryption (like Hushmail) are not secure. The problem is human stupidity and State evil. Most people say “I have nothing to hide”, and governments don’t want people using encryption. In a real LibPar (without governments, and with all “power” removed from idiots and returned to each honest, smart person), encryption would be in all Internet programs by default.
Instead we get shit like Facebook, where if you’re one of their marks (er, users), they add a chat bar EVEN IF YOU DON’T WANT one. And if you set it to go away, it randomly comes back from time to time like a stalker ex. They WANT you chatting on their un-secure chat program, and they’re a company that will give any information to any law enforcement entity without a warrant. I recently left Facebook, and if you’re interested in security, you should too. You should also use Internet security programs like PGP e-mail and OTR Pidgin, EVEN IF YOU HAVE NOTHING TO HIDE. Because these days, no matter how “legal” or “ethical” your conversations, intentions and actions are, governments around the world (as well as some individuals, and almost all corporations) will try to use what you say against you. The repercussions of this can run the gamut from being spammed to being imprisoned... even if you think you’re not breaking any laws. We’re in a post-Patriot Act world, where doing things that one branch of the government tells you to do (like having a stockpile of food) can get you targeted as a suspect by another part of the government.
VERY IMPORTANT NOTE: There is a lot of “fake security” these days. For instance, the “Off The Record” option in the Google Talk client is *not* OTR. (They explain that here.) And as I said in our PGP tutorial, using BAD encryption or no encryption when you THINK you’re using encryption is far WORSE than using NO encryption and knowing it, because it only gives you an illusion of security. The way the world is headed, that’s like going into a war zone with a “magic” protection amulet instead of bullet-resistant body armor. Screw web-based encryption. Do it all on your end. No one should have your private keys and passwords but you. OTR Pidgin is secure. It is not fake security.
So, let’s set up OTR Pidgin...
The first step (on Windows, though you can also do this on Linux from the same link) is to download Pidgin (here) and the OTR plugin (the latest Windows version, 4.0.0-1, is here). If you want to check for a newer version, check here, where it says “OTR plugin for Pidgin.”
Many flavors of GNU/Linux actually ship with Pidgin AND the OTR plugin installed. But if you’re using Linux, you probably already write encryption software to relax, and wouldn’t need this tutorial. And if you’re on Mac, you’re out of luck, but as Richard Stallman said “Steve Jobs made jail cool.”
But if you’re on Windows (the PC jail – see Footnote 1):
Accept the license. Then accept all the default installs:
Pick your destination folder. The default should be fine:
You will get this screen when it’s done installing:
Install the Pidgin OTR plugin:
Accept the license, let it install, and when you’re done you’ll see this screen:
Now you need to configure your Pidgin Account. You may notice that Pidgin looks almost exactly like the old AOL instant messenger. Well, it was branched off of that project by the guys who wrote it for AOL, but they didn’t like working at AOL, so they went off on their own and made it into Pidgin.
Also notice that while Pidgin comes up as a program in your program list and/or task bar, the OTR plugin does not. That’s normal. The OTR plugin is not a stand-alone program; it’s a behind-the-scenes add-on for Pidgin. We’ll configure it later, from within Pidgin. But first you need a Pidgin account. Click Add Account:
There are three tabs. The first we’ll configure is the Basic Tab:
^ (I’ve blurred out all contact info and keyprints in these screenshots, for security reasons.)
Under protocol, pick XMPP. This is very important. None of the other protocols will work in a truly secure manner, and many of them (like Google and Facebook) will send your info through servers of companies that gladly bend over for “The Man” without so much as a warrant. So use XMPP. Do NOT use “Facebook XMPP”, it’s not secure. Use the one near the bottom that just says XMPP:
You can use a Gmail address, if you must, breaking the user name and domain up into the two boxes (username, and @gmail.com), but I prefer to use Rayservers. Rayservers is a VPN run by a cool security-minded guy named Ray (more on his VPN is here), and Ray allows cool people to set up free jabber accounts for OTR messaging. You can set up an account right through the Pidgin interface.
Pick a user name that is unique, and somewhat anonymous. Don’t use your real full name, or a nickname that can be absolutely tied to you. Pick something your friends would recognize, but not something that can be proven to be you. Enter it in the username field. For domain, enter
Leave “Resource” blank. Enter a password. (Info on picking a good password is here.) Make sure “Remember Password” is checked. (It might be best to NOT check this if it’s for use on a laptop that you travel with frequently, where physical access to your computer could easily be denied to you, and someone could log on and pretend to be you. But if you do not have it set up to remember the password, you’ll have to manually enter it each time you start your computer. Remember, computer security is always a tradeoff between privacy and ease of use.)
Leave Local Alias blank, keep New Mail Notifications unchecked, and you can either accept the default buddy icon, or add your own. For this example, we’ve added our own.
Make sure “Create this new account on the server” is checked. Do NOT yet click “Add”, we’ve got a few more things to set up. Go to the Advanced tab:
Setting for Connection Security should be “Require Encryption.” “Allow Plaintext auth over unencrypted streams” should NOT be checked. Connect Port should be 5222. Leave Connect Server blank. File Transfer Proxy should be left as
BOSH URL should be blank. Show Custom Smileys should be checked. Now go to the Proxy tab:
Proxy Type should be “Use Global Proxy Settings.”
Make sure “Create this new account on the server” is checked, then click the “Add” button in the bottom right. You will get this window:
Go ahead and accept the jabber certificate, even if you get a message saying it’s out of date or cannot be trusted. Trust me on this. SSL certificate issuance is controlled by government monopolies, and if you issue your own without paying The Man, the SSL cert is still valid, but SSL cert notifications try to scare you. Ray’s cert is self-issued, but solid. After you click “Accept”, you will get a window with these certificate details:
(That certificate is good to year 2020. After that, if this stuff isn’t either freely included everywhere automatically already, or punishable by death, there should be a new cert on Ray’s site when this one stops working, and you should get a notification from Pidgin when it is no longer any good.)
Hit “Close” and you will get this window:
Go ahead and click Register, and you will get this:
You now have an account. But we’re not done yet. Go to your Buddy List window and click on Tools/Plugins:
Scroll down to “Windows Pidgin Options”, Single click on it, then click “Configure Plugin” at the bottom:
Make sure “Start Pidgin on Windows Startup” is checked. (It’s fine to leave Pidgin running all the time. It takes very little memory and will not affect your computing performance. It’s about as memory intensive as having Notepad running.)
Do not check anything else, then click “Close.” Now go back to your Buddy List window and click on Tools/Plugins. This time, single click “Off-The-Record Messaging” and click “Configure Plugin” at the bottom:
You’ll get this window:
It should automatically generate a key. If it doesn’t, it will say “No Key Present.” In that case, under where it says “No Key Present”, click the “Generate” button. When it’s done generating a key, you will get this message:
Under “Default OTR Settings”, make sure these are checked: “Enable Private Messaging”, “Automatically Initiate Private Messaging”, “Require Private Messaging” and “Don’t log OTR conversations.” In other words, check EVERYTHING. Also check at the bottom under OTR UI Options where it says “Show OTR button in toolbar.”
(Do not check “Require Private Messaging” if you plan to be chatting with any people who are not using the OTR plugin, but in my opinion, you should not be chatting with those people. lol.)
Hit Close. Then in the Plugins window hit Close. Then on your Buddy List window, go to Tools/Preferences:
UN-CHECK “Log All Instant Messages”, “Log All Chats” and “Log all status changes to system log.” THIS IS VERY IMPORTANT, even though you’ve already set this in “Default OTR Settings”. For some reason, you have to do it in both places.
Then hit Close. You are now set up for OTR encrypted instant messaging.
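One check worth running after finishing these steps is an audit of the saved profile against the settings above, so a setting that silently reverted (or a second account added later with the defaults) gets caught. This is an added example, not code from the post or from Pidgin; it assumes libpurple’s accounts.xml and prefs.xml layout and the setting names shown (connection_security, auth_plain_in_clear, port, and the /purple/logging/* and /OTR/* preferences), and the XML it parses is constructed sample data, not a real profile.

```python
import xml.etree.ElementTree as ET

# Advanced-tab settings the tutorial requires (key names assumed from libpurple's accounts.xml).
REQUIRED_ACCOUNT = {"connection_security": "require_tls",  # "Require Encryption"
                    "auth_plain_in_clear": "0",            # no plaintext auth in the clear
                    "port": "5222"}
# Logging and OTR plugin preferences (paths assumed from prefs.xml).
REQUIRED_PREFS = {"/purple/logging/log_ims": "0", "/purple/logging/log_chats": "0",
                  "/purple/logging/log_system": "0", "/OTR/enabled": "1",
                  "/OTR/automatic": "1", "/OTR/onlyprivate": "1",
                  "/OTR/avoidloggingotr": "1"}

def sample_accounts_xml(security="opportunistic_tls", plain_auth="1"):
    """Constructed accounts.xml for one XMPP account; the defaults are the weak settings."""
    return f"""<account version='1.0'><account>
  <protocol>prpl-jabber</protocol><name>feens_test@jabber.example.org/</name>
  <settings>
    <setting name='connection_security' type='string'>{security}</setting>
    <setting name='auth_plain_in_clear' type='bool'>{plain_auth}</setting>
    <setting name='port' type='int'>5222</setting>
  </settings>
</account></account>"""

def sample_prefs_xml(log_ims="1"):
    """Constructed prefs.xml: OTR configured as in the tutorial, IM logging as given."""
    return f"""<pref version='1' name='/'>
  <pref name='purple'><pref name='logging'>
    <pref name='log_ims' type='bool' value='{log_ims}'/>
    <pref name='log_chats' type='bool' value='0'/><pref name='log_system' type='bool' value='0'/>
  </pref></pref>
  <pref name='OTR'>
    <pref name='enabled' type='bool' value='1'/><pref name='automatic' type='bool' value='1'/>
    <pref name='onlyprivate' type='bool' value='1'/><pref name='avoidloggingotr' type='bool' value='1'/>
  </pref></pref>"""

def account_settings(accounts_xml):
    """Map each XMPP (prpl-jabber) account name to its {setting: value} dict."""
    out = {}
    for acct in ET.fromstring(accounts_xml).findall("account"):
        if acct.findtext("protocol") == "prpl-jabber":
            out[acct.findtext("name")] = {s.get("name"): (s.text or "") for s in acct.iter("setting")}
    return out

def flatten_prefs(prefs_xml):
    """Flatten nested <pref> elements into {'/path/to/leaf': value}."""
    out = {}
    def walk(node, path):
        for child in node.findall("pref"):
            here = f"{path}/{child.get('name')}"
            if child.get("value") is not None:
                out[here] = child.get("value")
            walk(child, here)
    walk(ET.fromstring(prefs_xml), "")
    return out

def audit(accounts_xml, prefs_xml):
    """Return findings as 'key=got (expected want)' strings; an empty list means compliant."""
    findings = []
    for name, settings in account_settings(accounts_xml).items():
        for key, want in REQUIRED_ACCOUNT.items():
            got = settings.get(key, "<missing>")
            if got != want:
                findings.append(f"{name}: {key}={got} (expected {want})")
    prefs = flatten_prefs(prefs_xml)
    for key, want in REQUIRED_PREFS.items():
        got = prefs.get(key, "<missing>")
        if got != want:
            findings.append(f"{key}={got} (expected {want})")
    return findings
```

Calling audit(sample_accounts_xml(), sample_prefs_xml()) reports the three weak defaults (opportunistic TLS, plaintext auth allowed, IM logging on); audit(sample_accounts_xml("require_tls", "0"), sample_prefs_xml("0")) returns an empty list.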
ADDING A BUDDY AND TESTING:
On your Buddy List window, go to Buddies/Add Buddy:
Add the Buddy’s user name under “Buddy’s Username.” This will be info you get from the person you’re trying to contact. It will be in the form of TheirUserName@domain.com (or .net or whatever.) If they’re on Rayservers, it will be TheirUserName@jabber.rayservers.com
We’ve actually got a few volunteers who have set up TEMPORARY THROW-AWAY TEST ADDRESSES FOR YOU TO TEST THIS WITH US. For a limited time, when we’re online, we’ll accept requests, type a little with you to confirm that it’s working, and then delete you as a contact. We do this for free, because we’re the Feens, and we care about Freedom.
You can try any of these test addresses; one of us should be online:
And you’re welcome. Please note, we will not accept file transfer tests, just text chat tests.
So, add your buddy’s username (with domain) or our test address. You can add an alias if you’d like, but it’s optional (like a person’s nickname if their username is a bunch of random letters and numbers). Then click “Add.”
If they’re offline, they will appear grayed out:
It will also appear grayed out at first if they are online, but in that case, within about 30-60 seconds, the gray dot will turn green to show that they are available.
You can ONLY communicate using OTR when both parties are online. If the other party is online and has their status set to “Available” (which is the default), they will appear as a green dot:
To initiate chatting with them, double click on their green dot in your Buddy List. This will open up a chat window:
You’re still not chatting securely. Note that it says “Not Private” in the bottom right, above the chat area. You need to click on the OTR icon near the top right, and click “Start Private Conversation”:
It will say “attempting to start conversation”, and then within several seconds, you’ll be secure, and it will say “Private” in the bottom right.
(If it already says Private, then click on the OTR icon near the top right, and click “Refresh Private Conversation”)
Note that you are now OTR and encrypted, but not yet Authenticated (verified). Authenticating is proving that you are talking to who you think you’re talking to. You only have to verify a user once. You both authenticate each other. This is done by typing a text request with a question/answer response that only the other person would know. This is best done while in the same room in person, or on the phone, so you know by the voice that you’re talking to who you think you’re talking to. Even better is doing it with a person you know in real life, where you both share a secret that only you each would be able to answer.
To Authenticate, click on OTR/Authenticate Buddy:
You’ll get this window where you are to type a question and an answer. The answers are case sensitive:
Your buddy will get this message, and should choose “Authorize”:
You’ll get this message while you’re waiting for your buddy to answer your secret question:
And this message once they’ve successfully answered:
Hit “OK”, and you’ll be prompted to do the same process in the other direction:
You should. Authentication is a two-way street.
KEEPING THINGS PRIVATE
If set up properly, as in this tutorial, Pidgin OTR is secure if you do a few things:
1. Refresh your conversation every half-hour or so. Do this by clicking on OTR in the top right of a chat window, and click on “Refresh Private Conversation.”
In addition to the OTR menu in the chat window, you can click the “Not Private” button to initiate private chat, refresh private conversation, authenticate buddy, etc.
2. Keep your computer free of spyware and key-logging bullshit. This is obvious, but even though the conversation over the Internet is encrypted, if someone is logging your keystrokes on your computer (or over your network, if you’re in a corporate environment), they’re going to see what you’re typing. The same is true if they are taking screenshots of what you’re seeing on the screen. The best way to avoid this is to use Linux and never click on anything you don’t need or understand. Second best is using Windows with anti-spyware and anti-virus software, keeping up to date and running scans, and never clicking on anything you don’t need or understand.
It can be useful to have hidden motion-sensing cameras in your computer area, uploading encrypted to a non-public web folder. This is not only useful if you’re robbed, it’s also useful if someone does a “sneak and peek” where they break in while you’re gone, and without leaving a trace, physically add keylogging software to your computer. Most anti-virus programs have deals with governments to NOT detect government keylogging software and backdoors, so cameras could be the only way you’d know that this had happened. The Feens will be doing a tutorial on security cameras in the future.
True Freedom Feens never click on anything we don’t need or understand. Many people will, but that’s not how or why we use computers. We use computers for communication, real communication, two-way with people we know, and one-way to the world. But this is not the way most people use computers. The way most people use computers is more like running naked through the town square yelling “LOOK AT ME! INTERACT WITH ME! TOUCH ME! LOOK AT THIS CUTE CAT PHOTO! LOOK HOW THE GOVERNMENT IS HARMING YOU, BUT DON’T TAKE ANY PRECAUTIONS TO PROTECT YOURSELF! AND LOOK AT THIS OTHER CUTE CAT PHOTO!”
Doing this is not wise, but most people do it. If you do, please re-think it, you’re putting yourself in constant danger of everything from spam to blackmail to arrest.
3. Have an anti-rubber hose decryption “I’m in trouble” secret phrase with people you know, and establish this phrase when you know you’re secure, that is, you know there’s no one holding a (literal or figurative) gun to either of your heads. What this means: With Pidgin OTR, you can be absolutely sure you’re talking to the COMPUTER of the person you think you’re talking to. But if that computer is seized by authorities, they could log in and chat as your friend and try to trick you into giving up information. Or, authorities or some other criminal gang could kidnap your good childhood friend, and threaten him/her with incarceration or torture and make them chat with you via Pidgin OTR and trick you into giving up some detail you would only give that friend.
You should have a pre-planned innocuous-sounding crypto-safeword to use if you’re typing under duress. Like calling the person “bro” if you never do, or saying “what up?” or using the word “indubitably”... basically anything you would never normally say. Don’t use those examples, find your own. Protecting your friends against being tricked by someone typing on your computer would be harder, but perhaps you could also have some pre-planned innocuous-sounding phrase you ALWAYS use.
For total safety, you should have a different phrase with each person you do OTR with. This could get complicated to remember, which is one more reason to not have a lot of people you do OTR with, keep OTR for real friends, and use PGP e-mail for everyone else.
4. CLOSE YOUR CONVERSATION WHEN YOU’RE DONE. And if you’re talking about particularly sensitive information, do that anyway every half-hour or so and start a new conversation. OTR Pidgin does not log chats internally when set up as above. But as long as you have a chat window open, if someone kicked in your door and your computer was still on with a Pidgin conversation open, they could scroll up and see both sides of the conversation. Close a conversation by going to Conversation/Close in the chat window. Once that is gone, the only record of what you’ve said is in your head and in the head of the other person.
Note: BOTH sides have to close the conversation to have it fully gone. Closing it on your end still leaves a record of it on the other person’s side until they close it too!
PIDGIN TIPS AND TRICKS
You can have two or more secure conversations with two or more different people at the same time, but there is no way to have a three-way or more-way secure conversation in Pidgin.
When you add a second conversation, it will open up in a second tab, like this:
You will have to close each one separately to leave no record.
While in a conversation, you can send a file to another authorized Pidgin buddy, but this is NOT secure, per the readme, so we do not recommend it. Lines 237 & 238 of the README file in the current source code say:
“This plugin only attempts to protect instant messages, not multi-party chats, file transfers, etc.”
Pidgin, by default, makes a lot of notification sounds. It lets you know things like when a buddy goes online, when someone changes their availability status, when they try to start a conversation with you, and when they send you a new message. The noises are useful, and they’re rather pretty sounds. I got used to it really fast. But if you’d rather not hear them, you can turn them off. In your Buddy List, go to Tools/Preferences/Sounds, and turn off what you don’t want to hear:
Sometimes having people constantly pinging you with Pidgin can interrupt your workflow, or your life flow. lol. But you can set yourself as “not available” by clicking on the green “Available” button at the bottom of your Buddy List window and changing the status:
As white-hat hacker god Smuggler said in his interview on Anarchy Gumbo, “Security is a process, not an event.” It’s something you need to constantly work toward improving and perfecting. But using Pidgin OTR is a great start, and it’s kind of neat to be able to install something in under an hour that the biggest governments in the world cannot crack. Using Pidgin OTR gives you security that was only available to the CIA, MI6 and KGB not that long ago, and it’s free.
There’s really no reason NOT to use OTR. And get your friends to use it. Encryption used to be considered “munitions”, and it really is like guns in a few ways. One way is that the more people using encryption, the harder it is to stop, and the less “odd” casual use seems.
Footnote 1: regarding my use of the phrase “the PC jail” for Windows, Richard Stallman, the inventor of the GNU part of GNU/Linux, said when Steve Jobs died “I’m not glad he’s dead, but I’m glad he’s gone. Steve Jobs made jail cool.”
My feeling is this: I know PCs are a jail too, but I get really irked with people who are religious about Macs but hate PCs. One is not “freer” than the other. They’re both jails because they have too many rules, try to keep you in their “pen”, and actually cooperate with governments in a way that can LITERALLY get you put in real jail for doing things that do not aggress against anyone. I look at it this way: Apple is like tyrannical Democrats, Microsoft is like tyrannical Republicans, and GNU/Linux is freedom-loving libertarians/anarchists. That is, anyone who is arguing the value of the Apple jail over the PC jail is a total sheepish statist. And the only real argument is for GNU/Linux. Though I tend to write tutorials for PC, because of the large installed user base. And Linux users are smart enough that they don’t need my help. lol.