Secret AIM Man -- OTR Tutorial
#1 (permalink)
Linux Lobbyist
A lot of people are aware of PGP/GnuPG for secure e-mail, but even some of those people who use GPG seem to forget that their IM conversations are wide open for anyone "in the middle" to read in clear text. If you are using Pidgin or Kopete, there is an easy way to stop the looky-loos from reading your scandalous IM conversations with your girlfriend's best friend.

It's called OTR, or "Off The Record" encryption, and was developed a few years ago as an entry to a contest by two Berkeley grad students. Both Pidgin and Kopete can utilize it via a plugin. (OTR is not to be confused with the regular "encryption" plugin.) OTR is better than the regular encryption plugin because it affords you plausible deniability, which means even if your keys are compromised no one can prove it was you who sent the messages. However, during the conversation the person on the other end can be assured it is you who is sending the messages. You can read more here. This plugin will work with almost any IM protocol (AIM, MSN, Yahoo, Jabber, etc.).

As I said, this is available in Pidgin and Kopete as a plugin (it seems most distros are building Pidgin and Kopete with the plugin already included - this is the case with Kopete on Kubuntu 9.04). If you don't have the plugin, you can easily install it from your distro's package manager. Mac users can also utilize OTR through the IM client "Adium." Windows users must rely on Trillian or Miranda.

Now I will provide a few screenshots to illustrate how to get it set up in Kopete, but the setup works almost the same way on Pidgin. First, on the Kopete main screen, click "Settings" and then "Configure." The following screen will pop up:

Now click on the "Plugins" button on the left. You will see "OTR" in the list. Now click on the little "wrench" icon next to it and the following window will pop up:

Now you need to generate yourself a key. All you have to do is hit the "generate" button and wait a few seconds. When done, you should see a key fingerprint like the one listed in the above pic. This will generate a strong AES-256 key (which is much better than the weaker RC4 and RSA algorithms typically used in such encryption like SSL). Now you can set your preferences in the little box below the key fingerprint.

I keep mine set to "opportunistic," which means that an OTR session will automatically start if my contact is also using OTR. If you are sure who you are talking to, then you can automatically accept their key. If you're not sure, then tell them to call you on the phone for identification and then have them read back the key fingerprint they sent. Again, this is only if you are paranoid.

Now, here is an example of a chat window:

As you can see, I am talking to a guy I made up, "Ocn rulez," just for illustration. You can see the OTR icon on the top right. You can simply click on that icon to start an OTR session. That's it.

Disadvantages:

Since 90% of people use Windows, this means 90% of people on your contact list probably won't be able to use OTR. Or if they do, they will have to use Trillian or Miranda as their IM client (or they could use the Windows version of Pidgin). Since almost everyone on my contact list uses Windows and since none of them use Trillian or Miranda, I am stuck with non-encrypted conversations. I am sure many people can relate to this. I have tried to tell some of them to get Trillian, but most people are stubborn and have already become used to their IM client. Moreover, the Trillian client is still having some bugs to iron out with OTR from what I have read, thus there is no easy solution for using OTR when talking to Windows users. You will probably be stuck only being able to use OTR with other Linux/BSD or Mac users unless you can convince your Windows contacts to switch clients.

A second disadvantage is that OTR will not allow group conversations or encrypted file transfers. However, both of these features are being planned.

Any Linux users here are welcome to add me to their AIM contacts. My screen name is in the above screenshots, or you can get it in my OCN profile.
Last edited by thiussat : 06-30-09 at 02:33 AM
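The fingerprint read-back mentioned in the post above, as an added example that is not part of the original post or of any OTR client's code: it lists contacts whose keys were accepted without verification and checks a fingerprint read over the phone against the stored one. The store layout (tab-separated contact, account, protocol, 40-hex-digit fingerprint, trust) is an assumption modelled on libotr-style fingerprint files, and every name and fingerprint in the sample is constructed.

```python
import hmac

# Constructed sample store (assumed layout, see lead-in); all values are made up.
SAMPLE_STORE = (
    "ocnrulez\tmyaimname\tprpl-aim\t"
    "3f2a9c0e5b7d41668a1c0f9e2d4b6a8c7e5f3a1b\tverified\n"
    "newbuddy\tmyaimname\tprpl-aim\t"
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334\t\n"
    "jabberpal\tme@example.org\tprpl-jabber\t"
    "0011223344556677889900aabbccddeeff001122\tsmp\n"
)

def normalize(fp):
    """Drop grouping characters and case so spoken and stored forms compare equal."""
    cleaned = "".join(ch for ch in fp if ch not in " :-\t").lower()
    if len(cleaned) != 40 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fp)
    return cleaned

def parse_store(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        contact, account, protocol, fp = fields[:4]
        trust = fields[4].strip() if len(fields) > 4 else ""
        entries.append({"contact": contact, "account": account,
                        "protocol": protocol, "fingerprint": normalize(fp),
                        "trust": trust})
    return entries

def unverified(entries):
    """Contacts whose key is stored but was never verified (empty trust field)."""
    return [e["contact"] for e in entries if not e["trust"]]

def matches_readback(entries, contact, spoken):
    """True only if the fingerprint read aloud equals the stored one for contact."""
    want = normalize(spoken)
    return any(e["contact"] == contact and
               hmac.compare_digest(e["fingerprint"], want) for e in entries)

if __name__ == "__main__":
    store = parse_store(SAMPLE_STORE)
    print("never verified:", unverified(store))
    print(matches_readback(store, "ocnrulez",
                           "3F2A9C0E 5B7D4166 8A1C0F9E 2D4B6A8C 7E5F3A1B"))
```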
#2 (permalink)
New to Overclock.net
Thanks for the info.
+1