Secure Chat

We are creating this guide for Windows, but the concept is the same for any operating system.

OTR (Off-the-Record Messaging) is a protocol that allows users of instant messaging or chat tools to have conversations that are confidential. In this guide, you will learn how to use OTR with Pidgin, a free and open source instant messaging client for Windows PC.

Download location:

https://pidgin.im/download/

https://otr.cypherpunks.ca/

Computer requirements: An internet connection, a computer running Windows XP or higher, and an XMPP (Jabber) account.  (If you need an XMPP account to practice with, a list of free servers and instructions on how to register is available at https://xmpp.net/directory.php)

Versions used in this guide: Windows 7 Ultimate; Pidgin 2.10.9, pidgin-otr 4.0.0-1

License: Free Software; mix of Free Software licenses

Other reading: https://pidgin.im/cgi-bin/mailman/listinfo/support

Level: Beginner

Time required: 20 minutes

What is OTR?

OTR (Off-the-Record Messaging) is a protocol that allows people to have confidential conversations using the messaging tools they’re already familiar with.

OTR provides this security by:

  • encrypting your chats end to end, so that only you and the person you are chatting with can read them
  • giving you a way to make sure that the person you are chatting with really is that person
  • preventing the server from reading or logging the content of your conversations (it can still see who is talking to whom, and when)

OTR also uses fresh, short-lived keys for each conversation, so someone who obtains your long-term key later cannot decrypt conversations that were recorded earlier (forward secrecy).

This should not be confused with Google’s “Off the record,” which merely disables chat logging and does not have encryption or verification capabilities. While there are several ways to use OTR on Microsoft Windows, we have found the most consistent and easy-to-use tool to be the Pidgin chat client with the pidgin-otr plugin.

Pidgin, the instant messaging client this guide uses, logs conversations to disk by default; you can disable this under Tools > Preferences > Logging. That said, you do not have control over the person with whom you are chatting: she could be logging or taking screenshots of your conversation even if you yourself have disabled logging.

Jitsi can be used as a replacement for Pidgin. As well as being able to use Jitsi for secure text chat (including with Pidgin users), you can also use it to have secure voice and video communications with other Jitsi users. Jitsi is available for Microsoft Windows, GNU/Linux, Mac OS and more.

Both Pidgin and OTR are available for Microsoft Windows and for GNU/Linux. Another multi-protocol IM program for Microsoft Windows that supports OTR is Miranda IM. For the Mac OS you can use Adium, a multi-protocol IM program that supports the OTR plugin.

Pidgin also allows you to do out-of-band verification to make sure that you’re talking to the person you think you’re talking to and are not being subjected to a man-in-the-middle (MITM) attack. For every conversation, there is an option that will show you the key fingerprints it has for you and the person with whom you are chatting. A “key fingerprint” is a short string of hexadecimal characters, like “342e 2309 bd20 0912 ff10 6c63 2192 1928,” that stands in for a much longer public key; OTR fingerprints are 40 hexadecimal characters, shown in five groups of eight. Exchange your fingerprints through another communications channel, such as Twitter DM or email, to make sure that no one is interfering with your conversation. The second channel only helps if someone who can tamper with your chat connection cannot also tamper with it, so comparing fingerprints in person, or over a phone call in which you recognize the other person’s voice, is stronger than a DM or an email. Compare all 40 characters, not just the first few.

Limitations: When Should I Not Use Pidgin + OTR?

Technologists have a term to describe when a program or technology might be vulnerable to external attack: they say it has a large “attack surface.” Pidgin has a large attack surface. It is a complex program which has not been written with security as a top priority. It almost certainly has bugs, some of which might be used by governments or even big companies to break into computers that are using it. Using Pidgin to encrypt your conversations is a great defense against the kind of untargeted dragnet surveillance that is used to spy on everyone’s Internet conversations, but if you think you will be personally targeted by a well-resourced attacker (like a nation-state), you should consider stronger precautions, such as PGP-encrypted email – Read our Guide.

Getting Pidgin

You can get Pidgin on Windows by downloading the installer from the Pidgin download page. Click on the purple DOWNLOAD tab; you’ll be taken to the download page. Don’t click the green Download Now button, because you’ll want to choose a different installer file.

The default installer for Pidgin is small because it doesn’t contain all the components and instead downloads them for you. This sometimes fails, so you will have a better experience with the “offline installer”, which contains all the necessary installation material. Click the “offline installer” link. You will be taken to a new page titled “Sourceforge” and, after a few seconds, a small popup will ask whether you want to save a file.

Note that while Pidgin’s download page uses HTTPS and is therefore relatively safe from tampering, the website it directs you to in order to download the Windows version of Pidgin is currently Sourceforge, which uses unencrypted HTTP and therefore offers no protection. That means the software you download could be tampered with before it reaches you. This risk would mostly come from either someone with access to the local Internet infrastructure attempting to conduct targeted surveillance against you personally (for instance a malicious hot-spot provider), or a state or government planning to distribute compromised software to many users. The HTTPS Everywhere extension can rewrite Sourceforge download URLs to HTTPS, so it’s recommended you install HTTPS Everywhere before downloading any other software. HTTPS only protects the file while it is in transit; if the project publishes a checksum or signature for the installer, compare the downloaded file against it, taking the published value from the project’s own HTTPS page rather than from the download site. Additionally, in our experience, Sourceforge often has confusing full-page ads on its download pages that can trick people into installing something they may not want to. You can install an ad blocker before any other software to avoid these confusing ads.

Remember to think about your threat model before you download files from unprotected websites.
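The practical check behind the warning above is to compare the downloaded installer against a digest the project publishes, obtained over HTTPS from a place the download site’s attacker cannot also rewrite. The following is an added example written for this guide; it is not code from the original page or from the Pidgin project. It assumes you have such a published SHA-256 value; the digests used in its demo are computed from constructed bytes that stand in for an installer, not from a real Pidgin file.

```python
"""Check a downloaded installer against a published SHA-256 digest.

Added example for this guide; not code from the original page or from the
Pidgin project. The digest to compare against must come from somewhere the
download site's attacker cannot also rewrite (the project's HTTPS page or a
signature file), never from the same unencrypted HTTP download page.
"""
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks so a large offline installer never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(published):
    """Accept the forms checksum files usually take: bare hex, 'sha256:<hex>',
    or sha256sum output '<hex>  filename', in any case and with stray
    whitespace. Reject anything that is not exactly 64 hex digits, so a
    truncated or mangled value can never "match"."""
    token = published.strip().split()[0].lower()
    if ":" in token:
        token = token.split(":", 1)[1]
    if len(token) != 64 or not set(token) <= HEX:
        raise ValueError("not a SHA-256 hex digest: %r" % published)
    return token


def verify_download(path, published):
    """True only if the file's digest equals the published one. compare_digest
    is a constant-time comparison; timing is irrelevant here, but using it by
    habit means the same helper is safe where it does matter."""
    return hmac.compare_digest(sha256_of_file(path), normalize_digest(published))


def demo():
    """Write a constructed stand-in for an installer (these bytes are not
    Pidgin) and check it against a correct, a reformatted and a tampered digest."""
    data = b"MZ" + b"\x00" * 1022 + b"constructed installer payload"
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    try:
        good = hashlib.sha256(data).hexdigest()
        bad = ("0" if good[0] != "0" else "1") + good[1:]   # first hex digit altered
        return {
            "published digest matches": verify_download(path, good),
            "sha256sum line, upper case": verify_download(
                path, good.upper() + "  pidgin-2.10.9-offline.exe\n"),
            "one altered hex digit": verify_download(path, bad),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-28s %s" % (name, "OK" if ok else "MISMATCH"))
```

In practice you would call verify_download on the file in your Downloads folder with the value copied from the project’s page; a False result means the installer should be deleted and fetched again, ideally from a different network.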

Many browsers will ask you to confirm whether you want to download this file. Internet Explorer 11 shows a bar at the bottom of the browser window with an orange border. For any browser, it is best to first save the file before proceeding, so click the “Save” button. By default, most browsers save downloaded files in the Downloads folder.

Getting OTR

You can get pidgin-otr, the OTR plugin for Pidgin, by downloading the installer from the OTR download page. Click the “Downloads” tab to be taken to the “Downloads” section of the page, then click the “Win32 installer for pidgin” link.

As with Pidgin, your browser will ask you to confirm the download; click “Save” so the file lands in your Downloads folder.

After downloading Pidgin and pidgin-otr you should have two new files in your Downloads folder: pidgin-2.10.9-offline.exe and pidgin-otr-4.0.0-1.exe.

Installing Pidgin

Keep the Windows Explorer window open and double-click on pidgin-2.10.9-offline.exe.

You’ll be asked if you want to allow the installation of this program. Click the “Yes” button.

A small window opens asking you to select a language. Click the “OK” button.

A window opens up giving you a quick overview of the installation process.

Click the “Next” button.

Now you get a license overview. Click the “Next” button.

Now you can see what different components are installed. Don’t change the settings.

Click the “Next” button.

Now you can see where Pidgin will be installed. Don’t change this information.

Click the “Next” button.

Now you’ll see a window with scrolling text until it says “Installation Complete.”

Click the “Next” button.

Finally, you’ll see the last window of the Pidgin installer.

Click the “Finish” button.

Installing pidgin-otr

Go back to the Windows Explorer window and double-click on pidgin-otr-4.0.0-1.exe. You’ll be asked if you want to allow the installation of this program. Click the “Yes” button.

A window opens up giving you a quick overview of the installation process.

Click the “Next” button.

Now you get a license overview. Click the “I Agree” button.

You will see where pidgin-otr will be installed. Don’t change this information.

Click the “Install” button.

Finally, you’ll see the last window of the pidgin-otr installer. Click the “Finish” button.

Configuring Pidgin

Click the Windows icon to open the Start menu and select Pidgin from the menu.

Adding an Account

When Pidgin launches for the first time, you will see a welcome window giving you an option to add an account. Since you don’t have an account configured yet, click the “Add” button.

Now you’ll see the “Add Account” window. Pidgin is able to work with many chat systems, but we’ll focus on XMPP, formerly known as Jabber.

If you do not have an XMPP account yet, you need one before continuing. We recommend https://chatme.im/, but there are lists of other XMPP servers; pick one that is actively maintained and lets you register an account, or try riseup.net. Once you have created an account, continue with the steps below.

At the Protocol entry, select the “XMPP” option.

At the Username entry, enter your XMPP username.

At the Domain entry, enter the domain of your XMPP account.

At the Password entry, enter your XMPP password.

Checking the box by the “Remember password” entry will make accessing your account easier. Be aware that by clicking “Remember password,” your password will be saved on the computer; Pidgin stores saved passwords unencrypted in its accounts.xml file, so anyone who can read your files, or a backup of them, can read the password. If this is a concern, do not check this box. You will then be required to enter your XMPP account password every time you start Pidgin.

Adding a Buddy

Now you will want to add someone to chat with. Click the “Buddies” menu and select “Add Buddy.” An “Add Buddy” window will open.

At the “Add Buddy” window, you can enter the username of the person you want to chat with. This other user does not have to be on the same server, but does have to use the same protocol, such as XMPP.

At the “Buddy’s username” entry, enter your buddy’s username with the domain name. This will look like an email address.

At the “(Optional) Alias” entry, you can enter a name of your choice for your buddy. This is entirely optional, but can help if the XMPP account of the person you are chatting with is hard to remember.

Click the “Add” button.

Once you have clicked the “Add” button, your buddy (Boris, in this guide’s example) will get a message asking whether he authorizes you to add him. Once Boris does, he adds your account and you will get the same request. Click the “Authorize” button.

Configuring the OTR Plugin

Now you will configure the OTR plugin so you can chat securely. Click the “Tools” menu and select the “Plugins” option.

Scroll down to the “Off-the-Record Messaging” option, and check the box. Click on the “Off-the-Record Messaging” entry and click the “Configure Plugin” button.

Now you will see the “Off-the-Record Messaging” configuration window. Notice that it says “No key present.” Click the “Generate” button.

Now a small window will open and generate a key. When it is done, click the “OK” button.

You’ll see new information: a 40 character string of text, broken up into 5 groups of eight characters. This is your OTR fingerprint, the value you will later compare with your buddy out of band. The same window holds the plugin’s default settings: leave “Enable private messaging” checked, and consider also checking “Require private messaging” (so that Pidgin will not send messages in the clear while a private conversation has not been established) and “Don’t log OTR conversations.” Click the “Close” button.

Now click the “Close” button on the Plugins window.

Chatting Securely

You are now able to chat with Boris. The two of you can send messages back and forth. However, you are still not chatting securely. Even if your connection to the XMPP server is encrypted, the server itself can read, store or alter your messages, and so can anyone who has compromised it or sits between you and Boris; only OTR encrypts the messages end to end, and only verification tells you that the other end is really Boris.

If you look at the chat window, notice that it says “Not private” in red on the bottom right. Click the “Not private” button. A menu will open up; select “Authenticate buddy.”

A window will open up. You are asked: “How would you like to authenticate your buddy?” The drop-down has three options:

Shared Secret

A shared secret is a line of text you and the person you want to chat with have agreed to use ahead of time. You should have shared this in person and never have exchanged it over insecure channels such as email or Skype. You and your buddy need to enter this text at the same time. Click the “Authenticate” button.

The shared secret method is useful if you and your buddy arranged ahead of time to chat in the future, before either of you had an OTR key on the computer you are now using, so that there was no fingerprint to exchange.

Manual Fingerprint Verification

Manual fingerprint verification is useful if you were already given your buddy’s fingerprint and are now connecting with Pidgin. This will not be useful if your buddy changed computers or had to create new fingerprints, because the fingerprint belongs to the key on that particular computer.

If the fingerprint you were given and the fingerprint on the screen match, select “I have” and click the “Authenticate” button.

Question and Answer

Question and answer verification is useful if you know your buddy but have not established a shared secret nor had a chance to share fingerprints. This method establishes verification based on something both of you know, like a shared event or memory.

Enter the question you want to ask. Don’t make it so simple that someone can guess it easily, but don’t make it impossible. An example of a good question would be “Where did we go for dinner in Minneapolis?” An example of a bad question would be “Can you buy apples in Tokyo?”

The answers must match exactly, so keep that in mind when choosing an answer to your question. Capitalization, spaces and punctuation all matter, so you might add a hint to the question itself, for example “(all lower case, no punctuation)”.

Enter the question and answer, then click the “Authenticate” button. Your buddy will see a window with the question displayed, asking for the answer. They will have to answer and click the “Authenticate” button. Then they will receive a message letting them know whether the authentication was successful. Once your buddy has completed the authentication procedure, you will get a window letting you know the authentication succeeded.

Your buddy should also verify your account, so that both of you can be sure that the communication is secure. In our example, Akiko and Boris each verify the other. Once both have done so, notice the green “Private” icons in the lower right of the chat window.
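Both the “Shared Secret” and the “Question and Answer” methods above run the same exchange underneath, the Socialist Millionaire Protocol (SMP): each side learns whether the two secrets are equal without either revealing its own, and OTR mixes both fingerprints into the secret so that a correct answer also confirms the keys in use. The following is an added example written for this guide, not code from the original page, from pidgin-otr or from libotr. It keeps the real protocol’s group (RFC 3526 group 5) and secret derivation but omits the zero-knowledge proofs the real protocol attaches to every transmitted value; the fingerprints, session id and answers are constructed stand-ins.

```python
"""Socialist Millionaire Protocol (SMP), the exchange behind pidgin-otr's
"Shared Secret" and "Question and Answer" authentication.

Added example for this guide; not code from the original page, pidgin-otr or
libotr. Real-protocol arithmetic (RFC 3526 group 5, OTR's secret derivation),
but the zero-knowledge proofs on each transmitted value are omitted, so this
shows how the equality test works rather than being a usable implementation.
"""
import hashlib
import secrets

# 1536-bit MODP prime from RFC 3526 (group 5), the group OTR uses for SMP.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2   # P is a safe prime; Q is the order of the subgroup generated by 2
G1 = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used to sanity-check the hard-coded group before trusting it."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def smp_secret(initiator_fp, responder_fp, ssid, answer):
    """OTR never compares the typed answer directly. Each side computes
    x = SHA-256(0x01 || initiator fp || responder fp || session id || answer)
    from the fingerprints *it* sees, so a matching answer also confirms that
    both sides see the same keys. Bytes matter: "Lucia's" != "lucia's"."""
    h = hashlib.sha256(b"\x01" + initiator_fp + responder_fp + ssid)
    h.update(answer.encode("utf-8"))
    return int.from_bytes(h.digest(), "big")


def _rand():
    return secrets.randbelow(Q - 1) + 1


def _div(a, b):
    return a * pow(b, -1, P) % P


def smp_run(x, y):
    """Alice holds x, Bob holds y. Returns (alice_ok, bob_ok); both are True
    exactly when x == y, and neither side learns the other's secret."""
    a2, a3 = _rand(), _rand()                              # Alice, step 1
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)
    b2, b3, r = _rand(), _rand(), _rand()                  # Bob, step 2
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)
    g2_b, g3_b = pow(g2a, b2, P), pow(g3a, b3, P)          # shared g2, g3 (Bob's view)
    pb = pow(g3_b, r, P)
    qb = pow(G1, r, P) * pow(g2_b, y, P) % P
    g2_a, g3_a = pow(g2b, a2, P), pow(g3b, a3, P)          # Alice, step 3 (same g2, g3)
    s = _rand()
    pa = pow(g3_a, s, P)
    qa = pow(G1, s, P) * pow(g2_a, x, P) % P
    ra = pow(_div(qa, qb), a3, P)
    rb = pow(_div(qa, qb), b3, P)                          # Bob, step 4
    bob_ok = pow(ra, b3, P) == _div(pa, pb)                # g2^((x-y)*a3*b3) must be 1
    alice_ok = pow(rb, a3, P) == _div(pa, pb)              # Alice, step 5
    return alice_ok, bob_ok


def authenticate(alice_answer, bob_answer, mitm=False):
    """Akiko (Alice, initiator) and Boris (Bob) each derive their secret and run
    SMP. Fingerprints and session id are constructed stand-ins, not real OTR
    keys. With mitm=True, Boris's session is really with an attacker, so the
    fingerprint he sees for "Akiko" is the attacker's: even a correct answer
    then fails, which is exactly what the fingerprint binding is for."""
    fp_akiko = hashlib.sha1(b"constructed: Akiko's DSA key").digest()
    fp_boris = hashlib.sha1(b"constructed: Boris's DSA key").digest()
    fp_attacker = hashlib.sha1(b"constructed: attacker's DSA key").digest()
    ssid = b"\x00" * 8
    x = smp_secret(fp_akiko, fp_boris, ssid, alice_answer)
    y = smp_secret(fp_attacker if mitm else fp_akiko, fp_boris, ssid, bob_answer)
    return smp_run(x, y)


if __name__ == "__main__":
    print(authenticate("Lucia's", "Lucia's"))             # (True, True)
    print(authenticate("Lucia's", "lucia's"))             # (False, False)
    print(authenticate("Lucia's", "Lucia's", mitm=True))  # (False, False)
```

The second call is why the guide says answers must match exactly: the answer is hashed, so a different capital letter yields an unrelated secret. The third call shows why this method, unlike simply telling each other the answer in chat, defeats a man in the middle: the attacker can relay the question and even know the answer, but cannot make both sides hash the same fingerprints.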

Working with Other Software

The mechanisms to verify authenticity should work between different chat software such as Jitsi, Pidgin, Adium, and Kopete. You are not required to use the same chat software to chat over XMPP and OTR, but sometimes there are errors in the software. Adium, a chat client for OS X, has an error receiving the Question and Answer verification. If you find that verifying others is failing for you when you are using Question and Answer verification, check whether they are using Adium and see if you can use another verification method.

From: https://ssd.eff.org/en/module/how-use-otr-windows

This guide is adapted from the EFF’s Surveillance Self-Defense site, which has several other guides.