Secure Instant Messaging with Pidgin plus OTR

26 Jul 2013

Pidgin is a free, open source messaging client that brings all your IM accounts together so you can easily chat with friends on many different networks. It offers much greater security than most other messaging clients, particularly when used with the OTR plugin, and also supports a large number of third-party plugins that extend its functionality.

Pidgin is a client that brings all your Instant Messaging accounts together, so to use it you need one or more IM accounts. Pidgin won’t let you chat across IM services (i.e. you cannot chat to someone on AIM using your Google Hangouts account), but it does let you manage multiple accounts at the same time. The following IM services are supported:

AIM, Bonjour, Gadu-Gadu, Google Hangouts (was Google Talk), Groupwise, ICQ, IRC, MIRC, MSN, MXit, MySpaceIM, QQ, SILC, SIMPLE, Sametime, Yahoo!, and Zephyr.

The OTR (Off-the-Record) plugin was specifically developed for Pidgin, although the code has now been incorporated into a number of other clients (see below), and allows you to have secure private conversations by offering:

  • Encryption – using AES encryption and the SHA-1 hash function, so no one else can read your messages
  • Authentication – to make sure that the person at the other end is who you think they are
  • Deniability – messages are not digitally signed. This means they cannot be checked by a third party once the conversation is finished, and thus cannot be used to prove you made them. During a conversation, however, you are guaranteed that any messages sent or received are authentic and unmodified
  • Perfect Forward Secrecy – we discuss PFS at some length in this article, but it basically means that each conversation is secured individually, so if your keys are compromised, only that one conversation (and not any previous ones) is compromised.
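The four properties above come from how OTR combines its building blocks: a fresh Diffie-Hellman key per session (forward secrecy), counter-mode encryption (confidentiality), an HMAC rather than a signature on each message (authentication that a third party cannot later attribute), and publishing used MAC keys once the session is over (deniability). The following is an added, constructed illustration of that combination and is not OTR's wire protocol or code from the Pidgin or OTR projects: it uses a toy 127-bit DH group and a SHA-256-based keystream in place of OTR's 1536-bit MODP group and AES-CTR so that it runs on the Python standard library alone. Names such as `seal`, `unseal` and `forge_with_revealed_mac_key` are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed): the Mersenne prime 2^127-1 and
# generator 3. Far too small for real use; OTR uses a 1536-bit MODP group.
P = (1 << 127) - 1
G = 3


def ephemeral_keypair():
    """Fresh DH key for one session. Discarding the private half afterwards is
    what gives forward secrecy: a later compromise of the long-term key cannot
    recover this session's shared secret."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def session_keys(my_priv, their_pub):
    """Derive an encryption key and a MAC key from the DH shared secret.
    OTR derives its MAC key as the SHA-1 of the encryption key; the labelled
    SHA-256 step producing the encryption key here is a constructed simplification."""
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    enc_key = hashlib.sha256(b"enc" + shared).digest()
    mac_key = hashlib.sha1(enc_key).digest()
    return enc_key, mac_key


def keystream(enc_key, counter, length):
    """Counter-mode keystream. OTR uses AES-CTR; SHA-256 in counter mode stands
    in here so the example needs only the standard library."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(enc_key, mac_key, counter, plaintext):
    """Encrypt, then authenticate the ciphertext with HMAC-SHA1. A MAC is not a
    digital signature: both parties hold the key, so neither can later prove to
    a third party which of them produced a given message."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, counter, len(plaintext))))
    tag = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha1).digest()
    return counter, ct, tag


def unseal(enc_key, mac_key, counter, ct, tag):
    """Verify the tag in constant time, then decrypt. Returns None if the
    ciphertext or tag was modified in transit."""
    expected = hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, counter, len(ct))))


def forge_with_revealed_mac_key(mac_key, counter, fake_ciphertext):
    """After a session, OTR publishes the MAC keys it used. Once the key is
    public, anyone can produce a tag that verifies, which is why a saved
    transcript is not evidence that a particular person wrote it."""
    return hmac.new(mac_key, counter.to_bytes(8, "big") + fake_ciphertext, hashlib.sha1).digest()


def demo():
    """One session between two buddies; returns the facts a caller can check."""
    a_priv, a_pub = ephemeral_keypair()
    b_priv, b_pub = ephemeral_keypair()
    a_enc, a_mac = session_keys(a_priv, b_pub)
    b_enc, b_mac = session_keys(b_priv, a_pub)   # both sides derive the same keys

    counter, ct, tag = seal(a_enc, a_mac, 1, b"meet at noon")
    received = unseal(b_enc, b_mac, counter, ct, tag)
    tampered = unseal(b_enc, b_mac, counter, ct[:-1] + bytes([ct[-1] ^ 1]), tag)

    # Session over: both sides discard a_priv/b_priv and the MAC key is revealed.
    forged_tag = forge_with_revealed_mac_key(a_mac, counter, b"never sent this")
    forgery_verifies = unseal(a_enc, a_mac, counter, b"never sent this", forged_tag) is not None
    return {"decrypted": received,
            "tampered_rejected": tampered is None,
            "forgery_verifies": forgery_verifies}


if __name__ == "__main__":
    print(demo())
```

The `demo()` result shows all three behaviours at once: the buddy reads the message, a flipped ciphertext bit is rejected during the conversation, and after the MAC key is revealed a forged message verifies just as well as a real one, so the tag proves nothing to an outsider.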

Pidgin + OTR Alternatives

Pidgin and the OTR plugin are available for Windows and Linux, and Windows users can also try Miranda IM, which also supports the OTR plugin. Mac users have Adium, which has OTR baked in, and users of any platform (Windows, OSX, Linux, iOS or Android) can use Gibberbot. Gibberbot is developed by The Guardian Project, and natively supports OTR.

Setup Pidgin and OTR

1. Follow the links on the Pidgin webpage to download the Pidgin client. Install, but don’t run it (if you do run it then make sure it is closed when you install the OTR plugin).

2. Download and install the OTR plugin.

3. Run Pidgin. When you initially run the program it will ask you to configure your first IM account, so click ‘Add’.


4. Select a service you wish to use, and fill in the required details (which differ slightly for each service). We are going to join Google Talk (which has recently been renamed Google Hangouts). ‘Local Alias’ is simply a nickname, and is optional. When you are done, click ‘Add’.


You should now see all your IM ‘Buddies’ in the ‘Buddies’ list. New ones can be added by going to Buddies -> Add Buddy and following the wizard. If other people might be able to access your PC, you should never tick ‘Remember Password’.


Pidgin is now ready to be used as a regular IM client.

Configure the OTR plugin

Both parties in a conversation must have the OTR plugin installed and enabled. If the person you are sending a message to does not have the plugin installed and enabled, they will receive a message alerting them to the fact, along with a link to the OTR website.


1. Enable the plugin by going to Tools -> Plugins.


Scroll down the list until you see ‘Off-the-Record Messaging’, tick the check box, click on the plugin name, and select ‘Configure Plugin’.


2. Generate a unique private key. To do this, simply hit the big ‘Generate’ button. For maximum security you should first ensure that ‘Automatically initiate private messaging’ and ‘Don’t log OTR conversations’ are ticked.


Once key generation is complete, click ‘OK’, and you will see that you now have a fingerprint (a long string of letters and numbers used to identify a key).


You now have a private key for your account, which will be used to encrypt your conversations. Remember that your buddy must also perform these steps.

3. Start a private conversation. Double-click on the Buddy you want a private conversation with, and you will see the ‘Not Private’ button highlighted in red. Click on this button and select ‘Start private conversation’.


The Conversation screen will now look something like this…


You can now message your contact, and any messages will be private and encrypted. However, you have not yet verified the identity of your buddy (who could be an impostor).

4. Authenticate the identity of your buddy.

There are three ways to authenticate that your Pidgin buddy is who you think he or she is: the ‘Question and Answer’, ‘Shared Secret’ and ‘Manual Fingerprint Verification’ methods. All of them require communicating with your Buddy over a channel other than Pidgin. In person is best, but PGP-encrypted email is another good option. A telephone conversation is often recommended, but thanks to the NSA’s blanket telephone surveillance program, we think this is best avoided.

Click on the OTR menu button and select ‘Authenticate buddy’.


Choose which method you would like to use to authenticate your Buddy.

  • Question and answer – your buddy must answer the question correctly
  • Shared secret – this is typically a pre-arranged password or phrase
  • Manual fingerprint verification – using another form of communication, check that the fingerprints you each see for the other match exactly.

The answers must be exact (including capital letters and spaces) for OTR to accept them.
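Manual fingerprint verification is the one method where you do the comparing yourself, and it only protects you if the whole fingerprint matches: a prefix that agrees, or a single differing digit, means the key is not your buddy's. The snippet below is an added example (not code from Pidgin or the OTR project) of a careful comparison. It assumes the format Pidgin displays, 40 hexadecimal digits in five groups of eight, and accepts the same fingerprint whether it was pasted grouped, typed without spaces, or read out in lower case, while rejecting anything incomplete. The sample fingerprint in the comment is constructed, and the function names are this example's own.

```python
import hmac
import re

# Pidgin shows a buddy's OTR key fingerprint as 40 hex digits in five groups
# of eight, e.g. "0F1E2D3C 4B5A6978 8796A5B4 C3D2E1F0 0F1E2D3C" (constructed sample).
_HEX40 = re.compile(r"^[0-9A-F]{40}$")


def parse_fingerprint(text):
    """Normalise a fingerprint as a person might paste or read it out: drop
    group separators and ignore case. Returns the canonical 40-digit form, or
    raises ValueError if the input is not a complete OTR fingerprint, so that a
    prefix or a typo can never be mistaken for a match."""
    canonical = re.sub(r"[\s:-]", "", text).upper()
    if not _HEX40.match(canonical):
        raise ValueError("not a 40-hex-digit OTR fingerprint")
    return canonical


def fingerprints_match(shown_in_pidgin, received_out_of_band):
    """Compare the fingerprint Pidgin displays for the buddy with the one the
    buddy supplied over the other channel. Both must be complete and identical;
    the comparison is constant-time so that timing reveals nothing about how
    far the two strings agree."""
    try:
        a = parse_fingerprint(shown_in_pidgin)
        b = parse_fingerprint(received_out_of_band)
    except ValueError:
        return False
    return hmac.compare_digest(a.encode(), b.encode())


def format_fingerprint(canonical):
    """Render a canonical fingerprint in the grouped form Pidgin displays."""
    return " ".join(canonical[i:i + 8] for i in range(0, 40, 8))


if __name__ == "__main__":
    mine = "0F1E2D3C 4B5A6978 8796A5B4 C3D2E1F0 0F1E2D3C"   # constructed
    print(fingerprints_match(mine, "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"))  # True
    print(fingerprints_match(mine, "0F1E2D3C 4B5A6978 8796A5B4 C3D2E1F0"))      # False
```

The same exact-match rule the article states for Question and Answer and Shared Secret applies here in reverse: spacing and case are display details of a fingerprint and are normalised away, but every one of the 40 digits must agree.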

Here we used the Shared Secret method.

My Buddy is asked to enter the secret (known only to us).

Following a confirmation message that authentication was successful, we can now continue our conversation privately, secure in the knowledge that my Buddy is in fact my buddy.

Conclusion

Pidgin plus OTR is a lot easier to set up than, say, email with PGP encryption, and ensures that you can have private conversations with authenticated Buddies that are guaranteed to remain private. In use it is very transparent, to the point that you can almost forget it is there, and even without the OTR functionality it is an excellent way to manage your IM contacts and stay in touch over a number of different networks.

Written by Pete Zaborszky
Pete runs Best VPN and wants to get detailed information to the readers. He is dedicated to being the best and providing the highest quality at anything he does. You can also find him on Twitter or Google+.