Today, more than ever, with the release of the recent NSA Spying scandal, the new version of CALEA going forward in Washington, and ever present movement by governments to read into the private messaging of individuals, we all need to get smarter, and use tools that we may have never touched before, to regain the privacy in interpersonal communications across the internet. There are many tools out there, and there are many different ways to achieve the same goals, however, today, I’m going to talk about a few p̶r̶o̶d̶u̶c̶t̶s tools that I use on a daily basis for Instant Messaging (IM) from my Windows 7 computer.
First and foremost, I use Pidgin for all my IM needs. Pidgin is available, for free, to anyone, simply by going to http://pidgin.im/. For those of you who are reading this with limited experience with Free Open Source Software (FOSS), this will be a revelation, that yes, there are free tools out there that allow you to download, install, and use, with no charge, no catch, no penalties. Pidgin is my main tool for chatting inside, and outside of work. It also allows me to have multiple connections to different IM services, as seen by the list that they have on their website:
I’m only using AIM, Google Talk, IRC, MSN, and Yahoo! & also use SIPE, which allows connection to my internal Microsoft Communicator, through the use of the rich plugin architecture built into Pidgin. Pidgin allows developers to build plug-ins, so that you can extend the functionality of the tool, and SIPE, is one of those that works very well, allowing me to use one client to “rule them all” so to speak, with regards to my Instant Messaging. While there isn’t a Pidgin for mobile devices yet, (I’m ever so hopeful), this tool does allow me to have all of my IM contacts available in one tool, where I spend the majority of my day, on my computer. This plugin architecture is critically important for the privacy aspect that I mentioned above, as there is an external plugin that is needed, in order to achieve secure Instant Messaging.
Once you have installed Pidgin, and have gone through the setup of the client, you should easily find how to add your accounts into the tool. Once this is done, and you’ve tested the functionality with your Instant Messaging contacts, it’s time to go private… Now here is the difficult part. If you want to encrypt your communications end to end, the person you’re Instant Messaging with, has to have the same type of encryption. In this write up, we’re talking about the tool called OTR, or Off-The-Record Messaging. OTR supports several IM clients, to date, they’re Pidgin, from the https://otr.cypherpunks.ca/ page, I see that OTR can function with the following IM clients: Pidgin, Adium, Miranda, Kopete, and they also support an AIM proxy. You can read more and view video tutorials on their page
Simply put, adding OTR to pidgin is a trivial windows install, requiring that you specify the location of the installed Pidgin program, (if you changed it from the default when you installed Pidgin), and a restart of the Pidgin application. Once installed, you simply launch Pidgin, go to the Tools menu, select Plugins (or press CTRL-U), in the plugins list, scroll down to Off-the-Record Messaging, put a check in the box to the left of the title, and select the “Configure Plugin” button on the bottom. Inside the plugin’s configuration dialog box, you’ll find two tabs, Config and Known fingerprints.
The config tab has the configuration for your Default OTR settings, as well as the ability to generate private and public key pairs, for use when communicating secure with someone else. You will see your defined IM accounts in a drop down list, and you can select each one, and generate a key. You should only need to generate these keys once per computer, and there are methods to back these keys up, and take them with you, however, I will not be covering that process here. There are many sources of how to do this on the internet, and google is your friend (giyf). If you’d like to know how to do this, bookmark this post, and come back to it later, as I’ve added a google search for the instructions here.
Once you have that setup done, now it’s time to find your friends and get them using one of the OTR supported IM clients, and setup some conversations. I’ve looked through the data that passes through the OTR plugin, and saw that it was completely encrypted, appears as total garbage to whomever is spying on your communications. Bear in mind, that you are responsible for ensuring that your communications are encrypted, and the OTR plugin adds informational messages into your IM window, showing you the status of your communications.
receiving encrypted IM, when you’re not encrypted
setup of encrypted communications and confirmation of encryption
Note, that even though I do not log my OTR conversations, doesn’t mean whomever I’m communicating with, isn’t logging theirs, so it’s no guarantee that your conversations won’t come back to haunt you, but it does encrypt the transport end-to-end to ensure that no one can snoop on the wire.
When you first setup your communications, you’ll receive a notice that your buddy is not “Authenticated”. This page, shows how that authentication can be accomplished. Please use NON IM methods of confirming your identity if you are not sure who you are chatting with. A more full step through process of how to setup and use Pidgin and OTR can be found here. (https://securityinabox.org/en/pidgin_securechat – no affiliation)
Once you’ve got everything working, it’s wonderful to know that your communications cannot be intercepted by your employer, your government, your enemies, or anyone else out to remove your privacy from your communications.
If I have time, I’ll follow up on how to setup some other methods to increase your privacy on the internet. Please stay tuned.
- The FBI wants a backdoor into all communications software(vr-zone.com)
- 28 European Union countries warn US over spying scandal(huffingtonpost.com)
- Cartoon: NSA Spying Scandal(englishblog.com)
- Google’s Eric Schmidt: NSA spying ‘outrageous’(rt.com)
- Encrypt your GTalk / Hangout / Facebook chat(phrozenblog.com)
- Enhance Your Online Security. 7 Encryption Tools to Protect Your Data(maketecheasier.com)
- Technology to Protect Against Mass Surveillance (Part 1)(eff.org)
- It’s 2013. We’re all being spied on. Why do security software websites not use HTTPS?(micahflee.com)
- Avoid PRISM: Change Your Instant Messenger(news.softpedia.com)