OTR stands for “off the record.” It’s a way to have encrypted private instant message conversations online. It uses end-to-end encryption so your network provider, government, and even the instant-messaging service itself can’t see the content of your messages.
This isn’t too hard to set up, although both people will have to use the correct software and go through a quick setup process before your conversations will be encrypted.
How OTR Works
Like all software, OTR isn’t perfect. Any vulnerability in libpurple — the mssaging library used in both Pidgin and Adium — or a vulnerability in the OTR plug-in itself could allow an attacker to compromise your secure session. If the NSA really wanted to snoop on you, it’s possible they already have a way to break OTR.
But OTR has more uses than just hiding your conversations from the NSA. It provides an additional layer of encryption and authentication over AIM, Google Talk, ICQ, Yahoo! Messenger, MSN Messenger,or any other protocol Pidgin or Adium support. This hides what you’re talking about from the instant messaging service you’re using, your Internet service provider, your local network operator, and — in theory — intelligence agencies monitoring your Internet usage.
OTR also provides authentication, so you have some guarantee you’re talking to the actual person. Even if their account were compromised and someone else attempted to talk to you with their screen name, you’d see an error because the encryption information wouldn’t match.
While OTR probably isn’t perfect, it can add some additional privacy if you need to talk about sensitive matters online.
Set Up OTR
OTR is a plug-in for the Pidgin instant messenger. To use it, you’ll need to install Pidgin and the Pidgin-OTR plug-in. Both are available for Windows and should be in your Linux distribution’s software repositories. Mac OS X users will have to use Adium instead.
After installation, launch Pidgin and set up your accounts if you haven’t already. Visit the Tools > Plugins menu and activate the Off-the-Record Messaging plug-in.
Click the Configure Plugin button to view its options. Select the account you want to chat privately with and click the Generate button to create a private key for that specific account. This key will be used to encrypt your messages.
You’ll need to generate keys separately for each account if you want to use OTR with multiple accounts.
If the person you want to talk to doesn’t have OTR set up yet, they’ll need to go through this process on their own computer to set up their software and generate a private key.
Initiate a Private Conversation
Next, open a conversation window with the person you want to talk to. You’ll see an OTR button saying “Not private” if a conversation isn’t secured with OTR. Click the button and select Start private conversation to begin.
You’ll now see a message saying the session is secured with encryption, but that your buddy hasn’t been verified. If this doesn’t work, your buddy likely doesn’t have OTR set up and configured properly.
Authenticate Your Buddy
You’ll now want to authenticate, or verify, your buddy. To start this process, click the OTR button again and select Authenticate buddy.
Select Question and answer, Shared secret, or Manual fingerprint verification. The idea here is that you’re verifying the person you’ve connected to is actually your buddy and not an imposter. For example, you could meet in person ahead of time and choose a secret phrase you’ll use later or ask a question only they would know.
Your buddy will see the authentication prompt and will have to respond with the exact message you typed. It’s case-sensitive.
Once authentication is complete, the status of your conversation will change from Unverified to Private.
Known Key Fingerprints
The OTR plug-in will now remember your buddy’s key fingerprint. The next time you connect to that buddy, it will check that they’re using the same key and automatically verify them. If someone else compromises their account and attempts to connect with a different key fingerprint, you’ll know about it.
Make Future Conversations Private
The plug-in should now automatically initiate a secure conversation with your buddy each time you talk to them.
Note that the first message sent and received in each conversation is sent unencrypted! The secure conversation is only initiated after the message is sent. For this reason, it’s a good idea to start conversations with a quick greeting like “Hi.” Don’t start a conversation with something sensitive, like “Let’s protest at [location]” or by revealing a sensitive business secret.
OTR probably isn’t necessary for the vast majority of conversations, but it provides some additional privacy when you need to talk about something sensitive. It should work well enough, but we should all probably assume there are security holes somewhere in Pidgin or the OTR plug-in that intelligence agencies could take advantage of, just like there are in all pieces of software.
Of course, using OTR will always be more private than talking in clear text! (Unless the NSA begins paying more attention to you when they see you’re using encryption software, which is also a possibility.)