Encrypt messages in Jabber with OTR

Lord777

Recently, there has been increased interest in the topic of secure messengers. Since the most popular modern messengers claiming to be secure are closed, require a mandatory mobile phone number, or, for example, work in a browser, they personally do not inspire much confidence in me. Therefore, today we will talk about a completely open, free, cross-platform and trustworthy option, which consists of using Jabber (aka XMPP) with an OTR plugin.

Fun fact! Possible alternatives to Jabber with OTR include Tox and GNU Ring. Unfortunately, at the time of this writing, both messengers are extremely unstable - for example, they can sometimes lose messages or, conversely, deliver them multiple times. Of the solutions that really work today, I personally know only Jabber with OTR.

OTR is the name of the protocol and stands for Off The Record. This protocol is somewhat similar to the already familiar PGP / GPG, but with a number of important differences. For us, the most interesting differences are that it provides deniability and forward secrecy. Deniability means that even someone who intercepts messages and decrypts them cannot rigorously prove that they were actually sent by their sender rather than forged by someone else (at least from a cryptography / mathematics point of view; legal nuances may apply). Forward secrecy means that even if, after N years, someone gains access to your private key, it will not help them decrypt messages sent in the past. More details can be found in the articles that have just been linked in the text.
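To make the two properties concrete, here is a toy model of an OTR-style session, added as an example and not taken from the post or from any OTR implementation. The DH group (a 127-bit Mersenne prime), the SHA-256 counter-mode cipher and the message layout are stand-ins for the real protocol's 1536-bit MODP group, AES-CTR and wire format; what is faithful is the structure: every message is keyed from a fresh ephemeral DH pair whose private half is then discarded (forward secrecy), and the MAC key of a message is published once the recipient has checked it, so a verifying tag no longer proves who wrote the message (deniability).

```python
"""Toy model of the two OTR properties discussed above: forward secrecy from
per-message ephemeral Diffie-Hellman keys, and deniability from MAC keys that
are published once they are no longer needed. Constructed illustration only:
the group, cipher and message layout are stand-ins, not the OTR wire format."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (real OTR uses the 1536-bit MODP group)
G = 3            # toy generator


def dh_keypair():
    """Fresh ephemeral DH key; the private part never leaves this process."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_keys(shared_secret):
    """Separate encryption and MAC keys from one DH shared secret."""
    seed = shared_secret.to_bytes(16, "big")   # shared_secret < P < 2**128
    enc = hashlib.sha256(b"enc" + seed).digest()
    mac = hashlib.sha256(b"mac" + seed).digest()
    return enc, mac


def keystream_xor(key, counter, data):
    """SHA-256 in counter mode as a stand-in for the AES-CTR that OTR uses."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")
                                 + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_tag(mac_key, counter, ciphertext):
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ciphertext,
                    hashlib.sha256).digest()


def tag_verifies(mac_key, counter, ciphertext, tag):
    return hmac.compare_digest(make_tag(mac_key, counter, ciphertext), tag)


def run_session(messages):
    """Alice sends each message to Bob under a fresh DH pair on both sides.

    Returns what an eavesdropper could collect (public values, ciphertexts,
    tags), the MAC keys the parties reveal afterwards, and what Bob decrypted.
    """
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    transcript, revealed, received = [], [], []
    for counter, plaintext in enumerate(messages, start=1):
        # Alice: keys from her current ephemeral key and Bob's latest one.
        enc, mac = derive_keys(pow(bob_pub, alice_priv, P))
        ct = keystream_xor(enc, counter, plaintext)
        tag = make_tag(mac, counter, ct)
        transcript.append({"counter": counter, "alice_pub": alice_pub,
                           "bob_pub": bob_pub, "ct": ct, "tag": tag})
        # Bob: the same keys from his side of the exchange.
        enc_b, mac_b = derive_keys(pow(alice_pub, bob_priv, P))
        if not tag_verifies(mac_b, counter, ct, tag):
            raise ValueError("tag mismatch")
        received.append(keystream_xor(enc_b, counter, ct))
        # Ratchet: both private exponents are discarded, so a later key
        # compromise cannot reproduce this message's keys (forward secrecy),
        # and the spent MAC key is published so anyone could produce a valid
        # tag from now on (deniability).
        revealed.append(mac)
        alice_priv, alice_pub = dh_keypair()
        bob_priv, bob_pub = dh_keypair()
    return transcript, revealed, received


def forge_with_revealed_mac(revealed, counter, fake_ciphertext):
    """A third party holding a revealed MAC key can tag arbitrary bytes."""
    return make_tag(revealed[counter - 1], counter, fake_ciphertext)


if __name__ == "__main__":
    transcript, revealed, received = run_session([b"hi", b"see you"])
    print("decrypted:", received)
    forged = forge_with_revealed_mac(revealed, 1, b"forged")
    print("forged tag verifies:", tag_verifies(revealed[0], 1, b"forged", forged))
```

Note what the eavesdropper's transcript contains: only public DH values, ciphertexts and tags. Neither long-term key ever enters `derive_keys`, which is why obtaining one later does not help with old messages, and once a MAC key is in `revealed`, a tag that verifies under it is evidence of nothing.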

Many Jabber clients support OTR out of the box or via a plugin. In particular, such support is available in Pidgin and Psi+. Personally, I prefer Psi+ at the moment, so that is what I will describe below. On Arch Linux, you can install it like this:
Code:
yaourt -S psi-plus-qt5-git psi-plus-plugins-qt5-git

Note that the psi-plus-git package, which builds Psi+ against Qt4, is broken at the time of this writing. If you are using Ubuntu:
Code:
sudo apt-get install psi-plus psi-plus-plugins

Needless to say, Psi+ works on other platforms as well. The official website has packages for Windows, macOS, and so on.

I think you can figure out the client's interface without my help, especially since it may change a little over time. You just need to enable the OTR plugin and generate a key for yourself.

Please note that:
  • For new contacts, you need to compare fingerprints out of band and press Verify in the plugin properties. Otherwise, a MITM attack is possible;
  • OTR does not provide IP anonymity / hiding. Use a proxy, VPN, or Tor to solve this problem. In the latter case, it is desirable to use a Jabber server that is reachable as a hidden service on that network (for example, otr.im). If you need built-in Tor support, it is available in Tor Messenger (the messenger can work with Jabber, IRC, Facebook, Twitter and more, and it supports OTR). Remember also that there are ways to de-anonymize IM users, for example, through links to web pages;
  • Even if you use OTR, this is not a reason not to enable the mandatory use of TLS in the client when connecting to the server;
  • OTR only works if both users are online.
Subjectively, the last point is the most off-putting. If this is a significant problem for you, perhaps PGP / GPG, which is also supported in Psi+, is more suitable for you. PGP has no problems with delivering messages offline, although it provides neither deniability nor forward secrecy.
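The fingerprint step from the list above is the one that defeats a MITM, so here is what a client's verification bookkeeping amounts to, written as an added example (not code from the post or from Psi+ or any OTR plugin). An OTR fingerprint is the SHA-1 of the contact's serialized long-term DSA public key, displayed as five groups of eight hex digits; the key blobs below are constructed placeholders rather than real DSA keys, and the store, JID and function names are this example's own.

```python
"""Fingerprint check for an OTR contact, as a constructed example of the
"verify before you trust" step above. An OTR fingerprint is the SHA-1 of the
contact's serialized long-term DSA public key, shown as five groups of eight
hex digits; the key blobs used here are placeholders, not real DSA keys."""
import hashlib
import hmac
import re


def otr_fingerprint(pubkey_bytes):
    """Render the fingerprint the way OTR clients display it."""
    digest = hashlib.sha1(pubkey_bytes).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def normalize(fingerprint):
    """Accept what a contact reads out or pastes: any case, any spacing."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def fingerprints_match(shown_by_client, confirmed_out_of_band):
    a = normalize(shown_by_client)
    b = normalize(confirmed_out_of_band)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


def check_contact(verified_store, jid, fingerprint_now):
    """Classify the key a session presents for `jid` against the store of
    fingerprints the user has already verified out of band.

    "unverified": first contact, the user must compare fingerprints manually;
    "verified":   matches what was confirmed earlier;
    "changed":    a different key than the verified one, which is exactly what
                  a man-in-the-middle substitution (or a contact's reinstall)
                  looks like, so treat the session as untrusted until re-verified.
    """
    known = verified_store.get(jid)
    if known is None:
        return "unverified"
    if fingerprints_match(known, fingerprint_now):
        return "verified"
    return "changed"


def verify_contact(verified_store, jid, shown_by_client, confirmed_out_of_band):
    """Record a fingerprint as verified only if the out-of-band copy matches."""
    if not fingerprints_match(shown_by_client, confirmed_out_of_band):
        return False
    verified_store[jid] = normalize(shown_by_client)
    return True


if __name__ == "__main__":
    # Constructed keys: stand-ins for serialized DSA public keys.
    bob_key = b"constructed-bob-public-key"
    mallory_key = b"constructed-mallory-public-key"
    store = {}
    fp = otr_fingerprint(bob_key)
    print(check_contact(store, "bob@example.org", fp))            # unverified
    verify_contact(store, "bob@example.org", fp, fp.lower().replace(" ", ""))
    print(check_contact(store, "bob@example.org", fp))            # verified
    print(check_contact(store, "bob@example.org", otr_fingerprint(mallory_key)))  # changed
```

The "changed" outcome is the one to act on: a contact whose verified fingerprint suddenly differs is either talking through an interposed key or has genuinely generated a new one, and only an out-of-band check (a call, a meeting) can tell the two apart. The comparison uses `hmac.compare_digest` so that a rejected fingerprint does not leak how many leading characters matched.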

If you are interested in mobile clients with OTR support, they also exist, in particular Xabber for Android and ChatSecure for iOS (there is a version for Android, but it is no longer being developed). As an Android user at the moment, I tried Xabber. It is a perfectly normal mobile Jabber client, and OTR works. I also found Tor support in Xabber.

Finally, I note that there are OTR implementations for protocols other than Jabber. In particular, there is a plugin for irssi. A more complete list of IM networks and clients that support OTR can be found in the same Wikipedia article about OTR.

Normal people, alas, will never use OTR, because they want group chats, sending messages when the recipient or even the sender is offline, an encrypted history of all messages with the ability to instantly change the master password, synchronization between multiple devices and history search, sending pictures, video calls, editing and deleting messages, and so on. In general, more convenience. But if you're willing to sacrifice convenience for something that resembles true security, Jabber with OTR is one option that provides it.

Do you use Jabber with OTR or other crypto messengers? If so, what are your impressions?