How to encrypt conversations in Jabber

BadB

Downloading software
First we need to download the client itself. I'll use Pidgin as the example: it is cross-platform and easy to set up.

We also need the OTR (Off-the-Record Messaging) plugin, which provides the encryption. The Windows installer, and the sources for building it on Linux, can be downloaded from the project site.

On first launch Pidgin will offer to log in with an account, but we'll postpone that for now. The point is that registration would take place from our real IP address, and we want the IP hidden even from the service operators (what if they decide to hand it over to anyone who asks?). Any kind of proxy will do for this, but for greater reliability we'll use Tor.

Forwarding traffic through Tor
If you have Tor Browser installed, you can configure traffic forwarding directly from the account window, in its "Proxy" tab.

With Tor Browser and the Jabber client both running, open the "Tools" menu, select "Preferences" and go to the "Proxy" section. Tick "Use remote DNS with SOCKS4 proxies" and set "Proxy type" to "Tor/Privacy (SOCKS5)".

In the "Host" field enter 127.0.0.1 and set the port to 9150. That is the SOCKS port of the Tor instance bundled with Tor Browser; a stand-alone Tor daemon listens on 9050 by default.
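What "remote DNS" buys you is visible in the bytes a SOCKS5 client sends. The following Python is an added illustration written for this page, not code from Pidgin, Psi+ or Tor: it builds the RFC 1928 greeting and CONNECT request a client sends to Tor's SOCKS port, and parses them the way the proxy side would. When the client passes the hostname (address type 0x03), Tor resolves it inside the circuit; when the client has already resolved the name itself and hands over an IP (address type 0x01), a DNS query has gone out to your ISP's resolver outside Tor. That second case is exactly the Psi+ leak described in the second guide below, and typing the server's IP by hand is the workaround it gives. The hostname xmpp.jp and the address 49.212.155.196 are taken from that guide; nothing here touches the network.

```python
import socket
import struct

# SOCKS5 constants from RFC 1928 (added example, not code from the page).
SOCKS_VER = 0x05
AUTH_NONE = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
TOR_BROWSER_SOCKS = ("127.0.0.1", 9150)  # bundled Tor; a stand-alone daemon uses 9050


def greeting() -> bytes:
    """Client hello: version 5, one authentication method offered (none)."""
    return bytes([SOCKS_VER, 1, AUTH_NONE])


def connect_request(target: str, port: int) -> bytes:
    """Build the CONNECT request a client sends after the greeting.

    A hostname is sent as-is (ATYP 0x03) and the proxy, i.e. Tor, resolves
    it: that is "remote DNS". If the client resolved the name itself, or the
    user typed an IP as the Psi+ workaround suggests, only an IPv4 address
    (ATYP 0x01) reaches the proxy and Tor never sees the name.
    """
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(target)
    except OSError:  # not a dotted-quad literal, so treat it as a hostname
        host = target.encode("idna")
        if len(host) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(host)]) + host
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_connect_request(data: bytes):
    """The proxy's view of a CONNECT request: (address_kind, address, port)."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host = data[5:5 + n].decode("idna")
        (port,) = struct.unpack(">H", data[5 + n:7 + n])
        return "domain", host, port
    if atyp == ATYP_IPV4:
        (port,) = struct.unpack(">H", data[8:10])
        return "ipv4", socket.inet_ntoa(data[4:8]), port
    raise ValueError(f"unsupported address type {atyp:#x}")


def carries_hostname(request: bytes) -> bool:
    """True when the name itself travels to Tor, so no local DNS lookup was
    needed. False means the client sent an IP: either it resolved the name
    outside Tor (a leak) or the user typed the IP (no lookup at all)."""
    return parse_connect_request(request)[0] == "domain"


if __name__ == "__main__":
    good = connect_request("xmpp.jp", 5222)            # name resolved by Tor
    by_ip = connect_request("49.212.155.196", 5222)    # IP from the Psi+ note
    print(greeting().hex(), good.hex())
    print(parse_connect_request(good), carries_hostname(good))
    print(parse_connect_request(by_ip), carries_hostname(by_ip))
```

Typing the IP removes the lookup but not the need to check the server's TLS certificate against the domain name; a proper SOCKS5 client with remote DNS, as Pidgin does with the "Tor/Privacy" proxy type, avoids both problems.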

kak-shifrovat-perepisku-v-jabber.png


As you might have guessed, Tor Browser must be running and listening on that port the whole time you are chatting. Start it before Pidgin, and Pidgin won't complain about being unable to reach the server.

kak-shifrovat-perepisku-v-jabber1.png


Now Pidgin's traffic goes through Tor, and we can register. First we need to choose the server on which to create the account. You could, of course, run your own server, but that makes staying anonymous even harder.

Choosing a server
There are a huge number of servers, and the owners of many of them claim not to keep logs. That is impossible to verify. The picture shows what a leaked log looks like.

kak-shifrovat-perepisku-v-jabber2.png


When choosing a server, first look at which country it is located in. The EU, the United States and the country you live in are deliberately poor choices. Ideally the server sits somewhere that collecting logs is prohibited by law. Here is a short list of servers trusted by many hackers, both in the CIS and abroad; note, though, that some of them are located in the US.

Server | Country | Notes | Logs | Onion mirror
securejabber.me | Germany | May block an account at the request of the German authorities | No | giyvshdnojeivkom.onion
jabber.calyxinstitute.org | Netherlands | | No | ijeeynrc6x2uy5ob.onion
sj.ms | Switzerland | | No | none
swissjabber.ch | Switzerland | | No | none
xmpp.jp | Japan | | No | none
wallstreetjabber.biz | USA | Former securetalks.biz | No | wsjabberhzuots2e.onion
thesecure.biz | Singapore | | No | none
exploit.im | France | | No | none
fuckav.in | France | Has a filter for Cyrillic characters | No | none
jabber.otr.im | Canada | Server from the creators of OTR | No | 5rgdtlawqkcplz75.onion
jabber.ccc.de | Austria | | No | okj7xc6j2szr2y75.onion
xmpp.rows.io | USA | | No | yz6yiv2hxyagvwy6.onion
jabber.cryptoparty.is | Romania | | No | cryjabkbdljzohnp.onion
neko.im | Netherlands | Previously based in Norway | No | none
riseup.net | USA | | No | 4cjw6cwpeaeppfqz.onion

Nickname selection
Take the choice of a nickname. It seems an elementary matter, but many people get burned on it. You may not remember that you have already used it somewhere else, but Google remembers everything.

The second subtle point: it is best not to use nicknames made of letters that have a Cyrillic look-alike. Not every server has filters that block such tricks, so at some point you may acquire a twin whose name looks identical to yours but is made of letters with different code points.

Register on the server
Having decided on a username and password, you can register on the server. Open the client, open the "Accounts" menu and choose "Manage Accounts" (or just press Ctrl+A).

kak-shifrovat-perepisku-v-jabber3.png


In the window that appears click "Add"; the account window will open.

kak-shifrovat-perepisku-v-jabber4.png


Here we need to do the following:
  1. Select the XMPP protocol from the drop-down list.
  2. Enter the desired username.
  3. Enter the domain of the server on which you are going to create the account.
  4. The resource can be skipped, since it does not affect registration (it only identifies which device this login is tied to; your contacts see in their roster which resource you connected from).
  5. Enter the desired password.
  6. Tick (or don't tick) the "Remember password" box. I recommend leaving it unticked and keeping the password nowhere but in your head: if someone gains access to your computer, the password would otherwise already be filled in.
  7. Be sure to tick the "Create this new account on the server" checkbox (unless, of course, you registered earlier).
kak-shifrovat-perepisku-v-jabber5.png


After entering all the data, a separate registration form may appear. You will have to enter everything once more and click OK.

kak-shifrovat-perepisku-v-jabber6.png


Turn on OTR
The account is ready, and you can start setting up encryption. I recommend one of two options: PGP or OTR. Here I'll use OTR as the example: it gives a high level of security and is easy to configure. Bear in mind, though, that messages in Pidgin's logs are stored unencrypted, so for full reliability it is better to disable logging. On the server, the picture looks like this.

kak-shifrovat-perepisku-v-jabber7.png


Since the plugin is already downloaded and installed, it can be enabled from the client. Open Pidgin, click "Tools" and select "Plugins" (called "Modules" in the Russian interface).

kak-shifrovat-perepisku-v-jabber8.png


Next we need to configure the plugin. Tick "Off-the-Record Messaging" in the list and click "Configure Plugin" at the very bottom.

kak-shifrovat-perepisku-v-jabber9.png

kak-shifrovat-perepisku-v-jabber10.png


In the plugin settings window we first need to generate a key for our account. Select the account you want a key for and click "Generate". The key generation window will appear.

kak-shifrovat-perepisku-v-jabber11.png


Key generation is quick, but sometimes there is a short lag at this step. Don't be alarmed: Pidgin hasn't hung, it is just busy. When it finishes, press OK and you will see your fingerprint: forty hex characters in five groups of eight.

kak-shifrovat-perepisku-v-jabber12.png


Now tick the boxes below:
  • "Enable private messaging";
  • "Automatically initiate private messaging";
  • "Require private messaging";
  • "Don't log OTR conversations".
Keeping logs is entirely up to you. If they are useful, turn them on; if not, remember that anyone who can access your computer, remotely or physically, can read them.

The last checkbox, "Show OTR button in toolbar", simply adds a button for chat security and contact authentication to the conversation window.

kak-shifrovat-perepisku-v-jabber13.png


Authenticating the contact and protecting the chat
In fact, you already have a secure channel. To add a contact, open the "Buddies" menu and choose "Add Buddy".

kak-shifrovat-perepisku-v-jabber14.png


Select the contact.

kak-shifrovat-perepisku-v-jabber15.png


And click "Add".

Now the contact will receive a request, and once he confirms it you can start chatting. The security status is shown right in the chat window. If encryption is not enabled, the button reads "Not private". Clicking it opens a menu.

kak-shifrovat-perepisku-v-jabber16.png


If you start a private conversation, the label changes to "Unverified": the chat is encrypted, but you still need to authenticate the contact to be sure he is who he claims to be. Until then, encryption alone does not rule out a man in the middle who holds the other end of your session.

There are three ways to authenticate a contact.

Question and answer. You ask a question, and the contact must give the correct answer.

kak-shifrovat-perepisku-v-jabber17.png


Shared secret. Both of you enter the same phrase agreed in advance.

kak-shifrovat-perepisku-v-jabber18.png


Manual fingerprint verification. This is the option for when the fingerprint has been exchanged not via Jabber but by some other channel.

kak-shifrovat-perepisku-v-jabber19.png


Once the contact is authenticated, the button finally shows the green label "Private".
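The question-and-answer and shared-secret methods above (and in step 8 of the Psi+ guide further down) are the same mechanism: OTR's Socialist Millionaire Protocol, in which each side proves it knows the same secret without either side revealing it, and an eavesdropper learns nothing except whether the two matched. The Python below is an added illustration written for this page, not code from libotr or pidgin-otr. It follows the OTR v3 SMP message flow (SMP1 to SMP4) and the secret derivation, which binds the answer to both fingerprints and the session id, but it omits the zero-knowledge proofs that accompany each real SMP message (those stop a malicious peer from cheating on its exponents; they do not change the result logic shown here). The fingerprints and session id are constructed; the group is RFC 3526 group 5, the one libotr uses.

```python
import hashlib
import secrets

# RFC 3526 group 5 (1536-bit MODP), the group libotr uses for SMP; generator 2.
# Added example for this page, not libotr/pidgin-otr code. Needs Python 3.8+.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime; exponents are drawn from [2, Q)


def smp_secret(initiator_fp: str, responder_fp: str, ssid: bytes, answer: str) -> int:
    """Derive the SMP input as OTR does: version byte, both fingerprints, the
    session id, then the user's answer. Binding the fingerprints means a
    man-in-the-middle who relays the question cannot pass with the victim's
    answer, because the fingerprints each side sees are his, not the peer's."""
    h = hashlib.sha256()
    h.update(b"\x01" + bytes.fromhex(initiator_fp) + bytes.fromhex(responder_fp))
    h.update(ssid + answer.encode("utf-8"))
    return int.from_bytes(h.digest(), "big")


def _rand_exp() -> int:
    return secrets.randbelow(Q - 2) + 2


def _div(a: int, b: int) -> int:
    return a * pow(b, -1, P) % P


class Initiator:
    """Alice: sends SMP1 and SMP3, learns the result from SMP4."""

    def __init__(self, x: int):
        self.x, self.a2, self.a3 = x, _rand_exp(), _rand_exp()

    def smp1(self):
        return pow(G, self.a2, P), pow(G, self.a3, P)

    def smp3(self, g2b, g3b, pb, qb):
        self.g2, self.g3 = pow(g2b, self.a2, P), pow(g3b, self.a3, P)
        s = _rand_exp()
        self.pa = pow(self.g3, s, P)
        self.qa = pow(G, s, P) * pow(self.g2, self.x, P) % P
        self.pb, self.qb = pb, qb
        ra = pow(_div(self.qa, qb), self.a3, P)
        return self.pa, self.qa, ra

    def finish(self, rb) -> bool:
        # (Qa/Qb)^(a3*b3) equals Pa/Pb exactly when x == y.
        return pow(rb, self.a3, P) == _div(self.pa, self.pb)


class Responder:
    """Bob: answers SMP1 with SMP2 and SMP3 with SMP4."""

    def __init__(self, y: int):
        self.y, self.b2, self.b3 = y, _rand_exp(), _rand_exp()

    def smp2(self, g2a, g3a):
        self.g2, self.g3 = pow(g2a, self.b2, P), pow(g3a, self.b3, P)
        r = _rand_exp()
        self.pb = pow(self.g3, r, P)
        self.qb = pow(G, r, P) * pow(self.g2, self.y, P) % P
        return pow(G, self.b2, P), pow(G, self.b3, P), self.pb, self.qb

    def smp4(self, pa, qa, ra):
        rb = pow(_div(qa, self.qb), self.b3, P)
        self.ok = pow(ra, self.b3, P) == _div(pa, self.pb)
        return rb


def run_smp(x: int, y: int):
    """Drive the four-message exchange; returns (alice_result, bob_result)."""
    alice, bob = Initiator(x), Responder(y)
    g2a, g3a = alice.smp1()
    g2b, g3b, pb, qb = bob.smp2(g2a, g3a)
    pa, qa, ra = alice.smp3(g2b, g3b, pb, qb)
    rb = bob.smp4(pa, qa, ra)
    return alice.finish(rb), bob.ok


# Constructed fingerprints (40 hex chars, as Pidgin shows them) and session id.
ALICE_FP = "0123456789abcdef0123456789abcdef01234567"
BOB_FP = "fedcba9876543210fedcba9876543210fedcba98"
SSID = b"\x00" * 8

if __name__ == "__main__":
    x = smp_secret(ALICE_FP, BOB_FP, SSID, "rex")
    print(run_smp(x, smp_secret(ALICE_FP, BOB_FP, SSID, "rex")))  # same answer
    print(run_smp(x, smp_secret(ALICE_FP, BOB_FP, SSID, "max")))  # wrong answer
```

Two things the run shows that the menu does not: a wrong answer fails without telling either side what the other typed (only Pa, Qa, Ra, Rb cross the wire, all blinded by fresh random exponents), and the same answer still fails if the fingerprints differ, which is what makes the "question" method safe against a relay attacker who does not know the answer.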

Setting up a mobile client
Jabber clients with encryption support are also available on mobile devices, for example ChatSecure for iOS and for Android. Just in case, I warn you that the Android application is not listed on the official website and requests a lot of permissions for a messenger, so use it at your own risk.

Registering in the app is the same as on a computer. If you already have an account, then instead of creating a new one select "Existing Account" on the main page.

kak-shifrovat-perepisku-v-jabber20.png


Next, choose XMPP.

kak-shifrovat-perepisku-v-jabber21.png


And enter your data.



If you want to create a new account, then click "Create a new account" and fill in all the data. A big plus of ChatSecure is that it can send traffic through Tor without additional tweaks.

kak-shifrovat-perepisku-v-jabber23.png


ChatSecure also has a list of private servers - choose which one you like, or, if you have already chosen before, enter the address in the Custom field at the very bottom.

kak-shifrovat-perepisku-v-jabber24.png


At the end you will be prompted to save the server's certificate. Save it and wait for registration to complete.

kak-shifrovat-perepisku-v-jabber25.png


Now you just need to click on the new message icon and click "Add contact" in the menu that appears.

kak-shifrovat-perepisku-v-jabber26.png


Enter the address of the contact.

kak-shifrovat-perepisku-v-jabber27.png


And authenticate it with one of the methods we have already listed.

incashwetrust.biz
 
Step-by-step configuration of Jabber and encryption

29207bd10dc635ae17180.jpg


Jabber (or XMPP) is a free and open protocol for exchanging instant text messages over the network. You can read more about the protocol on Wikipedia.

This setup guide is unique in that:
1. The result is fully portable: move it anywhere and launch it from any media.
2. The GPG module picks up new keys on the fly and needs no preliminary launch.
3. No registry entries, and no need to register anything or poke around in environment variables.
4. A normal design with all links to the official developers.
5. GPG key exchange takes a single button click in the chat.

Psi+ (client for Jabber)
Launch Tor Browser; we will connect to the Jabber server through its network. The servers you connect to will see the IP of a Tor exit node, not yours. Tor also encrypts the traffic between you and the exit node, so even though your correspondence remains on the server, your ISP no longer sees it. The hop from the exit node to the server is protected only by the XMPP connection's own TLS, which is why "Encrypt connection: Always" below matters.

1. Download and install Psi+

2. Create a portable version so as not to leave traces on the disk: run the file in the folder with the installed program that builds it, and from then on launch the resulting psi-plus-portable.exe

3. When Psi+ starts: "Register a new account" (or enter the details of an existing Jabber account).
Choose the desired server from the list; the more exotic the better, for example one ending in .jp (Japan) or .im (Isle of Man). The main thing is to avoid .ru.
Note: Psi+ performs DNS lookups incorrectly, bypassing the proxy settings. This threatens your anonymity, so when specifying the server, enter its IP address by hand in the appropriate field. You can find it via web services (for example xmpp.jp - 49.212.155.196, jabbim.com - 88.86.102.50; the port is 5222 in every case).
"Encrypt connection" - "Always"

4. "Proxy server:" - "Edit..." - "Create". Enter any name,
Type: SOCKS Version 5, Server: 127.0.0.1, Port: 9150 - Save.
"Next". Enter your nickname, password and, on some servers, a captcha.

5. The "Account Settings" tab opens: tick "Automatically log in after sleep mode" and "Automatically restore connection". Untick "Keep message history" (this matters: the history is not encrypted and is stored on disk in clear text).

6. On the "Connection" tab: tick "Compress traffic (if possible)" and "Send keep-alive packets...".
"Plaintext authentication" - "Never". Save the settings.
Select the "Available" status, enter the account password, and you can start chatting, or first add message encryption that hides the content from the provider and the Jabber server: OTR or GPG, to taste, and preferably both, so that you can communicate in encrypted form both with those who have only OTR and with those who have only GPG.

OTR (Off-the-Record)

7. Download the OTR plugin and unpack it into the folder with the installed program, confirming the replacement. Go to "Settings" - "Plugins", activate Off-the-Record and generate a new key.

8. After adding the contact ("Add contact"), open the chat window and click the arrow icon in the top right - "OTR messaging" - "Start a private conversation".
It remains to authenticate each other, i.e. to make sure you are talking to your contact and not to someone else entirely. To do this, click the arrow icon in the top right - "OTR messaging" - "Authenticate contact". Three authentication methods are offered:
§ First, question and answer: you ask a question whose answer only your contact knows, and he must answer it correctly.
§ Second, shared secret: like the first method, but without a question; both parties just enter the same phrase (some password, for example).
§ Third, manual verification of the contact's key fingerprint over a secure channel (e-mail, for example). It is the fingerprint of the public key that is compared; the private key never leaves the device.
After authentication you can start communicating, or move on to Gpg4usb (message and file encryption)

9. Download and unzip Gpg4usb
GPG is an asymmetric encryption system, a free implementation of the OpenPGP standard. A key pair (secret key and public key) is used for encryption.
On first launch you can import an existing key pair (secret and public keys) or create a new one. Enter a name and an e-mail address, any you like. Make the passphrase complex, at least 10 characters. It is highly advisable not to lose the key or forget its passphrase: the secret key cannot be recovered, whereas the public key is derived from the secret key and cannot be lost. The secret key is encrypted with the passphrase so that even if someone gets hold of your key file, they cannot use it.
For example, save a backup copy of the secret key to a flash drive or an encrypted container: secring_bak.gpg
In the "Key Manager", select your key and copy it to the clipboard, or save it as a file.
Send your public key to the contact by any means, even by pasting it from the clipboard into the chat window.
The other person does the same on his side.
Add the key sent to you via "Import key". Now you can write a message, select the contact's key in the list on the right, encrypt it and send the encrypted text. He decrypts it on his side by entering the passphrase of his private key. You can do the same with files, without fear that someone will open them in transit. The interface is intuitive; there should be no difficulties.

The encryption and decryption process works like this: you and the contact have exchanged public keys; you write him a message and encrypt it with his public key, after which even you can no longer decrypt it. Decrypting it requires the secret key, which only your contact has. Even someone who intercepts the message cannot decrypt it. Simply put, the public key encrypts and the secret key decrypts.

We continue configuring Psi+:
10. Copy gpg.exe from the gpg4usb/bin folder into gpg4usb itself. Put the whole gpg4usb folder next to the Psi+ folder (that must be its exact name), create a text document in the same parent folder, and paste this into it:
Code:
@echo off
setlocal
rem Resolve paths from this script's own folder (%~dp0 ends in a backslash),
rem not the current directory, so it works from a shortcut or any drive letter.
set "BASE=%~dp0"
set "GNUPGHOME=%BASE%gpg4usb\keydb"
set "PATH=%PATH%;%BASE%gpg4usb;%BASE%Psi+"
set "PSIDATADIR=%BASE%Psi+"
start "" "%BASE%Psi+\psi-plus-portable.exe"

Save it and rename the text file to, for example, Startpsi.bat (the name can be anything; what matters is the .bat extension). What this step is for: Psi+ can now be launched from any media and any folder, wherever you move it. Just run Startpsi.bat
Note for aesthetes: the bat file can be converted to an .exe with Advanced BAT to EXE Converter

11. Go again to "Account Settings" - "Details" - "Select key..." and select the key you created.
Now we can connect to the network. Select the "Available" status, enter the account password and the passphrase of the GPG secret key.
Next: select a contact from the list, or add a new one, right-click it - "Assign an OpenPGP key" - select the imported key of your contact.
To check a contact's signature, hover the mouse over it and look at the information window with data on a yellow background. A green line means the contact came online with the correct key and you have his public key.
For messaging: open a new chat window and click the padlock button in the top right. The keys will be reconciled and, if all is well, you will see a message saying the conversation is encrypted.

Small things to finish off:
- "Settings" - "Plugins" - "Client switcher plugin": disable time requests (hides your time zone) and present the client name at your discretion. Sometimes the plugin only works after you change the skin (in the same plugins section).
- "Settings" - "Advanced" - "options" - "pgp" - "auto-start" - "true": so that you don't have to press the padlock button at the start of every conversation.
- "Settings" - "Plugins" - "Image plugin": activate; lets you insert a photo directly into the chat and shows the picture rather than a link.
- "Settings" - "Plugins" - "GnuPG Key Manager": activate; lets you exchange GPG keys with a single button in the chat window.

Did you like it?
 
We authenticate the interlocutor and protect the chat
In fact, you already have a secure communication channel. To add an interlocutor, you need to click "Interlocutors" and select "Add interlocutor".
I'm running into a problem at this point. The "add contact" buttons and so on are simply not clickable. What can be done about this?
 