When you pick up your phone and make a call, send an SMS, email, message on Facebook or Google Hangouts, other people can track exactly what you are talking about, who you are chatting with, and where you are. This personal information may not only be available to the service provider who acts as an intermediary in your conversation, but also to telecommunications companies that provide Internet access services, intelligence services and law enforcement agencies, and even a few teenagers who can track your activity on the Wi-Fi network. Fi using the Wireshark app.
Content
1. Installing Adium and setting up an anonymous account over Tor
2. Adding contacts and personal correspondence
However, if you take the necessary steps to protect your information, you will be able to transmit secret and anonymous online messages. In this article, I will explain in detail how to do this. We consider in detail the methods by which the two and a half years ago took the informant and former NSA employee Edward Snowden, to contact me. In other words, I'll show you how to create an anonymous online chat account and exchange messages using an encryption protocol called Off-the-Record Messaging, or OTR.
If you don’t want to read the entire article, you can skip straight to the section that describes step by step how to create an account on Mac OS X, Windows, Linux and Android platforms. When you have enough time, go back to the beginning and read the important notes that come down to these sections.
First, you need to make sure you're using end-user encryption. end-to-end encryption]. In this case, the message will be encrypted at one end - say, on a smartphone - and decrypted at the other - for example, on a laptop. No one, including your ISP, will be able to decrypt your message. Compare this type of encryption with another type when you connect through your ISP, for example, over an HTTPS connection. HTTPS will protect your message from potential Wi-Fi snoopers like teenagers with Wireshark installed or your service provider, but it won't be able to protect your message from the company on the other end of your connection - like Google or Facebook - or from law enforcement and intelligence. services requesting information from these companies.
Another, no less important note is the need to protect not only the content of your correspondence, but also its metadata. Some metadata, such as who is talking to whom, can play a very important role. If someone is going to contact a journalist, then encrypting the letter alone will not be enough to hide the very fact of the correspondence with the journalist. Likewise, if you are unhappy lovers trying to connect with each other and keep it secret from your warring families, you will have to hide not only the content of your love messages, but also the fact that you, in principle, got in touch. Let's take a quick look at how this can be done.
Identity hiding
Imagine Juliet trying to get in touch with Romeo. They both know that if they use phone, mail, Skype or other traditional methods, they will not be able to hide the fact that they have been in contact from their influential families. The trick is to hide rather not that they communicated, but that they are Romeo and Juliet.
Juliet and Romeo decided to create new communication accounts. Juliet took the pseudonym Ceres and Romeo took the name Eris. Now that Ceres and Eris can exchange encrypted messages, it will be much more difficult to find out that Juliet and Romeo are hiding under these names. If Juliet's account is checked for a connection to Romeo - and her hot-tempered cousin is, to put it mildly, a little presumptuous - then no evidence will be found.
Of course, it is not enough just to take a new name for yourself. At this stage, it is still possible, and sometimes even quite simple, to find out that Juliet is hiding under Ceres, and Romeo under Eris.
Juliet logs into her account under the name "Ceres" from the same IP address that she uses for other purposes on her computer (for example, when she contacts Lorenzo's brother by e-mail). If its activity on the Internet is tracked (and this is probably the case, because all our activity on the Internet is tracked), it will not be difficult to correlate a number of facts. If the service is forced to transmit the IP address from which the Ceres user goes online, then it can easily be correlated with Juliet's IP address. Romeo has the same problem.
Independent services like telecommunications companies and mail domains have access to private information about their users, and according to the "third party doctrine" these users "cannot expect to hide" such information. This principle applies not only to secret lovers: journalists, who may receive a number of privileges under the First Amendment of the US Constitution, must closely monitor who is in charge of their communications services. In 2013, the US Department of Justice received evidence of a number of phone calls made by Associated Press reporters during an investigation into a data breach. Many news outlets do not have own mail service: New York Times and Wall Street Journal use Google mail, USA Today uses Microsoft services - so the US government can request their data. (The Intercept uses its own mail service).
Anonymity
In order to hide her private correspondence, Juliet must draw a clear line between Ceres's account and her real identity. By far the easiest and most secure way is to use an open source decentralized anonymous network called Tor.
Tor is designed to use the Internet anonymously. It is a decentralized network of arbitrary "nodes" - computers that transmit and execute requests on the Internet on behalf of other computers. Tor allows you to remain anonymous by connecting you to the Internet through a series of such nodes. If at least one of the nodes was deliberately placed in the series, then no one will be able to find out who you are and what you are doing: you can either find out your IP address without knowing what you are doing on the Web, or find out what you are doing on the Web without knowing your IP address.
Most of those who have heard of the Tor network also know about the browser of the same name, which can be used to browse the web anonymously. But beyond that, its software can be used anonymously for other purposes, including messaging and emails.
If Romeo and Juliet use the Tor network to access their Eris and Ceres accounts, and if they exchange messages encrypted using the OTR protocol, they will finally be able to organize private online correspondence regardless of whether they will be spied on. or not.
Romeo and Juliet secretly exchange encrypted messages from anonymous accounts
Hackers and carders surround us from all sides
Now that Romeo and Juliet have created new anonymous Tor accounts, let's test every part of our system for flaws.
From Juliet's side: An attacker monitoring Juliet's internet traffic will be able to see that some of her traffic is passing through Tor, but will not be able to understand what Juliet is using it for. If hackers begin to check who Juliet writes e-mails to, who she contacts on Skype, who calls and sends messages, then there will be no signs of her connection with Romeo. (Of course, the use of the Tor network itself can raise suspicion. That is why The Intercept recommends that, in order to maintain anonymity, make a network connection from her personal computer that is not connected in any way with the service provider. In other words, to protect herself, Juliet could go to Internet from a Starbucks or public library).
From Romeo's side: An attacker monitoring Romeo's internet traffic could see that some of his traffic goes through Tor. If this person looks through all the mail, calls, messages, as well as Romeo's activity on Skype, then he will not be able to find Juliet.
From the side of the chat server: the messaging service itself can track that someone with an IP address on the Tor network created a user "Ceres", someone with an IP address on the Tor network created a user "Eris", and both of these users exchange with each other encrypted messages. It is impossible to find out that Ceres is actually Juliet or that Eris is actually Romeo, since their IP addresses are hidden by Tor. It is also impossible to know what Ceres and Eris are talking about among themselves, because their messages are encrypted using OTR. These accounts could just as easily belong to a whistleblower and journalist, or a human rights activist and his lawyer, rather than two lovers exchanging poetry.
Even after taking these steps, there is still a small fraction of metadata that can leak out if you act inadvertently. Here are some things to keep in mind:
Tor is not flawless
Tor provides high-level network anonymity, but ensuring true anonymity is a problem that is almost impossible to find a solution to. There is a real arms race between Tor developers and scientists on the one hand, and influential hackers who want to be able to secretly expose or censor netizens on the other.
Tor has never been a reliable defense against a "global observer" - a force that can monitor all nodes of the network in real time around the world. These forces could monitor the traffic of Tor users entering the network, watch traffic flow around the world, and then watch as that traffic leaves the network, thereby explaining which traffic belongs to a particular user.
Despite all this, Snowden's documents published by The Guardian indicate that the combined spy force of the Five Eyes [eng. Five Eyes] (USA, UK, Canada, Australia and New Zealand) are not yet considered a "global observer": at least they were not considered so in July 2012, when the presentation of these top secret materials took place. As it turns out, Western intelligence agencies can only expose a random unlucky user for their own benefit and have never been able to expose a specific user on demand.
As promising as it sounds, Tor can't always hide your identity, especially if you're already under surveillance. A striking example is the arrest of Jeremy Hammond.
The FBI suspected that Hammond might be a member of the LulzSec hacker group, which continued to commit cybercrime in 2011. In particular, the FBI believed that he could work in online chat under the pseudonym sup_g. His staff set up surveillance of Hammond's apartment in Chicago, monitoring which servers he connected to over his Wi-Fi network. A legally certified FBI document states that "a significant portion of the traffic originated from [Hammond's] Chicago apartment and onto the Internet via the Tor network." The FBI conducted a low-tech traffic correlation attack to confirm that Hammond was in fact operating under the name sup_g. When Hammond left his apartment, Tor traffic would stop and sup_g would log out of the chat. When he returned home, traffic resumed, and sup_g reappeared on the network.
Thor is not supernatural; it is just a tool. The person who uses it should consider the FBI's activities if they wish to remain anonymous.
Workstation security
One more caveat can be made. If a hacker breaks into Juliet's computer, then he can find out what she was doing. The same situation is with Romeo. You can encrypt all traffic and use all the nodes in the world to protect your data, but if a hacker can see the text you are typing, as well as your computer screen, then you cannot hide from him.
It is extremely difficult to protect your computer from attacks if you are being hunted by powerful hackers. You can reduce the risk of your computer being compromised by using a separate device solely for a secure connection, because the computer you use for everyday tasks will be much easier to hack.
In addition, for personal correspondence, you can use a tool such as Tails. It is a portable operating system that you can install on a USB flash drive and work with it anonymously, even if hackers break into your regular operating system. Despite the fact that Tails will provide you with a high degree of protection for your personal correspondence, it is a rather complex tool. New users will have to spend several days troubleshooting all sorts of problems, especially if they are new to Linux.
Most users are happy with their normal operating system, with which you can exchange private messages in real time and not worry about being hacked - although in this case, the likelihood of data leakage that you would like to keep secret is higher. This option is much more convenient and easier to get started with if you only need a little personal space and do not have critical data that could be at risk.
First contact
When you are about to start an online correspondence, it is not always clear exactly how to do it. If you can meet a person in person, then establishing a secure communication channel is quite simple: when you meet, you just need to ask each other for logins, messaging server data and OTR fingerprints (see below for more details).
However, it is not always possible to meet in person: you may be at a great distance from each other, or one side may want to remain unknown to the other. Even if you both want to meet in person, how do you go about it if you need to hide the fact that you are in touch with each other?
In order to establish the first contact with Romeo, Juliet must specifically create an anonymous account for this, which will allow her to contact Romeo's public account. She can poison Romeo an email from her anonymous mailbox. Most email services require a user's phone number when creating an account, and some deny access to all Tor users, making it more difficult to create an anonymous account. Juliet could also create an anonymous social media account and use it to link to Romeo's public profile.
If possible, she should encrypt the first messages she sends to Romeo. The procedure is simplified if Romeo publishes the PGP key. All The Intercept journalists publish their PGP keys on the employee profiles page. If you are going to make the first contact with a journalist working in an organization that uses the SecureDrop platform, you can use it so as not to create new anonymous accounts and not deal with PGP keys. SecureDrop is also used by The Intercept.
At the first contact with Romeo, Juliet must indicate the chat server on which she created the account, her username, OTR fingerprint and the time when she will be waiting for him on the network. In addition, she can give Romeo the necessary instructions for creating an account, possibly referring to this article.
If both Juliet and Romeo logged into their anonymous accounts and began exchanging encrypted messages with OTR fingerprints, then the job is almost done. Depending on how Juliet first established contact with Romeo, careful examination of Romeo's emails and his social media account may reveal the user details of Juliet's anonymous account: one way or another, she must tell him that data. This is how investigators can find out Romeo's hidden profile.
To prevent such situations, Juliet and Romeo can delete their accounts and switch to new ones without leaving any traces. Indeed, Juliet and Romeo should leave their old accounts when they see fit and switch to new accounts with new OTR encryption keys. There are hundreds of public chat servers and it is completely free to create a new account.
From theory to practice
Now that you are familiar with the theory of hiding your identity, it is time to put it into practice.
Do not be alarmed, I am sure you will succeed. All you need to do is follow the instructions provided for Mac OS X, Windows, Linux and Android users. (Unfortunately, you won't be able to contact anonymously via chat servers on iPhone.) Practice with your friend first.
Jabber and Off-the-Record
When I talked about "chat servers" I was actually referring to Jabber servers, also known as XMPP. Jabber is an open protocol for instant messaging; it is not a special service like Signal, WhatsApp or Facebook. Jabber is a decentralized, integrated email-like application. I can send an email from my @ theintercept.com mailbox to your gmail.com because The Intercept's and Gmail servers use the same standard protocol.
So everyone has the opportunity to run a Jabber server: it is used by many organizations, including the Calyx Institute, Riseup, Chaos Computer Club and DuckDuckGo and others. There are hundreds of other public Jabber servers out there. Many organizations run private Jabber servers, including The Intercept subsidiary First Look Media. The messaging service HipChat is powered by Jabber, while its competitor, Slack, uses Jabber gateways.
Since Jabber is decentralized, a user with a Jabber account like [email protected] can chat with [email protected]. But if both parties - Romeo and Juliet in our example - use the same server for their Jabber accounts, then the metadata of their correspondence will be better protected. Messages will be stored on the same server and will not be transmitted over the Internet.
Unlike email, most Jabber servers allow users to create accounts through Tor and do not require any personal information from you. Generally speaking, many Jabber servers run anonymous services that allow Tor users to communicate with each other without ever leaving the network. This topic is quite complex, so for the sake of simplicity, I will not use anonymous services when describing the instructions in the future.
Off-the-Record (OTR) is an encryption protocol that can add end-user encryption to any messaging service including Jabber. To exchange encrypted messages, both parties must use software that supports OTR encryption. There are several options, but this article covers Adium for Mac users, Pidgin for Windows and Linux users, and ChatSecure for Android users. ChatSecure is also available on iOS, but the app is not fully Tor compatible on iOS devices.
Choosing a Jabber server
If you are going to hide your identity by creating an Android account, you can skip directly to the appropriate section. ChatSecure for Android has built-in support for creating temporary anonymous accounts to hide your identity.
Everyone else needs to download and install the Tor browser. Open it and download our article in this browser, not the one you used before. So, you are now using the Tor browser. This is a very important point because I don't want your IP address to get lost in the log files of every Jabber server you intend to use. As will be shown later, this will be the main idea behind revealing your identity.
You have hundreds of Jabber servers to choose from. You can find lists of some of the public Jabber servers, such as here and here. Which one should you choose?
The server will not be able to determine who you really are (you will connect over the Tor network) or what you write about in your messages (you will use the OTR protocol to encrypt your messages), so you do not need to worry about that. However, it is better to choose a server that is less likely to pass log files to your government, and it will not be very happy about the fact that Tor users create anonymous accounts.
More often than not, people create Jabber accounts directly through messaging programs. Setting up such a program to send messages through Tor from your account is easy. It is more difficult to make sure that the program allows you to create new accounts through Tor (if you are using the Tails operating system, then you have nothing to worry about, since all your traffic will go through the Tor network). Therefore, I recommend choosing a Jabber server that will allow you to create a new account from the program's website, and you can do this in the Tor browser instead of the messaging program.
The following are several Jabber servers where you can create new accounts using the Tor browser. They are randomly selected from a list of public servers: ChatMe (located in Italy), CodeRollers (located in Romania), Darkness XMPP (located in Russia), KodeRoot (located in the USA), Jabber.at (located in Austria), Hot-Chilli (located in Germany), XMPP.jp (located in Japan), etc. The list is quite long.
Ready to get started? Select a Jabber server. Come up with a login that has nothing to do with your real identity. Come up with a password that you don't use anywhere else.
Create a Jabber account using the Tor browser. Now write down the details of the server on which you created your account, your username and password, and proceed to the next section depending on the platform you are using: Android, Mac OS X, Windows or Linux.
Choose your operating system:
Transferring encrypted messages anonymously on Mac OS X
If you have not already created a new Jabber account using the Tor browser, follow the instructions in the Choosing a Jabber Server section above to create one. Make sure you know on which server you created your account, as well as your username and password.
For this example, I created a Jabber account on the xmpp.jp server and took the pluto1 login.
Installing Adium and setting up an anonymous account over Tor
Download and install Adium, a messaging client for Mac that supports OTR encryption.
Make sure the Tor browser is open. While it is open, the Tor service runs in the background on your computer. When you close the Tor browser, the Top service will also stop running. This means that every time you want to use your hidden Jabber account, your Tor browser must be running in the background, otherwise Adium simply won't be able to connect. So, open your Tor browser and don't close it until you have followed all the instructions.
Open Adium. After you open it, the Adium Assistant Wizard window will pop up. Close it: we'll create an account manually to get more options.
With the Contacts window selected, click on the menu bar at the top of Adium and select Preferences. Make sure the Accounts tab is selected at the top of the window. Click on the "+" button at the bottom left of the window to add a new account. Then select "XMPP (Jabber)" from the drop-down list.
This will bring up a new dialog box in which you can set the settings for your account.
Before proceeding to the next step, switch to the "Connect using proxy" tab and select the "SOCKS5" type from the list. In the Server field enter "127.0.0.1" and in the Port field enter "9150". Create a username and password for this account and enter them in the appropriate fields. These settings will ensure that Adium will connect to this account via Tor. Entering a username and password is optional, but if you use them, Tor will select different communication channels for this account , which will increase your anonymity.
Click on the "Privacy" tab. In the Encryption field, change the value from Encrypt chats as requested to Force encryption and refuse plaintext.
Click on the "Options" tab. Change the "Resource" field (the default is your computer name) to "anonymous". Also, under Security, check the box next to Require SSL / TLS.
Now go to the "Accounts" tab. Enter Jabber ID. The username is pluto1 and the Jabber server name is xmpp.jp, so the Jabber ID will be written as [email protected]. Enter your password and click "OK" to log into your account.
Adium will now try to connect to your anonymous account via Tor. If everything goes well, your account with the signature "Online" should appear in the list of accounts.
Encryption keys and fingerprints
So, you've anonymously logged into your hidden account via Tor. The next step is to create an encryption key using the OTR protocol. Anyone wishing to use the OTR protocol must generate their own key. This key is a file stored on the device that you use to exchange messages. Each key contains a unique sequence of characters called the fingerprint of that key: no two keys can have the same fingerprint.
Let's try to create our own key with OTR encryption. In the Contacts window, click on the Adium menu bar and select Preferences. Go to the Advanced tab and click on the Encryption sidebar. Select your anonymous account and click on the Generate button to generate a new key. After completing the procedure, you will have a new fingerprint with OTR encryption.
In our example, I created a new key using OTR encryption for my account [email protected] with fingerprint C4CA056C 922C8579 C6856FBB 27F397B3 2817B938. If you want to start a personal correspondence with someone, tell this person your username and server name, as well as the key fingerprint with OTR. After he creates an anonymous Jabber account and generates an OTR encrypted key, ask him to also tell you his username, server name and key fingerprint.
After starting the exchange of encrypted messages, you will be able to see your interlocutor's key fingerprint, and he will be able to see yours. If the fingerprint that was given to you matches the fingerprint that is displayed in Adium, then this contact can be marked as trusted. If the fingerprint you shared matches the fingerprint displayed in Adium, then your contact can also be marked as trusted.
This stage is somewhat confusing, but very important. If the keyprints do not match, this means that a middleman attack is directed at you. In this case, do not mark the contact as reliable, but try to repeat the procedure a little later.
Adding contacts and personal correspondence
I am trying to start private messaging with my friend. He informed me that his Jabber account is [email protected] and his OTR fingerprint is A65B59E4 0D1FD90D D4B1BE9F F9163914 46A35AEE.
After I have created my pluto1 account, I want to add the user pluto2 to my contacts. First I select the Contacts window and then I click on the Contact menu button and select Add Contact. In the Contact Type field, I select XMPP, and in the Jabber ID field, I enter [email protected]. Then I click on the "Add" button to add the user to the contact list.
Once you've added a contact to Jabber, you can't immediately tell if it's online or not. First, you need to get the user's consent to view his status. So now I need to wait for pluto2 to log into their account and confirm my request to add to the contact list.
So pluto2 has allowed me to see when he is online, and he sends a request for me to allow him to see when I am online. I select his contact and click on the button "Allow to add me to your list of contacts" (Authorize).
Now I have added user pluto2 as my contact for the first time and it will show up in my contact list when he is online. Then all I have to do to start communicating with him is to double-click on his name.
I double-clicked on the pluto2 contact and wrote hello.
Before sending my message, Adium started an OTR encrypted session. Pay attention to the inscription "[email protected]'s identity not verified" ([email protected]'s identity not verified). This means that during the exchange of encrypted messages, I cannot be completely sure that a middleman attack will not occur.
In addition, the OTR Fingerprint Verification box will pop up. Does the fingerprint given to me by user pluto2 match what is written in this window?
I compare each of the fingerprint characters that pluto2 gave me earlier with the fingerprint characters that Adium refers to. It can be seen that they are indeed the same. This means that no one is conducting an encryption attack, and I can safely press the Accept button. If I didn’t have the pluto2 OTR fingerprint, I would request it from pluto2 externally. out-of-band] channel (not in this chat, since I don't know how reliable it is), and then confirm that they match. If I didn't have time for this, I would click on the "Verify Later" button.
You only need to go through the confirmation stage before starting to exchange encrypted messages with a new contact. If tomorrow I log into my account and start a conversation with pluto2, then I can immediately start working, considering this conversation secure.
That, in fact, is all. Bottom line: we created an anonymous Jabber account over the Tor network. We have configured the Adium messaging program and can log into this account via Tor. We have created a new OTR encryption key for this account. We added one contact to our account and verified their OTR encryption fingerprint. Now we can exchange messages with this contact at a sufficiently high level of information security.
In Part 1, we figured out the modern possibilities of anonymous encrypted messages that are available to a common user and discussed the practical application of technologies popular in this area using Mac OS X as an example. Android.
Transferring encrypted messages anonymously on Windows and Linux
If you have not already created a new Jabber account using the Tor browser, follow the instructions in the Choosing a Jabber Server section in Part 1 to create one. Make sure you know on which server you created your account, as well as your username and password.
For this example, I created a Jabber account on the wtfismyip.com server and took the pluto2 login.
The instructions for Windows and Linux are in the same section because they use the same program, Pidgin. Almost all the steps for both operating systems are the same, but I will tell you about their differences.
Installing Pidgin and setting up an anonymous account over Tor
If you are on Windows, download and install Pidgin, and then download and install the OTR plugin for Pidgin. Make sure the Tor browser is open. While it is open, the Tor service will run in the background on your computer. When you close the Tor browser, the Tor service will also stop running. This means that every time you want to use your hidden Jabber account, your Tor browser must be running in the background, otherwise Pidgin simply won't be able to connect. So, open your Tor browser and don't close it until you have followed all the instructions.
If you are using Linux, install the pidgin, pidgin-otr and tor packages. On Ubuntu and Debian operating systems, you can enter the line “sudo apt-get install pidgin pidgin-otr tor” in a terminal, or go to the Ubuntu Application Center. If you are installing Tor on Linux, you do not need to worry about the Tor browser always running in the background, as is the case with Windows or Mac OS X.
Open Pidgin. After you open it, a "Welcome to Pidgin!" Window will pop up. Click the Add button to add your hidden account (if you are already using Pidgin, you can add a new account by clicking on the Accounts menu in the Buddy List window and selecting "Manage Accounts").
The Add Account window should appear. Before proceeding to the next step, go to the Proxy tab. Set the proxy type to "Tor / Privacy (SOCKS5)". In the Host field, enter 127.0.0.1, and in the Port field, enter 9150 if you are using Windows and 9050 if you are using Linux.
Come up with a unique username and password for this account and enter them in the appropriate fields. These settings ensure that Pidgin will connect to this account through Tor. Entering a username and password is optional, but if you use them, Tor will select different communication channels for this account , which will increase your anonymity.
Click on the Basic tab. In the "Protocol" field, select "XMPP". In the field "Username" enter your username (in my case it is "pluto2"). In the Domain field, enter the name of the Jabber server (in my case, "wtfismyip.com"). Enter "anonymous" in the Resource field. In the Password field, enter your password, after which you can check the box next to it so that your password will be remembered. After all the settings, click the Add button.
If everything is done correctly, you should see the "List of interlocutors" window with the "Available" status.
Encryption keys and fingerprints
So, you've anonymously logged into your hidden account via Tor. The next step is to create an encryption key using the OTR protocol. Anyone wishing to use the OTR protocol must generate their own key. This key is a file stored on the device that you use to exchange messages. Each key contains a unique sequence of characters called the fingerprint of that key: no two keys can have the same fingerprint.
Let's try to create our own key with OTR encryption. In the Buddy List window, click on the Tools menu and select Plugins. You should see "Off-the-Record Messaging", which indicates one of the plugins. Make sure there is a check mark to the left of it.
Once you have selected Off-the-Record Messaging, click on the Configure Plugin button. Select your hidden account and click on the Generate button to generate a new key. After completing the procedure, you will have a new fingerprint with OTR encryption. In the same window, check the box next to Require private messaging.
In our example, I created a new key using OTR encryption for my account [email protected] with fingerprint A65B59E4 0D1FD90D D4B1BE9F F9163914 46A35AEE. If you want to start a personal correspondence with someone, tell this person your username and server name, as well as the key fingerprint with OTR. After he creates an anonymous Jabber account and generates an OTR encrypted key, ask him to also tell you his username, server name and key fingerprint.
After starting the exchange of encrypted messages, you will be able to see your interlocutor's key fingerprint, and he will be able to see yours. If the fingerprint that was given to you matches the fingerprint that is displayed in Pidgin, then this contact can be marked as trusted. If the fingerprint that you submitted matches the fingerprint displayed in Pidgin, then your contact can also be marked as trusted.
This stage is somewhat confusing, but very important. If the keyprints do not match, this means that a middleman attack is directed at you. In this case, do not mark the contact as reliable, but try to repeat the procedure a little later.
Adding contacts and personal correspondence
I am trying to start private messaging with my friend. He informed me that his Jabber account is [email protected].
After I have created my pluto2 account, I want to add user 0060e404a9 to my contacts. In the Buddy List window, I click on the Buddies menu and select Add Buddy. In the interlocutor name field, I enter “[email protected]” and click the “Add” button.
Once you've added a contact to Jabber, you can't immediately tell if it's online or not. First, you need to get the user's consent to view his status. So now I need to wait for 0060e404a9 to sign in to his account and confirm my request to be added to the contact list.
So 0060e404a9 allowed me to see when he is online, and he sends a request for me to allow him to see when I am online. I click on the "Authorize" button.
Now I have added user 0060e404a9 as my contact for the first time and it will show up in my contact list when he is online. Then all I have to do to start communicating with him is to double-click on his name. I double-clicked on contact 0060e404a9 and wrote “hello”.
Before sending my message, Pidgin started an OTR encrypted session. Please note the inscription “[email protected] is not yet authenticated. You need to authenticate this interlocutor. " You can also see the yellow text “Unverified” at the bottom right of the window. This means that during the exchange of encrypted messages, I cannot be completely sure that a middleman attack will not occur.
Click on the link "Not verified" and select "Authenticate buddy" (Authenticate buddy). The window "Authenticate interlocutor" offers three authentication options: "Question and answer", "Secret word" and "Manual fingerprint verification". To view the prints of both sides of the conversation, select the last one.
Although the Question and Answer and Secret Word methods do an excellent job, I will not describe how they work.
The OTR fingerprint of this contact is 6F3D8148 DA029CDA 23C92CF7 45DA09C5 ED537DC4. Before continuing, I want to make sure that this is his fingerprint, so I ask him about it via an external channel (not in this chat, since I do not know how reliable it is).
So, the interlocutor gave me the details of his fingerprint, and by comparing each of his characters with the characters of the fingerprint that is displayed in Pidgin, you can make sure that these fingerprints match. This means that no attack is being made on encryption, and I can safely change the inscription from “I have not checked” to “I have checked” (I have) and click the “Authenticate” button. The conversation will now change from Unverified to Private.
You only need to go through the confirmation stage before starting to exchange encrypted messages with a new contact. If tomorrow I log into my account and start a new conversation with 0060e404a9, then I can immediately start working, considering this conversation is secure.
That, in fact, is all. Bottom line: we created an anonymous Jabber account over the Tor network. We have configured the Pidgin messaging program and can log into this account via Tor. We have created a new OTR encryption key for this account. We added one contact to our account and verified their OTR encryption fingerprint. Now we can exchange messages with this contact at a sufficiently high level of information security.
Transferring encrypted messages anonymously in Android
Installing ChatSecure and setting up an anonymous account over Tor
Open the Google Play app and install Orbot - the same Tor, only for Android. Launch the app and hold the big button in the center of the screen to connect to the Tor network. To set up your Jabber account, you must first connect to Tor.
Now open the Google Play app and install ChatSecure, a Jabber app with OTR encryption. Once you launch ChatSecure, you will be prompted to set a master password. It can be quite helpful if you are unsure of what to do next. You will need this master password every time you launch the ChatSecure app and connect to your anonymous account. If you need extra protection, try using a high entropy passphrase for your master password.
Now swipe right a few times until you get to the “Secret Identity!” Page and then click on the “Add Account” button.
ChatSecure will automatically create a new hidden Jabber account for you over the Tor network. In my case, the system picked up the name 0060e404a9 on the jabber.calyxinstitute.org server. Click on your name for more details.
Click on the Advanced Account Options button and change the Chat Encryption to Force / Require.
You are now logged into your hidden account anonymously via Tor.
Encryption keys and fingerprints
Anyone wishing to use the OTR protocol must generate their own key. This key is a file stored on the device that you use to exchange messages. Each key contains a unique sequence of characters called the fingerprint of that key: no two keys can have the same fingerprint.
If you want to start a personal correspondence with someone, tell this person your username and server name. ChatSecure won't generate an OTR encryption key for you until you start exchanging encrypted messages, so if you've just created an account, you won't be able to tell the other person about your fingerprint in advance.
After your interlocutor creates an anonymous Jabber account, ask him, among other things, to give you his login and server name. As soon as you start exchanging messages with him, you will be able to see each other's prints.
Now via an external channel - that is, by texting not in a chat, but via a different communication channel - tell your interlocutor your OTR fingerprint and ask him to send you his OTR fingerprint.
If the fingerprint that was sent to you matches the fingerprint displayed in ChatSecure, then this contact can be marked as trusted. If the fingerprint that you sent matches the fingerprint that is displayed in the program used by your interlocutor, then your contact can also be marked as trusted.
This stage is somewhat confusing, but very important. If the keyprints do not match, this means that a middleman attack is directed at you. In this case, do not mark the contact as reliable, but try to repeat the procedure a little later.
Adding contacts and personal correspondence
I am trying to start private messaging with my friend. He informed me that his Jabber account is [email protected] and his OTR fingerprint is 71863391 390AF4A8 D5692385 5A449038 7F69C09C.
After I have created a temporary account 0060e404a9, I want to add the user pluto3 to my contacts. In ChatSecure, I click on the "+" icon at the top right of the screen and select "Add Contact". Then in the Jabber ID field I enter “[email protected]” and click on the “Send Invite” button.
As soon as I add a new contact, ChatSecure allows me to send a message. But before you make contact with your interlocutor, it is better to wait until you are sure that he is online. To start exchanging messages encrypted using the OTR protocol, both me and pluto3 must be online at the same time.
Once you've added a contact to Jabber, you can't immediately tell if it's online or not. First, you need to get the user's consent to view his status. So now I have to wait for pluto3 to log in to their account and confirm my request to be added to the contact list.
So pluto3 has allowed me to see when he is online, and he sends a request for me to allow him to see when I am online. I click on the "Yes" button.
After I added pluto3 to my contact list, I can see when he is online and send messages to him. Please note that there is an open lock icon in the upper right corner of the screen: this indicates that OTR encryption is not yet in use. I have to click on the lock icon and select the Start Encryption option.
Note that the lock is now closed and a question mark has appeared on it. I need to click on the padlock again and select the Verify Contact option.
On my screen, I compare the pluto3 OTR fingerprint with the one that my interlocutor gave me initially, and I see that they match. This means that you are not targeted by a middleman attack.
My OTR fingerprint is also listed here. Now I need to tell the interlocutor via an external channel my fingerprint so that he can check it.
I click on the Manual button to manually confirm the matching prints, after which the question mark on the lock icon changes to a green checkmark.
You only need to go through the confirmation stage before starting to exchange encrypted messages with a new contact. If tomorrow I log into my account and start a conversation with pluto3, then I can immediately start working, considering this conversation secure.
That, in fact, is all. Bottom line: we installed the Orbot program and connected it to the Tor network on Android. We installed the ChatSecure app and created an anonymous hidden Jabber account. We added one contact to this account, started an encrypted messaging session, and verified the correctness of the OTR fingerprints. Now we can start a correspondence with him at an extremely high level of information security.
Note: The original version of this article stated that Jabber and OTR for Tor on iOS cannot be used. In fact, ChatSecure for iOS has experimental support for Tor.
(c) cryptoworld.su
Content
1. Installing Adium and setting up an anonymous account over Tor
2. Adding contacts and personal correspondence
However, if you take the necessary steps to protect your information, you will be able to transmit secret and anonymous online messages. In this article, I will explain in detail how to do this. We consider in detail the methods by which the two and a half years ago took the informant and former NSA employee Edward Snowden, to contact me. In other words, I'll show you how to create an anonymous online chat account and exchange messages using an encryption protocol called Off-the-Record Messaging, or OTR.
If you don’t want to read the entire article, you can skip straight to the section that describes step by step how to create an account on Mac OS X, Windows, Linux and Android platforms. When you have enough time, go back to the beginning and read the important notes that come down to these sections.
First, you need to make sure you're using end-user encryption. end-to-end encryption]. In this case, the message will be encrypted at one end - say, on a smartphone - and decrypted at the other - for example, on a laptop. No one, including your ISP, will be able to decrypt your message. Compare this type of encryption with another type when you connect through your ISP, for example, over an HTTPS connection. HTTPS will protect your message from potential Wi-Fi snoopers like teenagers with Wireshark installed or your service provider, but it won't be able to protect your message from the company on the other end of your connection - like Google or Facebook - or from law enforcement and intelligence. services requesting information from these companies.
Another, no less important note is the need to protect not only the content of your correspondence, but also its metadata. Some metadata, such as who is talking to whom, can play a very important role. If someone is going to contact a journalist, then encrypting the letter alone will not be enough to hide the very fact of the correspondence with the journalist. Likewise, if you are unhappy lovers trying to connect with each other and keep it secret from your warring families, you will have to hide not only the content of your love messages, but also the fact that you, in principle, got in touch. Let's take a quick look at how this can be done.
Identity hiding
Imagine Juliet trying to get in touch with Romeo. They both know that if they use phone, mail, Skype or other traditional methods, they will not be able to hide the fact that they have been in contact from their influential families. The trick is to hide rather not that they communicated, but that they are Romeo and Juliet.
Juliet and Romeo decided to create new communication accounts. Juliet took the pseudonym Ceres and Romeo took the name Eris. Now that Ceres and Eris can exchange encrypted messages, it will be much more difficult to find out that Juliet and Romeo are hiding under these names. If Juliet's account is checked for a connection to Romeo - and her hot-tempered cousin is, to put it mildly, a little presumptuous - then no evidence will be found.
Of course, it is not enough just to take a new name for yourself. At this stage, it is still possible, and sometimes even quite simple, to find out that Juliet is hiding under Ceres, and Romeo under Eris.
Juliet logs into her account under the name "Ceres" from the same IP address that she uses for other purposes on her computer (for example, when she contacts Lorenzo's brother by e-mail). If its activity on the Internet is tracked (and this is probably the case, because all our activity on the Internet is tracked), it will not be difficult to correlate a number of facts. If the service is forced to transmit the IP address from which the Ceres user goes online, then it can easily be correlated with Juliet's IP address. Romeo has the same problem.
Independent services like telecommunications companies and mail domains have access to private information about their users, and according to the "third party doctrine" these users "cannot expect to hide" such information. This principle applies not only to secret lovers: journalists, who may receive a number of privileges under the First Amendment of the US Constitution, must closely monitor who is in charge of their communications services. In 2013, the US Department of Justice received evidence of a number of phone calls made by Associated Press reporters during an investigation into a data breach. Many news outlets do not have own mail service: New York Times and Wall Street Journal use Google mail, USA Today uses Microsoft services - so the US government can request their data. (The Intercept uses its own mail service).
Anonymity
In order to hide her private correspondence, Juliet must draw a clear line between Ceres's account and her real identity. By far the easiest and most secure way is to use an open source decentralized anonymous network called Tor.
Tor is designed to use the Internet anonymously. It is a decentralized network of arbitrary "nodes" - computers that transmit and execute requests on the Internet on behalf of other computers. Tor allows you to remain anonymous by connecting you to the Internet through a series of such nodes. If at least one of the nodes was deliberately placed in the series, then no one will be able to find out who you are and what you are doing: you can either find out your IP address without knowing what you are doing on the Web, or find out what you are doing on the Web without knowing your IP address.
Most of those who have heard of the Tor network also know about the browser of the same name, which can be used to browse the web anonymously. But beyond that, its software can be used anonymously for other purposes, including messaging and emails.
If Romeo and Juliet use the Tor network to access their Eris and Ceres accounts, and if they exchange messages encrypted using the OTR protocol, they will finally be able to organize private online correspondence regardless of whether they will be spied on. or not.
Romeo and Juliet secretly exchange encrypted messages from anonymous accounts
Hackers and carders surround us from all sides
Now that Romeo and Juliet have created new anonymous Tor accounts, let's test every part of our system for flaws.
From Juliet's side: An attacker monitoring Juliet's internet traffic will be able to see that some of her traffic is passing through Tor, but will not be able to understand what Juliet is using it for. If hackers begin to check who Juliet writes e-mails to, who she contacts on Skype, who calls and sends messages, then there will be no signs of her connection with Romeo. (Of course, the use of the Tor network itself can raise suspicion. That is why The Intercept recommends that, in order to maintain anonymity, make a network connection from her personal computer that is not connected in any way with the service provider. In other words, to protect herself, Juliet could go to Internet from a Starbucks or public library).
From Romeo's side: An attacker monitoring Romeo's internet traffic could see that some of his traffic goes through Tor. If this person looks through all the mail, calls, messages, as well as Romeo's activity on Skype, then he will not be able to find Juliet.
From the side of the chat server: the messaging service itself can track that someone with an IP address on the Tor network created a user "Ceres", someone with an IP address on the Tor network created a user "Eris", and both of these users exchange with each other encrypted messages. It is impossible to find out that Ceres is actually Juliet or that Eris is actually Romeo, since their IP addresses are hidden by Tor. It is also impossible to know what Ceres and Eris are talking about among themselves, because their messages are encrypted using OTR. These accounts could just as easily belong to a whistleblower and journalist, or a human rights activist and his lawyer, rather than two lovers exchanging poetry.
Even after taking these steps, there is still a small fraction of metadata that can leak out if you act inadvertently. Here are some things to keep in mind:
- Be sure to use Tor when creating a messaging account, not just when you are chatting.
- Never log into your account if you are not on the Tor network.
- Make sure that your login does not reveal your real identity: for example, do not use a login that you have previously used. Instead, you can take a random name that has nothing to do with you. Often, many people think that an anonymous account should become your "second self". These people come up with a cool login and then get attached to it. However, it is better to treat your new name as something one-off or temporary: your task is to hide the hidden identity, and not put it on public display. A set of random characters like "bk7c7erd19" will do much better as a name than "gameofthronesfan".
- Don't use a password that you already use elsewhere. Reusing passwords will not only lower your security level, but it can also expose you if you enter the same password in an account that is somehow associated with your real identity as in your anonymous account.
- Keep track of who you are in contact with and through which of the anonymous accounts. If one of your contacts is unsecured, it can increase the chances that other contacts will also be unsecured. It would be logical to create a separate account for each individual project or contact in order to reduce the risk of exposing the whole network of anonymous contacts.
- Do not provide any personal information to the messaging service
- Monitor your habits. If you log into your account in the morning when you start using your computer, and log out in the evening after finishing work, the service will store information about what time zone you are in and what time you work. For you, this may not be so important, but if it is still important, it is better to agree with the interlocutor about the time when you will be online.
- Keep track of how you use your IP address in Tor. If you use Tor for both an anonymous account and a regular account that has something to do with you, then server log entries may indicate a link between your anonymous account and your real identity. Using a unique username and password for the SOCKS protocol, you can configure Tor so that each of your accounts will work in different communication channels. This will be discussed in more detail later.
Tor is not flawless
Tor provides high-level network anonymity, but ensuring true anonymity is a problem that is almost impossible to find a solution to. There is a real arms race between Tor developers and scientists on the one hand, and influential hackers who want to be able to secretly expose or censor netizens on the other.
Tor has never been a reliable defense against a "global observer" - a force that can monitor all nodes of the network in real time around the world. These forces could monitor the traffic of Tor users entering the network, watch traffic flow around the world, and then watch as that traffic leaves the network, thereby explaining which traffic belongs to a particular user.
Despite all this, Snowden's documents published by The Guardian indicate that the combined spy force of the Five Eyes [eng. Five Eyes] (USA, UK, Canada, Australia and New Zealand) are not yet considered a "global observer": at least they were not considered so in July 2012, when the presentation of these top secret materials took place. As it turns out, Western intelligence agencies can only expose a random unlucky user for their own benefit and have never been able to expose a specific user on demand.
As promising as it sounds, Tor can't always hide your identity, especially if you're already under surveillance. A striking example is the arrest of Jeremy Hammond.
The FBI suspected that Hammond might be a member of the LulzSec hacker group, which continued to commit cybercrime in 2011. In particular, the FBI believed that he could work in online chat under the pseudonym sup_g. His staff set up surveillance of Hammond's apartment in Chicago, monitoring which servers he connected to over his Wi-Fi network. A legally certified FBI document states that "a significant portion of the traffic originated from [Hammond's] Chicago apartment and onto the Internet via the Tor network." The FBI conducted a low-tech traffic correlation attack to confirm that Hammond was in fact operating under the name sup_g. When Hammond left his apartment, Tor traffic would stop and sup_g would log out of the chat. When he returned home, traffic resumed, and sup_g reappeared on the network.
Thor is not supernatural; it is just a tool. The person who uses it should consider the FBI's activities if they wish to remain anonymous.
Workstation security
One more caveat can be made. If a hacker breaks into Juliet's computer, then he can find out what she was doing. The same situation is with Romeo. You can encrypt all traffic and use all the nodes in the world to protect your data, but if a hacker can see the text you are typing, as well as your computer screen, then you cannot hide from him.
It is extremely difficult to protect your computer from attacks if you are being hunted by powerful hackers. You can reduce the risk of your computer being compromised by using a separate device solely for a secure connection, because the computer you use for everyday tasks will be much easier to hack.
In addition, for personal correspondence, you can use a tool such as Tails. It is a portable operating system that you can install on a USB flash drive and work with it anonymously, even if hackers break into your regular operating system. Despite the fact that Tails will provide you with a high degree of protection for your personal correspondence, it is a rather complex tool. New users will have to spend several days troubleshooting all sorts of problems, especially if they are new to Linux.
Most users are happy with their normal operating system, with which you can exchange private messages in real time and not worry about being hacked - although in this case, the likelihood of data leakage that you would like to keep secret is higher. This option is much more convenient and easier to get started with if you only need a little personal space and do not have critical data that could be at risk.
First contact
When you are about to start an online correspondence, it is not always clear exactly how to do it. If you can meet a person in person, then establishing a secure communication channel is quite simple: when you meet, you just need to ask each other for logins, messaging server data and OTR fingerprints (see below for more details).
However, it is not always possible to meet in person: you may be at a great distance from each other, or one side may want to remain unknown to the other. Even if you both want to meet in person, how do you go about it if you need to hide the fact that you are in touch with each other?
In order to establish the first contact with Romeo, Juliet must specifically create an anonymous account for this, which will allow her to contact Romeo's public account. She can poison Romeo an email from her anonymous mailbox. Most email services require a user's phone number when creating an account, and some deny access to all Tor users, making it more difficult to create an anonymous account. Juliet could also create an anonymous social media account and use it to link to Romeo's public profile.
If possible, she should encrypt the first messages she sends to Romeo. The procedure is simplified if Romeo publishes the PGP key. All The Intercept journalists publish their PGP keys on the employee profiles page. If you are going to make the first contact with a journalist working in an organization that uses the SecureDrop platform, you can use it so as not to create new anonymous accounts and not deal with PGP keys. SecureDrop is also used by The Intercept.
At the first contact with Romeo, Juliet must indicate the chat server on which she created the account, her username, OTR fingerprint and the time when she will be waiting for him on the network. In addition, she can give Romeo the necessary instructions for creating an account, possibly referring to this article.
If both Juliet and Romeo logged into their anonymous accounts and began exchanging encrypted messages with OTR fingerprints, then the job is almost done. Depending on how Juliet first established contact with Romeo, careful examination of Romeo's emails and his social media account may reveal the user details of Juliet's anonymous account: one way or another, she must tell him that data. This is how investigators can find out Romeo's hidden profile.
To prevent such situations, Juliet and Romeo can delete their accounts and switch to new ones without leaving any traces. Indeed, Juliet and Romeo should leave their old accounts when they see fit and switch to new accounts with new OTR encryption keys. There are hundreds of public chat servers and it is completely free to create a new account.
From theory to practice
Now that you are familiar with the theory of hiding your identity, it is time to put it into practice.
Do not be alarmed, I am sure you will succeed. All you need to do is follow the instructions provided for Mac OS X, Windows, Linux and Android users. (Unfortunately, you won't be able to contact anonymously via chat servers on iPhone.) Practice with your friend first.
Jabber and Off-the-Record
When I talked about "chat servers" I was actually referring to Jabber servers, also known as XMPP. Jabber is an open protocol for instant messaging; it is not a special service like Signal, WhatsApp or Facebook. Jabber is a decentralized, integrated email-like application. I can send an email from my @ theintercept.com mailbox to your gmail.com because The Intercept's and Gmail servers use the same standard protocol.
So everyone has the opportunity to run a Jabber server: it is used by many organizations, including the Calyx Institute, Riseup, Chaos Computer Club and DuckDuckGo and others. There are hundreds of other public Jabber servers out there. Many organizations run private Jabber servers, including The Intercept subsidiary First Look Media. The messaging service HipChat is powered by Jabber, while its competitor, Slack, uses Jabber gateways.
Since Jabber is decentralized, a user with a Jabber account like [email protected] can chat with [email protected]. But if both parties - Romeo and Juliet in our example - use the same server for their Jabber accounts, then the metadata of their correspondence will be better protected. Messages will be stored on the same server and will not be transmitted over the Internet.
Unlike email, most Jabber servers allow users to create accounts through Tor and do not require any personal information from you. Generally speaking, many Jabber servers run anonymous services that allow Tor users to communicate with each other without ever leaving the network. This topic is quite complex, so for the sake of simplicity, I will not use anonymous services when describing the instructions in the future.
Off-the-Record (OTR) is an encryption protocol that can add end-user encryption to any messaging service including Jabber. To exchange encrypted messages, both parties must use software that supports OTR encryption. There are several options, but this article covers Adium for Mac users, Pidgin for Windows and Linux users, and ChatSecure for Android users. ChatSecure is also available on iOS, but the app is not fully Tor compatible on iOS devices.
Choosing a Jabber server
If you are going to hide your identity by creating an Android account, you can skip directly to the appropriate section. ChatSecure for Android has built-in support for creating temporary anonymous accounts to hide your identity.
Everyone else needs to download and install the Tor browser. Open it and download our article in this browser, not the one you used before. So, you are now using the Tor browser. This is a very important point because I don't want your IP address to get lost in the log files of every Jabber server you intend to use. As will be shown later, this will be the main idea behind revealing your identity.
You have hundreds of Jabber servers to choose from. You can find lists of some of the public Jabber servers, such as here and here. Which one should you choose?
The server will not be able to determine who you really are (you will connect over the Tor network) or what you write about in your messages (you will use the OTR protocol to encrypt your messages), so you do not need to worry about that. However, it is better to choose a server that is less likely to pass log files to your government, and it will not be very happy about the fact that Tor users create anonymous accounts.
More often than not, people create Jabber accounts directly through messaging programs. Setting up such a program to send messages through Tor from your account is easy. It is more difficult to make sure that the program allows you to create new accounts through Tor (if you are using the Tails operating system, then you have nothing to worry about, since all your traffic will go through the Tor network). Therefore, I recommend choosing a Jabber server that will allow you to create a new account from the program's website, and you can do this in the Tor browser instead of the messaging program.
The following are several Jabber servers where you can create new accounts using the Tor browser. They are randomly selected from a list of public servers: ChatMe (located in Italy), CodeRollers (located in Romania), Darkness XMPP (located in Russia), KodeRoot (located in the USA), Jabber.at (located in Austria), Hot-Chilli (located in Germany), XMPP.jp (located in Japan), etc. The list is quite long.
Ready to get started? Select a Jabber server. Come up with a login that has nothing to do with your real identity. Come up with a password that you don't use anywhere else.
Create a Jabber account using the Tor browser. Now write down the details of the server on which you created your account, your username and password, and proceed to the next section depending on the platform you are using: Android, Mac OS X, Windows or Linux.
Choose your operating system:
- Anonymous encrypted messaging on the Android platform;
- Anonymous encrypted messaging on Windows and Linux platforms;
- Anonymous encrypted messaging on the Mac OS X platform.
Transferring encrypted messages anonymously on Mac OS X
If you have not already created a new Jabber account using the Tor browser, follow the instructions in the Choosing a Jabber Server section above to create one. Make sure you know on which server you created your account, as well as your username and password.
For this example, I created a Jabber account on the xmpp.jp server and took the pluto1 login.
Installing Adium and setting up an anonymous account over Tor
Download and install Adium, a messaging client for Mac that supports OTR encryption.
Make sure the Tor browser is open. While it is open, the Tor service runs in the background on your computer. When you close the Tor browser, the Top service will also stop running. This means that every time you want to use your hidden Jabber account, your Tor browser must be running in the background, otherwise Adium simply won't be able to connect. So, open your Tor browser and don't close it until you have followed all the instructions.
Open Adium. After you open it, the Adium Assistant Wizard window will pop up. Close it: we'll create an account manually to get more options.
With the Contacts window selected, click on the menu bar at the top of Adium and select Preferences. Make sure the Accounts tab is selected at the top of the window. Click on the "+" button at the bottom left of the window to add a new account. Then select "XMPP (Jabber)" from the drop-down list.
This will bring up a new dialog box in which you can set the settings for your account.
Before proceeding to the next step, switch to the "Connect using proxy" tab and select the "SOCKS5" type from the list. In the Server field enter "127.0.0.1" and in the Port field enter "9150". Create a username and password for this account and enter them in the appropriate fields. These settings will ensure that Adium will connect to this account via Tor. Entering a username and password is optional, but if you use them, Tor will select different communication channels for this account , which will increase your anonymity.
Click on the "Privacy" tab. In the Encryption field, change the value from Encrypt chats as requested to Force encryption and refuse plaintext.
Click on the "Options" tab. Change the "Resource" field (the default is your computer name) to "anonymous". Also, under Security, check the box next to Require SSL / TLS.
Now go to the "Accounts" tab. Enter Jabber ID. The username is pluto1 and the Jabber server name is xmpp.jp, so the Jabber ID will be written as [email protected]. Enter your password and click "OK" to log into your account.
Adium will now try to connect to your anonymous account via Tor. If everything goes well, your account with the signature "Online" should appear in the list of accounts.
Encryption keys and fingerprints
So, you've anonymously logged into your hidden account via Tor. The next step is to create an encryption key using the OTR protocol. Anyone wishing to use the OTR protocol must generate their own key. This key is a file stored on the device that you use to exchange messages. Each key contains a unique sequence of characters called the fingerprint of that key: no two keys can have the same fingerprint.
Let's try to create our own key with OTR encryption. In the Contacts window, click on the Adium menu bar and select Preferences. Go to the Advanced tab and click on the Encryption sidebar. Select your anonymous account and click on the Generate button to generate a new key. After completing the procedure, you will have a new fingerprint with OTR encryption.
In our example, I created a new key using OTR encryption for my account [email protected] with fingerprint C4CA056C 922C8579 C6856FBB 27F397B3 2817B938. If you want to start a personal correspondence with someone, tell this person your username and server name, as well as the key fingerprint with OTR. After he creates an anonymous Jabber account and generates an OTR encrypted key, ask him to also tell you his username, server name and key fingerprint.
After starting the exchange of encrypted messages, you will be able to see your interlocutor's key fingerprint, and he will be able to see yours. If the fingerprint that was given to you matches the fingerprint that is displayed in Adium, then this contact can be marked as trusted. If the fingerprint you shared matches the fingerprint displayed in Adium, then your contact can also be marked as trusted.
This stage is somewhat confusing, but very important. If the keyprints do not match, this means that a middleman attack is directed at you. In this case, do not mark the contact as reliable, but try to repeat the procedure a little later.
Adding contacts and personal correspondence
I am trying to start private messaging with my friend. He informed me that his Jabber account is [email protected] and his OTR fingerprint is A65B59E4 0D1FD90D D4B1BE9F F9163914 46A35AEE.
After I have created my pluto1 account, I want to add the user pluto2 to my contacts. First I select the Contacts window and then I click on the Contact menu button and select Add Contact. In the Contact Type field, I select XMPP, and in the Jabber ID field, I enter [email protected]. Then I click on the "Add" button to add the user to the contact list.
Once you've added a contact to Jabber, you can't immediately tell if it's online or not. First, you need to get the user's consent to view his status. So now I need to wait for pluto2 to log into their account and confirm my request to add to the contact list.
So pluto2 has allowed me to see when he is online, and he sends a request for me to allow him to see when I am online. I select his contact and click on the button "Allow to add me to your list of contacts" (Authorize).
Now I have added user pluto2 as my contact for the first time and it will show up in my contact list when he is online. Then all I have to do to start communicating with him is to double-click on his name.
I double-clicked on the pluto2 contact and wrote hello.
Before sending my message, Adium started an OTR encrypted session. Pay attention to the inscription "[email protected]'s identity not verified" ([email protected]'s identity not verified). This means that during the exchange of encrypted messages, I cannot be completely sure that a middleman attack will not occur.
In addition, the OTR Fingerprint Verification box will pop up. Does the fingerprint given to me by user pluto2 match what is written in this window?
I compare each of the fingerprint characters that pluto2 gave me earlier with the fingerprint characters that Adium refers to. It can be seen that they are indeed the same. This means that no one is conducting an encryption attack, and I can safely press the Accept button. If I didn’t have the pluto2 OTR fingerprint, I would request it from pluto2 externally. out-of-band] channel (not in this chat, since I don't know how reliable it is), and then confirm that they match. If I didn't have time for this, I would click on the "Verify Later" button.
You only need to go through the confirmation stage before starting to exchange encrypted messages with a new contact. If tomorrow I log into my account and start a conversation with pluto2, then I can immediately start working, considering this conversation secure.
That, in fact, is all. Bottom line: we created an anonymous Jabber account over the Tor network. We have configured the Adium messaging program and can log into this account via Tor. We have created a new OTR encryption key for this account. We added one contact to our account and verified their OTR encryption fingerprint. Now we can exchange messages with this contact at a sufficiently high level of information security.
In Part 1, we figured out the modern possibilities of anonymous encrypted messages that are available to a common user and discussed the practical application of technologies popular in this area using Mac OS X as an example. Android.
Transferring encrypted messages anonymously on Windows and Linux
If you have not already created a new Jabber account using the Tor browser, follow the instructions in the Choosing a Jabber Server section in Part 1 to create one. Make sure you know on which server you created your account, as well as your username and password.
For this example, I created a Jabber account on the wtfismyip.com server and took the pluto2 login.
The instructions for Windows and Linux are in the same section because they use the same program, Pidgin. Almost all the steps for both operating systems are the same, but I will tell you about their differences.
Installing Pidgin and setting up an anonymous account over Tor
If you are on Windows, download and install Pidgin, and then download and install the OTR plugin for Pidgin. Make sure the Tor browser is open. While it is open, the Tor service will run in the background on your computer. When you close the Tor browser, the Tor service will also stop running. This means that every time you want to use your hidden Jabber account, your Tor browser must be running in the background, otherwise Pidgin simply won't be able to connect. So, open your Tor browser and don't close it until you have followed all the instructions.
If you are using Linux, install the pidgin, pidgin-otr and tor packages. On Ubuntu and Debian operating systems, you can enter the line “sudo apt-get install pidgin pidgin-otr tor” in a terminal, or go to the Ubuntu Application Center. If you are installing Tor on Linux, you do not need to worry about the Tor browser always running in the background, as is the case with Windows or Mac OS X.
Open Pidgin. After you open it, a "Welcome to Pidgin!" Window will pop up. Click the Add button to add your hidden account (if you are already using Pidgin, you can add a new account by clicking on the Accounts menu in the Buddy List window and selecting "Manage Accounts").
The Add Account window should appear. Before proceeding to the next step, go to the Proxy tab. Set the proxy type to "Tor / Privacy (SOCKS5)". In the Host field, enter 127.0.0.1, and in the Port field, enter 9150 if you are using Windows and 9050 if you are using Linux.
Come up with a unique username and password for this account and enter them in the appropriate fields. These settings ensure that Pidgin will connect to this account through Tor. Entering a username and password is optional, but if you use them, Tor will select different communication channels for this account , which will increase your anonymity.
Click on the Basic tab. In the "Protocol" field, select "XMPP". In the field "Username" enter your username (in my case it is "pluto2"). In the Domain field, enter the name of the Jabber server (in my case, "wtfismyip.com"). Enter "anonymous" in the Resource field. In the Password field, enter your password, after which you can check the box next to it so that your password will be remembered. After all the settings, click the Add button.
If everything is done correctly, you should see the "List of interlocutors" window with the "Available" status.
Encryption keys and fingerprints
So, you've anonymously logged into your hidden account via Tor. The next step is to create an encryption key using the OTR protocol. Anyone wishing to use the OTR protocol must generate their own key. This key is a file stored on the device that you use to exchange messages. Each key contains a unique sequence of characters called the fingerprint of that key: no two keys can have the same fingerprint.
Let's try to create our own key with OTR encryption. In the Buddy List window, click on the Tools menu and select Plugins. You should see "Off-the-Record Messaging", which indicates one of the plugins. Make sure there is a check mark to the left of it.
Once you have selected Off-the-Record Messaging, click on the Configure Plugin button. Select your hidden account and click on the Generate button to generate a new key. After completing the procedure, you will have a new fingerprint with OTR encryption. In the same window, check the box next to Require private messaging.
In our example, I created a new key using OTR encryption for my account [email protected] with fingerprint A65B59E4 0D1FD90D D4B1BE9F F9163914 46A35AEE. If you want to start a personal correspondence with someone, tell this person your username and server name, as well as the key fingerprint with OTR. After he creates an anonymous Jabber account and generates an OTR encrypted key, ask him to also tell you his username, server name and key fingerprint.
After starting the exchange of encrypted messages, you will be able to see your interlocutor's key fingerprint, and he will be able to see yours. If the fingerprint that was given to you matches the fingerprint that is displayed in Pidgin, then this contact can be marked as trusted. If the fingerprint that you submitted matches the fingerprint displayed in Pidgin, then your contact can also be marked as trusted.
This stage is somewhat confusing, but very important. If the keyprints do not match, this means that a middleman attack is directed at you. In this case, do not mark the contact as reliable, but try to repeat the procedure a little later.
Adding contacts and personal correspondence
I am trying to start private messaging with my friend. He informed me that his Jabber account is [email protected].
After I have created my pluto2 account, I want to add user 0060e404a9 to my contacts. In the Buddy List window, I click on the Buddies menu and select Add Buddy. In the interlocutor name field, I enter “[email protected]” and click the “Add” button.
Once you've added a contact to Jabber, you can't immediately tell if it's online or not. First, you need to get the user's consent to view his status. So now I need to wait for 0060e404a9 to sign in to his account and confirm my request to be added to the contact list.
So 0060e404a9 allowed me to see when he is online, and he sends a request for me to allow him to see when I am online. I click on the "Authorize" button.
Now I have added user 0060e404a9 as my contact for the first time and it will show up in my contact list when he is online. Then all I have to do to start communicating with him is to double-click on his name. I double-clicked on contact 0060e404a9 and wrote “hello”.
Before sending my message, Pidgin started an OTR encrypted session. Please note the inscription “[email protected] is not yet authenticated. You need to authenticate this interlocutor. " You can also see the yellow text “Unverified” at the bottom right of the window. This means that during the exchange of encrypted messages, I cannot be completely sure that a middleman attack will not occur.
Click on the link "Not verified" and select "Authenticate buddy" (Authenticate buddy). The window "Authenticate interlocutor" offers three authentication options: "Question and answer", "Secret word" and "Manual fingerprint verification". To view the prints of both sides of the conversation, select the last one.
Although the Question and Answer and Secret Word methods do an excellent job, I will not describe how they work.
The OTR fingerprint of this contact is 6F3D8148 DA029CDA 23C92CF7 45DA09C5 ED537DC4. Before continuing, I want to make sure that this is his fingerprint, so I ask him about it via an external channel (not in this chat, since I do not know how reliable it is).
So, the interlocutor gave me the details of his fingerprint, and by comparing each of his characters with the characters of the fingerprint that is displayed in Pidgin, you can make sure that these fingerprints match. This means that no attack is being made on encryption, and I can safely change the inscription from “I have not checked” to “I have checked” (I have) and click the “Authenticate” button. The conversation will now change from Unverified to Private.
You only need to go through the confirmation stage before starting to exchange encrypted messages with a new contact. If tomorrow I log into my account and start a new conversation with 0060e404a9, then I can immediately start working, considering this conversation is secure.
That, in fact, is all. Bottom line: we created an anonymous Jabber account over the Tor network. We have configured the Pidgin messaging program and can log into this account via Tor. We have created a new OTR encryption key for this account. We added one contact to our account and verified their OTR encryption fingerprint. Now we can exchange messages with this contact at a sufficiently high level of information security.
Transferring encrypted messages anonymously in Android
Installing ChatSecure and setting up an anonymous account over Tor
Open the Google Play app and install Orbot - the same Tor, only for Android. Launch the app and hold the big button in the center of the screen to connect to the Tor network. To set up your Jabber account, you must first connect to Tor.
Now open the Google Play app and install ChatSecure, a Jabber app with OTR encryption. Once you launch ChatSecure, you will be prompted to set a master password. It can be quite helpful if you are unsure of what to do next. You will need this master password every time you launch the ChatSecure app and connect to your anonymous account. If you need extra protection, try using a high entropy passphrase for your master password.
Now swipe right a few times until you get to the “Secret Identity!” Page and then click on the “Add Account” button.
ChatSecure will automatically create a new hidden Jabber account for you over the Tor network. In my case, the system picked up the name 0060e404a9 on the jabber.calyxinstitute.org server. Click on your name for more details.
Click on the Advanced Account Options button and change the Chat Encryption to Force / Require.
You are now logged into your hidden account anonymously via Tor.
Encryption keys and fingerprints
Anyone wishing to use the OTR protocol must generate their own key. This key is a file stored on the device that you use to exchange messages. Each key contains a unique sequence of characters called the fingerprint of that key: no two keys can have the same fingerprint.
If you want to start a personal correspondence with someone, tell this person your username and server name. ChatSecure won't generate an OTR encryption key for you until you start exchanging encrypted messages, so if you've just created an account, you won't be able to tell the other person about your fingerprint in advance.
After your interlocutor creates an anonymous Jabber account, ask him, among other things, to give you his login and server name. As soon as you start exchanging messages with him, you will be able to see each other's prints.
Now via an external channel - that is, by texting not in a chat, but via a different communication channel - tell your interlocutor your OTR fingerprint and ask him to send you his OTR fingerprint.
If the fingerprint that was sent to you matches the fingerprint displayed in ChatSecure, then this contact can be marked as trusted. If the fingerprint that you sent matches the fingerprint that is displayed in the program used by your interlocutor, then your contact can also be marked as trusted.
This stage is somewhat confusing, but very important. If the keyprints do not match, this means that a middleman attack is directed at you. In this case, do not mark the contact as reliable, but try to repeat the procedure a little later.
Adding contacts and personal correspondence
I am trying to start private messaging with my friend. He informed me that his Jabber account is [email protected] and his OTR fingerprint is 71863391 390AF4A8 D5692385 5A449038 7F69C09C.
After I have created a temporary account 0060e404a9, I want to add the user pluto3 to my contacts. In ChatSecure, I click on the "+" icon at the top right of the screen and select "Add Contact". Then in the Jabber ID field I enter “[email protected]” and click on the “Send Invite” button.
As soon as I add a new contact, ChatSecure allows me to send a message. But before you make contact with your interlocutor, it is better to wait until you are sure that he is online. To start exchanging messages encrypted using the OTR protocol, both me and pluto3 must be online at the same time.
Once you've added a contact to Jabber, you can't immediately tell if it's online or not. First, you need to get the user's consent to view his status. So now I have to wait for pluto3 to log in to their account and confirm my request to be added to the contact list.
So pluto3 has allowed me to see when he is online, and he sends a request for me to allow him to see when I am online. I click on the "Yes" button.
After I added pluto3 to my contact list, I can see when he is online and send messages to him. Please note that there is an open lock icon in the upper right corner of the screen: this indicates that OTR encryption is not yet in use. I have to click on the lock icon and select the Start Encryption option.
Note that the lock is now closed and a question mark has appeared on it. I need to click on the padlock again and select the Verify Contact option.
On my screen, I compare the pluto3 OTR fingerprint with the one that my interlocutor gave me initially, and I see that they match. This means that you are not targeted by a middleman attack.
My OTR fingerprint is also listed here. Now I need to tell the interlocutor via an external channel my fingerprint so that he can check it.
I click on the Manual button to manually confirm the matching prints, after which the question mark on the lock icon changes to a green checkmark.
You only need to go through the confirmation stage before starting to exchange encrypted messages with a new contact. If tomorrow I log into my account and start a conversation with pluto3, then I can immediately start working, considering this conversation secure.
That, in fact, is all. Bottom line: we installed the Orbot program and connected it to the Tor network on Android. We installed the ChatSecure app and created an anonymous hidden Jabber account. We added one contact to this account, started an encrypted messaging session, and verified the correctness of the OTR fingerprints. Now we can start a correspondence with him at an extremely high level of information security.
Note: The original version of this article stated that Jabber and OTR for Tor on iOS cannot be used. In fact, ChatSecure for iOS has experimental support for Tor.
(c) cryptoworld.su
