Instant Messaging with Off the Record (OTR) Encryption

Background

Given the warrantless wiretapping activities of the National Security Agency and various telecom providers, your instant messaging (IM) traffic, in fact all of your traffic, is becoming available to prying eyes. Even using SSL encryption for public IM services (AOL, MSN, YIM, etc.) is not helpful, as a subpoena forces them to turn over the logs of the conversation which they store on their servers. Sometimes it does not even take a subpoena.

This is where Off-the-Record (OTR) messaging comes into play. Created by Ian Goldberg, Chris Alexander and Nikita Borisov, OTR provides four major properties to ensure private conversations.

– Encryption
No one else can read your instant messages.

– Authentication
You are assured the correspondent is who you think it is.

– Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.

– Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised. [1]
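
The deniability property above follows from authenticating each message with a shared-key MAC rather than a signature: both parties hold the same key, so a valid tag convinces the recipient but proves nothing to a third party. The Python below is an added example, not code from OTR or from the original page; it uses HMAC-SHA256 with a constructed random key standing in for the key a real session would derive from its key exchange, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def tag(mac_key: bytes, message: bytes) -> bytes:
    """Authenticate a message with a symmetric MAC (HMAC-SHA256)."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, mac: bytes) -> bool:
    """Constant-time check that the MAC matches the message."""
    return hmac.compare_digest(tag(mac_key, message), mac)


def demo() -> dict:
    # Constructed stand-in for the per-session MAC key (assumption: a real
    # session derives it from an authenticated key exchange).
    mac_key = secrets.token_bytes(32)

    # During the conversation: Alice tags, Bob verifies with the same key.
    alice_msg = b"meet at noon"
    alice_tag = tag(mac_key, alice_msg)
    accepted = verify(mac_key, alice_msg, alice_tag)

    # A message modified in transit no longer matches its tag.
    tamper_rejected = not verify(mac_key, b"meet at nine", alice_tag)

    # Bob holds the same key, so he can tag text Alice never wrote. A
    # transcript with valid tags therefore cannot show which of them wrote it.
    bob_text = b"text Alice never sent"
    peer_can_forge = verify(mac_key, bob_text, tag(mac_key, bob_text))

    # Once a used MAC key is made public after the conversation, anyone who
    # has it can produce valid tags, so old transcripts carry no proof.
    published_key = mac_key
    other_text = b"text written by a third party"
    anyone_can_forge = verify(published_key, other_text,
                              tag(published_key, other_text))

    return {"accepted": accepted, "tamper_rejected": tamper_rejected,
            "peer_can_forge": peer_can_forge,
            "anyone_can_forge": anyone_can_forge}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a digital signature the last two checks would fail for anyone but the key owner, which is exactly the third-party checkability OTR avoids.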

Ian Goldberg provides a terrific explanation of why current methods for IM privacy (e.g. GPG/PGP) do not work and how OTR works. At the bottom of the page is a link to the OGG/Theora torrent. Torrents for other versions (e.g. AVI, MPEG) are available here.

Implementations

There are several ways to take advantage of OTR. One is to use a client which includes either native OTR support or an OTR plugin. Such clients include Adium X (native), mICQ and Pidgin (plugin). The other option, if you choose not to use any of these clients, is to use otrproxy. Please note that otrproxy is currently limited to AIM and ICQ only, cannot use additional proxies (e.g. Tor) and does not allow the ports it uses to be changed.