How to configure a universal secure messenger: XMPP + OTR

# Preliminary remarks

Talking about the security of an instant messenger in isolation from the security of the other components of the system is somewhat strange. We will still give practical advice and instructions for less experienced users, but first a few other important points. The first is simple: a messenger does not exist by itself; it always runs inside an OS alongside other programs, which may be neither reliable nor safe. What use is a secure messenger if the fancy third-party keyboard with ponies and GIFs on your smartphone sends everything you type straight to its maker's servers? On top of that, applications store their own data on the device, sometimes in a form that is not very secure.

We will not even go into malware and vulnerabilities for each OS; QuadRooter alone is example enough. Or the story of device makers preinstalling firmware from well-known spyware producers, supposedly to collect statistics. There are even more exotic methods of remote data collection. None of this is a reason for paranoia; it is simply a reminder that vulnerabilities exist always and everywhere. It should also be understood that however beautiful an application's architecture looks in theory, in practice it is implemented by living people who make mistakes, and open source is not by itself a sufficient condition for all such errors to be found and corrected quickly.

The second point is that any messenger needs a network connection, in practice an Internet connection, which automatically means traffic passing through channels you do not control. Even if it is encrypted, that does not mean it cannot be decrypted later. Strictly speaking, systems such as SORM, and a number of laws, are designed for exactly that. Which is the third point: in some countries strong encryption is simply prohibited, in others the user must hand over decryption keys at the first request of the authorities. Incidentally, the Customs Union, which includes Russia, also has rules on this subject.

The final observation is that one always has to balance usability against security. We have previously written about building P2P VPN networks, but those suit only experienced users who will manage without our advice. Simpler options are F2F networks or other peer-to-peer networks such as Tor and I2P, which have their own messaging services (note: services inside those networks, not proxying other services through them). Even that is not simple enough for the average user. Fortunately, the EFF long ago prepared a comparison of the security of various messengers. With the above in mind, we picked two mutually compatible entries from that table, one for mobile devices and one for desktops. Both are limited to the Off-the-Record Messaging (OTR) and XMPP protocols.

# Set up ChatSecure

ChatSecure is a free, open-source messenger that, first, runs on Android and iOS and, second, interoperates with any other messenger that uses the same OTR and XMPP protocols. Messages sent from ChatSecure can be read in other clients supporting these protocols, and those clients can message ChatSecure users in turn.

Configuring it is not difficult. ChatSecure for Android needs a barcode scanner app, which it will prompt you to install. It also integrates with the Orbot Tor client. On first start it offers to set a master password, which you then enter every time you open the application. Do not skip it, and choose a strong passphrase. After that the messenger offers to add a new account.

On Android the easiest option is a Google Talk / Hangouts account, but for security it is better to create a separate account on one of the public Jabber (XMPP) servers, which you can do right in the application (for simplicity, ChatSecure offers five to choose from). For reliability, it is best for both parties to have accounts on the same server. In the program settings, enable automatic deletion of unprotected media files (Delete Insecure Media), and in the account settings require a TLS connection and force message encryption (Chat Encryption: Always Require). For some servers you also need to enable DNS SRV record lookup, because the host that actually serves the domain is not the domain itself. To reach the account settings, tap the account name in the left-hand menu.
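What the SRV setting does, and the one detail that makes it safe, as an added example (not code from the article or from ChatSecure/Pidgin; the SRV answer is constructed sample data, and the function names are ours): a client resolves `_xmpp-client._tcp.<domain>`, orders the answers by priority and weight as RFC 2782 describes, and then, after STARTTLS, validates the server certificate against the domain in the user's JID, never against the host the SRV record pointed at.

```python
"""Server discovery for an XMPP account and where the TLS check must point.

Added example, not code from the article or from ChatSecure/Pidgin. The SRV
answer below is constructed sample data. order_srv() implements the RFC 2782
priority/weight selection a client performs on a DNS SRV answer, and
wrap_starttls() shows the security-relevant detail: the certificate is
validated against the XMPP domain in the user's JID, not against the host an
(unsigned, unless DNSSEC is in use) SRV record pointed at.
"""
import random
import ssl
from dataclasses import dataclass
from typing import List


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample, not a real zone: what `dig +short SRV` would print.
SAMPLE_SRV_ANSWER = """
10 60 5222 xmpp1.example.org.
10 40 5222 xmpp2.example.org.
20 0 5222 backup.example.org.
"""


def domain_of_jid(jid: str) -> str:
    """'alice@example.org/phone' -> 'example.org' (the name TLS is bound to)."""
    _, _, rest = jid.partition("@")
    domain, _, _ = rest.partition("/")
    if not domain:
        raise ValueError(f"JID has no domain part: {jid!r}")
    return domain


def srv_name(xmpp_domain: str) -> str:
    """DNS name a client resolves for an account in xmpp_domain."""
    return f"_xmpp-client._tcp.{xmpp_domain}"


def parse_srv(answer: str) -> List[SrvRecord]:
    """Parse 'priority weight port target.' lines into records."""
    records = []
    for line in answer.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        prio, weight, port, target = line.split()
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """Connection order per RFC 2782: lower priority value first; within one
    priority a weighted random draw (zero-weight entries sorted first)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight)
        while bucket:
            total = sum(r.weight for r in bucket)
            threshold = rng.randint(0, total)
            running = 0
            for chosen in bucket:
                running += chosen.weight
                if running >= threshold:
                    break
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered


def wrap_starttls(sock, xmpp_domain: str) -> ssl.SSLSocket:
    """Upgrade an open XMPP stream socket after the server accepted <starttls/>.

    server_hostname is the JID's domain, not the SRV target: whoever can forge
    the SRV answer must not also get to choose which certificate you accept.
    Needs a live socket, so nothing here is exercised offline.
    """
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.wrap_socket(sock, server_hostname=xmpp_domain)
```

The same rule applies when a client has a manual "connect server" override: the override chooses where the TCP connection goes, the JID domain still decides which certificate is acceptable.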

Naturally, the other party also needs a similar messenger and their own Jabber account (at minimum Google Talk / Hangouts). To start a chat, they must be online. In the main ChatSecure window, tap the plus sign and either pick a contact from the list or send an invitation. An alternative, which cryptographers consider good form, is to meet in person and exchange keys directly; ChatSecure does this with QR codes. In the account settings you can display your fingerprint as a QR code, and the other person simply scans it in their ChatSecure.

After adding each other as contacts, it is also worth agreeing on a secret question and its answer so that the other party's identity can be verified remotely. Then tap the contact in the list and, in the chat window that opens, look at the lock icon in the upper right corner. If it shows a red X rather than a green check mark, tap it and enable encryption (Start Encryption). After a moment, if both sides are configured correctly and the application is active, a protected session is established. Even with forced encryption enabled in the settings, wait until the protected chat is actually established before sending anything.

On receiving an unencrypted message the messenger warns you immediately. Its notation is simple throughout: a closed padlock means the conversation is protected; no padlock, or an open one, means it is not. The secret question and answer mentioned above serve as additional authentication of the other party. To set them, tap the same lock icon at the top right, open the profile (View Profile) and choose the corresponding item; in the English interface it is labelled Question.

Messages are actually transmitted as encrypted text. If you open the same conversation in the Hangouts client, you will see messages made up of long sequences of letters and digits (OTR data messages begin with ?OTR: followed by base64). Images and any other files sent from ChatSecure travel the same way. Note that for Google accounts all this correspondence, in encrypted form, may be kept in the Gmail chat history.

# Setting up Pidgin with the OTR plugin

So, the secure messenger for mobile platforms is sorted; now let's do the same on the desktop. There are plenty of messengers with XMPP and OTR support for every desktop OS, and even specialised builds that work only with these protocols. We will consider a Windows solution compatible with ChatSecure, though only partly: only text messaging will be available. We need the open-source Pidgin messenger and the OTR plugin for it. Both have ready-made Windows installers, which are run one after the other. On first launch Pidgin prompts you to add an account; we need XMPP. As with ChatSecure, you can create a new account on any available Jabber server or use a Google account.

Note that for a Google account to work you would have to enable access for "less secure apps" in the Google settings; it is more reliable to enable 2-step verification and generate a separate app password for Pidgin. In the account's advanced settings, require encryption for the connection to the server and disallow plaintext authentication over unencrypted connections. Then in the plugin list (Ctrl+U) enable the OTR plugin and, in its settings, generate a new key (and thus a fingerprint) for the account. It is also advisable to require OTR for all conversations and, if you wish, to disable logging of conversations.

As with ChatSecure, a secure conversation requires the other party to have a Jabber account and an OTR-capable client, and to be online. To enable encryption, choose the corresponding item in the OTR menu of the conversation window. A moment later encryption is activated, shown by the status in the chat window itself and in the area to the right of and below the chat. You can additionally authenticate the other party from the same OTR menu; if they use ChatSecure, the secret question and answer option is the one to use. Once again: check that encryption is on for every new conversation.
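What the secret question and answer actually do, for both the ChatSecure and the Pidgin procedures above, as an added example (not code from the article or from ChatSecure, Pidgin or libotr): OTR runs the Socialist Millionaires' Protocol, which lets two parties learn whether they typed the same answer without either of them sending it. The block below runs both sides in one process over the group OTR uses (RFC 3526 1536-bit MODP, generator 2) and mixes the answer with both fingerprints and the session id as OTR does; the zero-knowledge proofs OTR attaches to each SMP message are omitted, so this is a model of the math, not a drop-in implementation. Fingerprints, session id and answers below are constructed sample values.

```python
"""OTR's secret question and answer: the Socialist Millionaires' Protocol.

Added example, not code from the article or from ChatSecure, Pidgin or libotr.
Both sides run in one process over the group OTR uses (RFC 3526 1536-bit
MODP, generator 2). It shows the property the article relies on: the check
passes only if both sides typed the same answer, the answer never leaves
either device, and a passing result is bound to both fingerprints and the
current session. OTR also attaches zero-knowledge proofs to each SMP message;
they are omitted here, so this is a model of the math, not a drop-in SMP.
Requires Python 3.8+ (pow(x, -1, p)).
"""
import hashlib
import secrets

# RFC 3526 group 5 prime (the group OTR uses), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # order of the subgroup generated by G


def _rand_exp() -> int:
    return 1 + secrets.randbelow(Q - 1)  # never zero


def _inv(x: int) -> int:
    return pow(x, -1, P)


def smp_secret(answer: str, fp_initiator: bytes, fp_responder: bytes, ssid: bytes) -> int:
    """Turn the typed answer into the SMP secret the way OTR does: hash it with
    both long-term fingerprints and the session id, so the same answer proves
    nothing in another session or against another key. Byte-exact: 'Blue'
    and 'blue' are different answers."""
    h = hashlib.sha256(b"\x01" + fp_initiator + fp_responder + ssid + answer.encode("utf-8"))
    return int.from_bytes(h.digest(), "big")


def smp_run(x: int, y: int):
    """Alice holds secret x, Bob holds y. Returns (alice_accepts, bob_accepts).
    The four OTR SMP messages are marked; nothing sent reveals x or y."""
    # Alice, SMP message 1: her halves of the per-run generators g2, g3.
    a2, a3 = _rand_exp(), _rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)

    # Bob, SMP message 2: his halves, plus P_b and Q_b, which encode y.
    b2, b3 = _rand_exp(), _rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)  # g^(a2 b2), g^(a3 b3)
    r = _rand_exp()
    Pb = pow(g3_bob, r, P)
    Qb = pow(G, r, P) * pow(g2_bob, y, P) % P

    # Alice, SMP message 3: P_a and Q_a encoding x, and R_a.
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)  # the same g2, g3
    s = _rand_exp()
    Pa = pow(g3_alice, s, P)
    Qa = pow(G, s, P) * pow(g2_alice, x, P) % P
    Ra = pow(Qa * _inv(Qb) % P, a3, P)

    # Bob checks, then sends SMP message 4: R_b.
    Rb = pow(Qa * _inv(Qb) % P, b3, P)
    Pab = Pa * _inv(Pb) % P  # g3^(s - r)
    bob_accepts = pow(Ra, b3, P) == Pab

    # Alice checks. (Qa/Qb)^(a3 b3) = g3^(s-r) * g2^((x-y) a3 b3),
    # which equals Pab exactly when x == y.
    alice_accepts = pow(Rb, a3, P) == Pab
    return alice_accepts, bob_accepts


def verify_answers(alice_answer: str, bob_answer: str, fp_alice: bytes, fp_bob: bytes,
                   ssid_alice: bytes, ssid_bob: bytes):
    """What the two clients compute from what their users typed."""
    x = smp_secret(alice_answer, fp_alice, fp_bob, ssid_alice)
    y = smp_secret(bob_answer, fp_alice, fp_bob, ssid_bob)
    return smp_run(x, y)
```

Two practical consequences follow from the math. The question travels in the clear and the answer is compared byte for byte, so agree on the exact spelling in advance. And a dishonest peer learns one bit per run (whether their guess matched), so an answer that is easy to guess gives little assurance; a successful run only tells you the other side knew the answer, it does not by itself make the fingerprint "verified" for future sessions unless the client records it as such.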

# Conclusion

As you can see, protecting correspondence in a messenger is not such a difficult task. Instructions for setting up OTR on other OSes and clients can be found on the EFF website, but be careful with advice on other advertised "secure" messengers. Naturally, neither they nor the instructions above guarantee 100% protection. Those interested in the topic can look at our materials on drive encryption, disabling telemetry in Windows, mobile device security and the finer points of VPNs. The best defence of all, however, is common sense and caution. We sincerely hope readers will use all this advice exclusively for good purposes.
