How to install and use OTR with Pidgin

You have probably found out that it's a good thing to encrypt private communication, but how do you go about that task? OTR is a long-established encryption method that you can transparently lay over any communication channel. It gives you real private communication, as I have explained here.

That means if you and your buddy both have OTR available, you can chat privately over (nearly) any messenger protocol, like Jabber/XMPP, MSN, ICQ and even Facebook! The catch is that your messenger needs to be able to encrypt and decrypt OTR messages. But there is a software program that even works in the dark worlds of Windows and Mac. It's called Pidgin on Linux and Windows, and Adium on Mac.

Here I explain how to set up Pidgin for Ubuntu Linux:

1. Install and enable OTR
2. Confirm encryption status
3. Verify/authenticate someone

Install and enable OTR

  1. Open a terminal: Ctrl + Alt + T
  2. Install Pidgin and OTR:
    sudo apt-get install pidgin pidgin-otr
  3. Open Pidgin and set up your messenger accounts. You can always add/remove/reconfigure accounts under Accounts > Manage Accounts.
    Sidenote: I would recommend you get yourself a Jabber account.
  4. Go to Tools > Plugins and enable Off-the-Record Messaging.
  5. To make sure that Pidgin keeps logging conversations even while OTR is active, click Configure Plugin while Off-the-Record Messaging is highlighted.
  6. Verify that Don't log OTR conversations is unchecked.

Pidgin will now automatically enable OTR if the chat partner also has OTR available. Note that the first message in a new chat will initiate the encryption but will not be encrypted itself.

If OTR becomes active for the first time on your computer it may take a while to generate the cryptographic keys. It may seem as if Pidgin hangs. Just give it a while.

Confirm encryption status

Every chat window now features an OTR indicator. The following states exist:

  • Unencrypted:
    [Image: Pidgin OTR status, bottom right of the chat window]
  • Encrypted but not verified:
    [Image: Pidgin OTR started, unverified]
    "Unverified" in this context means that you have not made sure that the other person really is the other person. It could still be that there is a so-called "man-in-the-middle" logging and storing your conversation. The threat of a man-in-the-middle attack always lingers in the background in this unverified state.
  • Encrypted and verified:
    [Image: Pidgin OTR started and verified]
    "Verified" means that you have made sure cryptographically that the other person really is the other person. If the "Verified" status downgrades to "Unverified" again, it can mean either that the other person has reinstalled their system (and therefore has a new OTR key) or that your communication channel is under attack.

Verify/authenticate someone

To verify someone's identity and remove the threat of a man-in-the-middle attack, click the OTR indicator and then Authenticate buddy:
[Image: Pidgin authenticate buddy dialog]

There you are presented with three options which are quite self-explanatory. One note about Question and answer though: the answers on both sides must match exactly, so it's quite helpful to give a hint about the correct spelling directly in the question. A question like "What's the name of my first pet? Answer: J..." helps avoid spelling mismatches.

The author

Written by Per

Free software enthusiast and transhumanist residing in Stuttgart, Germany.
