
Make Instant Messenger Chats Private with Off The Record

Many instant messenger clients can secure conversations by tunneling messages over Transport Layer Security (TLS) to provide encryption. This works with protocols including XMPP (or Jabber), IRC, and the OSCAR protocol used by AIM. There is nothing wrong with TLS, but a considerably more secure solution for IM is a protocol called Off-the-Record (OTR).

What is Off-the-Record?


Off-the-Record is a cryptographic protocol that provides strong encryption for instant messaging conversations. In addition to authentication and encryption, OTR lets conversation participants deny the conversation while keeping it confidential, like a private conversation in real life. This is the primary motivation behind the protocol, which was designed by cryptographers Ian Goldberg and Nikita Borisov.

OTR provides better security than TLS and other connection-oriented protocols by setting up a new public/private key pair for each message communicated over the channel. This is in contrast with other cryptography tools, such as PGP, that require users to already have a public/private key pair, which must be retrieved and verified through an outside channel. The output of such tools can later be used as a verifiable record of the communication event and the identities of the participants. In most cases, people using such cryptography software are not aware of this.

With the OTR protocol, when both participants in a conversation agree to start an OTR session, the clients set up an encrypted channel with Diffie-Hellman key exchange, then perform a mutual authentication routine inside that channel to verify each other's identity. After the setup, a new key exchange is performed on every message sent, based on incrementing the previously acknowledged key. The participants can independently verify each other's identity using the "Socialist Millionaires' Protocol" (SMP) which allows mutual verification without exchanging private data.

The multiple key exchanges provide "perfect forward secrecy", which means that compromising one key does not let an attacker decrypt your previous conversations. This is one of OTR's big advantages over TLS-like encryption alone. The other advantage is "deniable encryption".
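The effect of per-message key exchange can be seen in a small simulation. This is an added example, not code from OTR or from any client mentioned here: it uses a toy Diffie-Hellman group and a SHA-256 keystream as stand-ins, rotates both key pairs after every message as a simplification, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, for illustration only: 2**127 - 1 is far too small for real use.
P, G = 2**127 - 1, 3

def new_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def message_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)  # Diffie-Hellman shared secret
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # SHA-256 counter keystream, a standard-library stand-in for a real cipher.
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_session(plaintexts, rotate):
    """Return (Alice's final private key, what an eavesdropper recorded)."""
    a_priv, a_pub = new_keypair()
    b_priv, b_pub = new_keypair()
    transcript = []
    for pt in plaintexts:
        key = message_key(a_priv, b_pub)
        assert key == message_key(b_priv, a_pub)  # both ends derive the same key
        transcript.append((b_pub, xor_stream(key, pt)))
        if rotate:  # fresh exchange per message; the old private keys are discarded
            a_priv, a_pub = new_keypair()
            b_priv, b_pub = new_keypair()
    return a_priv, transcript

def recover_with_stolen_key(stolen_priv, transcript):
    """Try to decrypt recorded traffic with one private key obtained later."""
    return [xor_stream(message_key(stolen_priv, peer_pub), ct)
            for peer_pub, ct in transcript]

MESSAGES = [b"meet at noon", b"bring the files", b"see you there"]  # constructed sample

def readable_after_compromise(rotate):
    """Count recorded messages that become readable once Alice's key leaks."""
    stolen, transcript = run_session(MESSAGES, rotate)
    recovered = recover_with_stolen_key(stolen, transcript)
    return sum(r == m for r, m in zip(recovered, MESSAGES))
```

With a single static key pair, every recorded message is readable once the key leaks; with rotation, none of the earlier messages are.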

Deniable encryption allows an encrypted message to be decrypted to different sensible plaintexts, depending on the key used. This allows users to convincingly deny that the encrypted data is what they are accused of sending. Such convincing denials may or may not be genuine, but the point is that the alleged decrypted message cannot ever be proven to be authentic.

Note: Do not confuse Off-the-Record protocol with ‘off the record’ function found in Gtalk/Gmail. Off the record in Gtalk simply turns off chat logging so that messages exchanged are not archived. It has nothing to do with secured communication.

How to use Off-the-Record?

Off-the-Record Messaging is supported out of the box in a small number of IM clients.

  • climm (Unix-like)
  • MCabber (Unix-like)
  • CenterIM (Unix-like)
  • Phoenix Viewer (Cross-platform)
  • Vacuum IM (Cross-platform)
  • Jitsi (Cross-platform)
  • BitlBee (Cross-platform)
  • Spark (Cross-platform)
  • Gibberbot, an XMPP client for Android

Using plug-ins, OTR can be implemented in the following IM clients.

  • Pidgin
  • Kopete 
  • Miranda IM
  • Psi
  • Trillian
  • irssi, xchat, and weechat

For this article I’ll be using Pidgin, because Pidgin has the best implementation of the OTR protocol. Pidgin also offers an auto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations.

Download OTR plug-in for Pidgin from this website. Plug-ins for other IM clients are available from the same site.

After it’s installed, log in to your chat account on Pidgin, then open the Tools menu and click Plugins. Scroll down the plugin list, select Off-the-Record Messaging, and click Configure Plugin.


You’ll now need to generate a key. You might also prefer to not log OTR conversations for added privacy.


From your list of buddies, select a contact and initiate a chat conversation like you normally would. From the private chat window, click on the OTR menu and choose ‘Start private conversation’. After a brief exchange of authentication keys, secure chat will be enabled.


You can choose to authenticate a buddy (from the OTR menu) by different means such as Question and Answer or a Shared secret.


The private conversation can be ended or refreshed at any point by either party.

The video below demonstrates Off-the-Record messaging between two different IM clients.
