How to circumvent Data Retention, Part 2 - OTR encryption

In a previous post (in Swedish) I discussed how to use remailers combined with GPG encryption to bypass certain feautures of data retention and wiretapping. There are however plenty of other protocols to secure, and the more we know, the less we suffer from recent intrusion in our wires.

Instant messaging is very popular among users, but the corporate standards all suffer from serious flaws. For example MSN-messenger, which is pre-installed on Windows machines, suffers from random censorship when pasting P2P links and is insecure enough to spread malware that will compromise your system. Skype is key-escrowed, so using that is equal to shout straight into the records of you local regime.

Your first rule of thumb is to choose a protocol which is open and maintained by a community, which is open enough for you to be able to host it on your own machine as a server. With the internet, escaping corporate enslavement is very easy. The basic rule with any protocol is - If you can host a service yourself, even only hypothetically, there is a line of flight from machinic enslavement!.

One such protocol is XMPP, which is supported by popular clients such as Pidgin, Adium, Empathy, Trillian and Mcabber. You can host your own XMPP server on an average Linux server, and then calmly wave goodbye to Microsoft and Skype. Second rule of thumb is: Do not ask your provider to secure your rights, enforce your rights by building your own infrastructure.

But, we don't have to go as far as to install a server just to chat. Instead you can team up with your friends and share a server as a community. Telecomix did that, and the result is xmpp.telecomix.org. It's very fancy!

Even though XMPP is usually encrypted between you and the server, you may add and extra layer of security with the next level method of Off The Record (OTR) encryption.

Let me explain why. A serious attacker on your chat-conversation, be it intrusive state surveillance or some random aggressor, may try to hijack the server by pretending to be the real one. This happens every now and then on your travels to certain states.

To remedy this effect, large-scale servers such as jabber.org use corporate signed certificates to make sure that you can trust them. However, corporate certificates can be bought and stolen, so it is a better idea to make your own ones.

Xmpp.telecomix.org has a self signed certificate. This means that your client will warn you that it is unable to find a valid signature for it. This is good, and means that we will validate it outside the automatic system. In your client you select "view certificate" and you make sure that the fingerprint corresponds to:

5D:9F:B2:15:90:A0:DE:CD:FD:A3:6E:2A:A8:FB:F1:38:D8:40:12:EB

Now, of course, also my blog may be hijacked from wherever you are connecting (now we are talking paranoia, but it is important to understand the machinery of trust and ciphers). To remedy this, you may at any time demand to see the certificate again from a Telecomix sysop. Go to chat.telecomix.org and talk to us directly if you wish.

To add the extra layer of OTR encryption you need a good client that supports it. I am using Pidgin on Linux, which is dead easy to install - just hit sudo apt-get install pidgin pidgin-otr and you will get both the client and the OTR-plugin. Pidgin also runs smoothly on my Nokia N900 under Maemo Linux. On a Mac you may use Adium and I think that Windows users may hit Trillian to also use OTR.

While the first layer of encryption simply is general for the client and server (just like https), OTR is specific between two users. You and a friend are Off The Record in a literal sense.

Time for some screen shots to lighten up this very technical blog post:

Your first step is to create an account. Just add a cool nickname and set it to create an account on xmpp.telecomix.org (or some other XMPP server that you like).

As mentioned before, you must now check the certificate for Telecomix. View details and check the fingerprint (above) and make sure it corresponds to what your client tells you.

Then add buddies, above is a picture of me adding jaywalk. (The reason for him showing up in all my tutorials is because we hang out and hack in Gothenburg very often to tinker on next level cryptography).

Okay! You are still reading! Now it is time for serious military grade ciphers, so you are adviced to re-fill your cup of coffee because now it is time to trust. We trust in DJs, we sometimes trust in facebook.com, but most of all we trust our friends. This is why our ciphers will always be stronger than those of states!

If you have successfully installed the pidgin-otr plugin, you shall activate it under tools -> plugins. Then you will get an extra feature in all the chat windows thay you have.

OTR now creates a specific encryption key for each chat-conversation you will have. This means that you must verify that every friend of yours is who he or she appears to be on XMPP. To solve that you have a few methods at hand.

If you are in the same room, you will have the highest level of security. Just press the manual fingerprint verification, and look over each others shoulders to make sure the prints are correct. You may also phone your friend and read you fingerprint to him or her, since we recognize each others voices very easily.

You may also have a shared secret. You can make one up and share with your friend.

Once you have verified an OTR session, the chat window says "private", and you now speak in ciphers with your friend. It is end-to-end, from your computer to your friends computer, and anyone listening in during the vast intertubes, will only see ciphertext.

As with all uses of cryptography, there is no such thing as perfect security. You already know this, but it is worth mentioning that there may be advanced attacks on OTR and XMPP, so use everything cautiously. However, with plaintext communication in corporate systems, you know for sure that you are monitored. With good crypto, you have made it very hard for any authority to to gain unauthorized access to your conversations with friends.

Stay secure, stay Off The Record!