pidgin - secure instant messaging


Upload: hossam-el-hamalawy

Post on 18-Apr-2015


Page 1: Pidgin - Secure Instant Messaging

Pidgin - secure instant messaging

Pidgin is a free and open source client that lets you organise and manage your different Instant Messaging (IM) accounts using a single interface. The OTR plug-in allows for secure and authenticated communications with Pidgin.

Homepage

www.pidgin.im

Computer Requirements

An Internet connection

All Windows Versions

Version used in this guide

Pidgin 2.5.2 and OTR 3.2.0

License:

Free and Open-Source Software

Installing Pidgin and OTR

Follow any program-specific directions in the Guide. If there are none, simply click the link below and choose a location to save the installer. Find the installer on your computer and double-click it.

Pidgin: OTR:

Required Reading

How-to Booklet chapter 7. Keeping your Internet Communication Private

Level: 1: Beginner, 2: Average, 3: Intermediate, 4: Experienced, 5: Advanced

Time required to start using this tool: 30 minutes

What you will get in return:

The ability to organise and manage some of the most popular instant messaging services through a single program

The ability to have private and authenticated chat sessions

1.1 Things you should know about this tool before you start

Pidgin is a free and open source client that lets you organise and manage your different Instant Messaging (IM) accounts using a single interface. Before you can start using Pidgin you must have an existing IM account. For instance, if you have an email account with Gmail or Yahoo, you can use the IM service offered by that company with Pidgin. Use the login details to access your IM account through Pidgin.

Note: All users are encouraged to learn as much as possible about their instant messaging service provider's privacy and security policies.

Pidgin supports the following IM services: AIM; Google Talk; ICQ; IRC; MSN; QQ; Yahoo!; and all other IM clients running the XMPP protocol.

Pidgin does not allow communication between different IM services. For instance, if you are using Pidgin to access your Google Talk account, you won't be able to chat with a friend who is using Pidgin with his/her Yahoo chat account. However, if you use Pidgin to connect to multiple accounts, then you can chat with friends who are using any of those services. It is a good idea to use Pidgin for your instant messaging needs, as it offers more security than the alternatives, and does not come bundled with unnecessary adware or spyware.

OTR (Off-the-Record) Messaging is a plugin developed specifically for Pidgin. It allows you to chat privately and offers the following features:

Encryption: No one else can read your instant messages.

Authentication: You are assured the correspondent is who you think it is.

Pidgin - secure instant messaging 06/03/2009 01:26

http://en.security.ngoinabox.org/book/export/html/148 1 of 18


Deniability: After the conversation, messages cannot be identified as having originated either from you or from your correspondent.

Perfect Forward Secrecy: If you lose control of your private keys, no previous conversation is compromised.

Note: You must first install the Pidgin software, and then install Pidgin OTR.

Using Pidgin

Before you can start using Pidgin, you must have an existing IM account with one of the providers listed above. You must type your IM login details into Pidgin.

Note: If you do not have an existing account registered with one of the providers listed above, and would like some help to do so, please refer to section 4.1 How to Create a Google Talk account.

2.1 How to Create a Pidgin account

Step 1. Select: Start > Programs > Pidgin to run Pidgin.

Figure 1: The Pidgin Buddy List Welcome screen

Step 2. Select: Accounts > Manage to activate the Accounts screen as follows:


Figure 2: The Accounts screen

Step 3. Click: to activate the Add Account screen as follows:

Figure 3: The Add Account screen displaying Basic and Advanced tabs

Step 4. Click the Protocol drop-down list to view supported messaging service protocols as follows:


Figure 4: The Add Account screen displaying the Protocol drop-down list

Step 5. Select the protocol that corresponds to your account.

Note: Different IM service providers will display their specific text fields for you to fill in. Some of them are automatically filled in (for example, if you select Google Talk, both the Domain and Resource text fields are completed for you). However, all services require that you enter a screen name, local alias and a password.

Step 6. In the Screen name field, type in your email address, (for example, [email protected])

Step 7. In the Password field, type in your password for this specific account.

Step 8. In the Local Alias field, type a nickname you would like to be identified by. (This field is optional.)

Important: Check the Remember password option if you want Pidgin to remember your password. However, to optimise privacy and security, it would be better to leave this unchecked, so that Pidgin will prompt you for your password whenever you connect. This way, other people are prevented from logging in and pretending to be you, when you leave your computer unattended for a period of time. Also, remember to exit or quit Pidgin when you have finished your messaging session!

A completed Add Account screen would resemble the following:


Figure 5: Example of a Completed Add Account form

Tip: Google Talk, IRC, SILC and XMPP clients can easily request an encrypted connection. Please read section 4.2 How to Enable a Secure Connection for more details.

Step 9. Click: to complete adding your account. This will simultaneously activate the updated Accounts screen and the Buddy List screen as follows:


Figure 6: The Accounts screen updated

Figure 7: The Buddy List screen in Active mode

After you have completed these steps, you are ready to add IM contact information for your friends (or "buddies," as they are referred to in Pidgin).

2.2 How to Add a Buddy

Step 1. Select: Buddies > + Add Buddy as follows:


Figure 8: The Buddy List with the Buddies menu activated

This will activate the following screen:

Figure 9: The Add Buddy screen

Step 2. Select your account, where you are using the same messaging service as your 'buddy'.

Note: Both your buddy and yourself must be using the same messaging service, even if he/she is not using Pidgin. For instance, if you have only added a Google Talk account to Pidgin, you cannot add a buddy who uses MSN or Yahoo to this account. However, you can register and use multiple accounts simultaneously in Pidgin, thereby chatting with one buddy over Google Talk and with another over Yahoo or MSN.

Step 3. In the Screen name field, type in your buddy's email address. (Remember: In Pidgin, a Screen name generally refers to an email address.)

Step 4. In the Alias field, type in a nickname for your buddy.

Step 5. Click:

Note: After you have added a buddy, a message will be sent to him/her requesting his/her approval and authorisation for your request.

Figure 10: The Authorize buddy confirmation dialog box

After your buddy has authorised the request, he/she should follow similar steps to request your account.


Figure 11: The Add Buddy screen displaying buddy information

You will receive an authorisation request from them as follows:

Figure 12: The Add Buddy screen

Step 6. Click the Authorise button and your buddy will appear in the Buddy List as follows:

Figure 13: The Buddy List screen featuring a newly created buddy

2.3 How to Chat with Your Buddy

Step 1. Right-click on your buddy's name to activate a pop-up menu listing all the tasks you can perform as follows:


Figure 14: The Buddy tasks menu

Step 2. Select IM from the pop-up menu to activate a chat window as follows:

Figure 15: A typical chat window in Pidgin

Now you're all set to chat with your buddy using Pidgin. However, you must perform a few more steps to ensure that your chat sessions will be private and secure.

How to Secure Your Chat Session with OTR


Both communicating parties need to install and configure the OTR plugin before they can have private chat sessions. Pidgin automatically recognizes when both of you have the plugin installed and configured. If you request a private conversation with a friend who has not yet installed OTR, a message will be sent to that person explaining how they can obtain the plugin.

3.1 How to Enable the Pidgin-OTR Plugin

Enabling the Pidgin-OTR plugin is the first step towards having private and secure messaging sessions. To enable the Pidgin-OTR plugin, perform the following steps:

Step 1. Select: Tools > Plugins in the Pidgin Buddy List window as follows:

Figure 16: The Tools menu with Plugins selected

This will activate the Plugins screen as follows:

Step 2. Scroll down to the Off-the-Record Messaging option, then check it to enable this feature.

Figure 17: The OTR Plugins screen with Off-the-Record Messaging selected

Step 3. Click: to begin configuring the Off-the-Record Messaging screen.


3.2 How to Generate an Encryption Key

Secure chat sessions in Pidgin are enabled by generating a private key for the relevant account. The Off-the-Record configuration window is divided into the Config and the Known fingerprints tabs. The Config tab is used to generate a key for each of your accounts and to set specific OTR options. The Known fingerprints tab contains your friends' keys. You must possess a key for any buddy with whom you wish to chat privately.

Figure 18: The Off-the-Record Messaging screen displaying the Config tab

Step 1. To optimise your privacy, check the Enable private messaging, Automatically initiate private messaging and Don't log OTR conversations options in the Config tab as shown above.

Step 2. Click: to begin generating your secure key.

Shortly, a screen notifying you that a private key has been generated appears as follows:

Figure 19: Generating private key screen

Your buddy will need to perform the same steps on his/her own computer.

Important: You have now created a private key for your account. This will be used to encrypt your conversations so that nobody else can read them, even if they manage to listen in between you and your buddies. The fingerprint is a long sequence of letters and numbers used to identify the key for a particular account. It resembles the following:

Fingerprint: 55A3638C 5DCF5BB8 0C7A2815 70DA5122 06507354

Pidgin automatically saves and verifies your and your buddies' fingerprints, so that you will not have to remember them.
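The fingerprint above is derived from the account's public key, and the Known fingerprints tab is what later tells you whether the key a buddy is using is the one you authenticated. The following Python is an added example, not part of this guide and not code from Pidgin or the OTR plugin. It formats a fingerprint in the guide's five-group layout (OTR hashes the serialized public key with SHA-1; the key bytes used here are constructed placeholders rather than real DSA keys) and keeps a small trust-on-first-use store that reports UNVERIFIED for a key it has never seen, VERIFIED once authentication has succeeded, and CHANGED when the same buddy turns up with a different key, which is exactly what happens when they generate a new key on another computer. The account and buddy names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def otr_fingerprint(serialized_public_key: bytes) -> str:
    """SHA-1 of the serialized public key, printed as five groups of eight
    upper-case hex digits, the layout shown in the guide.  The input here is a
    constructed placeholder; a real OTR key would be the serialized DSA key."""
    digest = hashlib.sha1(serialized_public_key).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of spacing or case, in constant time."""
    norm = lambda s: "".join(s.split()).upper()
    return hmac.compare_digest(norm(a), norm(b))


@dataclass
class KnownFingerprints:
    """In-memory stand-in for the Known fingerprints tab: trust on first use,
    verified only after a successful authentication, alarm when the key changes."""
    entries: dict = field(default_factory=dict)   # (account, buddy) -> [fingerprint, verified]

    def observe(self, account: str, buddy: str, fingerprint: str) -> str:
        key = (account, buddy)
        if key not in self.entries:
            self.entries[key] = [fingerprint, False]
            return "UNVERIFIED"     # "has not been authenticated yet"
        stored, verified = self.entries[key]
        if not fingerprints_match(stored, fingerprint):
            return "CHANGED"        # a different key: the buddy must be authenticated again
        return "VERIFIED" if verified else "UNVERIFIED"

    def mark_verified(self, account: str, buddy: str, fingerprint: str) -> None:
        """Called after a Shared Secret / Question-and-Answer authentication succeeds.
        Only the key actually seen in that session may be marked as verified."""
        stored = self.entries.get((account, buddy))
        if stored is None or not fingerprints_match(stored[0], fingerprint):
            raise ValueError("fingerprint was not the one observed in this session")
        stored[1] = True


def walkthrough() -> list:
    """Constructed scenario: first contact, authentication, then the buddy
    reappears with a key generated on another computer."""
    store = KnownFingerprints()
    laptop_fp = otr_fingerprint(b"constructed-public-key-of-buddy-laptop")
    results = [store.observe("me@example", "user@example", laptop_fp)]      # UNVERIFIED
    store.mark_verified("me@example", "user@example", laptop_fp)
    results.append(store.observe("me@example", "user@example", laptop_fp))  # VERIFIED
    desktop_fp = otr_fingerprint(b"constructed-public-key-of-buddy-desktop")
    results.append(store.observe("me@example", "user@example", desktop_fp)) # CHANGED
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The CHANGED result is the one to take seriously: encryption still works with the new key, but until you authenticate the buddy again you cannot tell a reinstall from someone else holding a key under your buddy's name.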

3.3 How to Authenticate a Private Conversation


There are 3 short steps involved in ensuring the security and privacy of your conversations.

The first step, which we have just completed in section 3.2 How to Generate an Encryption Key, involves creating the key for your account.

The second step requires you and your buddy to request a secure conversation.

The third step is about verifying that your buddy is actually the person who you think he/she is. This process of confirming another person's identity is known as 'authentication' in Pidgin.

3.3.1 The Second Step

Step 1. Double-click on the account of a buddy who is currently online to begin a new IM conversation. If both of you have the OTR plugin installed and properly configured you will notice that a new OTR icon appears at the bottom of your chat window.

Figure 20: A Pidgin chat window displaying the OTR icon

Step 2. Click: to bring up a menu and select: Start private conversation

Your chat window will display the following message:

Attempting to start a private conversation with user@example

user@example has not been authenticated yet. You should authenticate this buddy.

Unverified conversation with user@example started.

and the OTR button will change to look as follows:

This means that you can now have an encrypted conversation with your buddy. However, this conversation is not verified. Your buddy may actually be someone else sitting behind that computer, or someone pretending to be your buddy. Here you will need to share a secret code word (pre-arranged earlier) to authenticate each other.

3.3.2 The Third Step

In order to authenticate your buddy in Pidgin, you will need to perform one of the two identification methods.

You could authenticate each other by a code word, or by a question & answer process.

Using a code word for authentication

You can arrange a code word in advance, either by meeting each other in person or by using another communications medium (like a telephone, voice chat by Skype or a mobile phone text message). Once you both type in the same code word, your session will be authenticated.

Step 1. Right-click the OTR button in the chat window, then choose Authenticate Buddy as follows:

Figure 21: A Pidgin chat window displaying the OTR icon


An Authenticate Buddy window will pop up prompting you to choose the method for authentication.

Step 2. Click: on the drop-down menu and select: Shared Secret

Figure 22: The Authenticate buddy screen

Step 3. Type in the secret code word (it is case sensitive) and click the button.

Figure 23: The Shared Secret screen

Your buddy will see the same window at his/her end and will have to enter the same code word. If they match, your session will be authenticated.


Once the session is authenticated, the OTR button will change to . Your session is now secure and you can be sure that you are really speaking with your buddy.

Using the question & answer for authentication

If you cannot share a code word over an alternative channel, then you have another option for authenticating each other. Create a question and an answer to it. Your buddy will receive the question and if their answer matches yours, you are authenticated. Obviously, the answer will need to be typed in exactly the same on both ends.

Step 1. Right-click the OTR button in the chat window, then choose Authenticate Buddy as follows:

Figure 24: A Pidgin chat window displaying the OTR icon

An Authenticate Buddy window will pop up prompting you to choose the method for authentication.

Step 2. Click: on the drop-down menu and select: Question and Answer

Figure 25: The Authenticate buddy screen

Step 3. Enter a question and an answer to it. The question will be sent to your buddy. If their answer matches yours, the authentication will be successful.


Figure 26: The Questions and Answer screen

Once the session is authenticated, the OTR button will change to . Your session is now secure and you can be sure that you are really speaking with your buddy.
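Both the code-word method and the question-and-answer method rest on the same mechanism underneath: OTR's Socialist Millionaire Protocol (SMP) lets two parties confirm that they typed the same secret without either side ever sending it, so a mismatch reveals nothing beyond "no". The Python below is an added example, not code from this guide or from the OTR plugin. It runs the four SMP messages between Alice and Bob over a small safe-prime group generated at import time (a constructed stand-in for the 1536-bit group real OTR uses), omits the zero-knowledge proofs real OTR attaches to each message, and binds the secret to a constructed session id where real OTR also folds in both parties' fingerprints. The function and parameter names (`smp_run`, `authentication_outcomes`, the 64-bit group size) are choices made for this example. It shows why the code word must match exactly, including case.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, used only to build the toy group below."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int):
    """Return (p, q) with p = 2q + 1 both prime, searching upward from 2^(bits-1).
    Constructed toy parameters: real OTR uses a fixed 1536-bit MODP group."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime(64)
G = 4   # 4 = 2^2 is a square mod P, so it generates the subgroup of prime order Q


def secret_to_exponent(secret: str, session_id: bytes) -> int:
    """Hash the typed secret into the exponent SMP compares.  Real OTR also hashes
    both fingerprints and the secure session id in here, so a proof is tied to
    this key pair and this session.  The hash is byte-exact: case matters."""
    h = hashlib.sha256(session_id + secret.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % Q


def smp_run(secret_alice: str, secret_bob: str, session_id: bytes) -> bool:
    """Simplified SMP: Alice holds x, Bob holds y; both learn only whether x == y.
    Message flow: (1) Alice: g2a, g3a  (2) Bob: g2b, g3b, Pb, Qb
                  (3) Alice: Pa, Qa, Ra  (4) Bob: Rb.  ZK proofs omitted."""
    x = secret_to_exponent(secret_alice, session_id)
    y = secret_to_exponent(secret_bob, session_id)
    rand = lambda: secrets.randbelow(Q - 1) + 1

    a2, a3 = rand(), rand()                                   # Alice, message 1
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)

    b2, b3 = rand(), rand()                                   # Bob, message 2
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)         # g2 = g^(a2 b2), g3 = g^(a3 b3)
    rb = rand()
    Pb = pow(g3_bob, rb, P)
    Qb = pow(G, rb, P) * pow(g2_bob, y, P) % P

    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)     # Alice, message 3
    ra = rand()
    Pa = pow(g3_alice, ra, P)
    Qa = pow(G, ra, P) * pow(g2_alice, x, P) % P
    Ra = pow(Qa * pow(Qb, -1, P) % P, a3, P)

    Rb = pow(Qa * pow(Qb, -1, P) % P, b3, P)                  # Bob, message 4
    expected = Pa * pow(Pb, -1, P) % P                        # g3^(ra - rb)
    bob_ok = pow(Ra, b3, P) == expected       # Rab = g3^(ra-rb) * g2^(a3 b3 (x-y))
    alice_ok = pow(Rb, a3, P) == expected     # equal to expected only when x == y
    return alice_ok and bob_ok


def authentication_outcomes() -> dict:
    """Constructed scenarios: matching word, wrong case, different word."""
    sid = b"constructed-session-id"
    return {
        "same code word": smp_run("correct horse", "correct horse", sid),
        "wrong case":     smp_run("correct horse", "Correct Horse", sid),
        "different word": smp_run("correct horse", "wrong horse", sid),
    }


if __name__ == "__main__":
    print(authentication_outcomes())
```

The algebra is what gives the Shared Secret dialog its safety property: the only values that cross the wire are group elements blinded by fresh random exponents, and the final check succeeds exactly when the two hashed secrets are equal in the exponent, so neither a wrong guess nor a passive observer learns the code word itself.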

Congratulations! You may now chat privately. The next time you and your buddy chat (using the same computers), you can skip the first and third steps, above. You should only have to request a secure connection and have your buddy accept it.

Notice that when you Select: Buddy List > Tools > Plugins > Off The Record Messaging > Configure Plugin, the Known fingerprints tab now displays your buddy's account and a message that their identity has been verified.

Figure 27: The Off-the-Record Messaging screen displaying the Known Fingerprints tab


Creating a Google Talk account

4.1 How to Create a Google Talk account

To create a Google Talk account, perform the following steps:

Step 1. Open your Internet browser and go to the Create Google Account page.

Figure 28: The Google Registration web page

Step 2. Type in the necessary registration details.

Note: In the Desired Login Name: field, type in a name for your email address/account. For reasons of anonymity and confidentiality, it should, ideally, not correspond with your first and last names.

Step 3. Click the Check availability button to see if your desired login name is available. If it is not, you might have to come up with something a little more original!

Step 4. Click: to accept the conditions and create your Google Talk account after completing all necessary fields.

4.2 How to Enable a Secure Connection

Users who register and use Pidgin with a Google Talk, IRC, SILC or an XMPP compatible service, can configure Pidgin to use a secure connection, otherwise known as the Secure Socket Layer (SSL) or Transport Layer Security (TLS).

In the Basic tab in the Add Account screen:

Step 1. Select your IM provider, and fill in the required details, then click the Advanced tab.


Figure 29: The Modify Account screen displaying the Advanced tab


Step 2. Check the Require SSL/TLS option to automatically enable a secure channel over which your messaging session can take place.

FAQ and Review

Q: I shut down Pidgin last night. Today, when I launched the program again, I did not see any of my contacts, even though I knew they were online.

A: This happens sometimes if your account was not shut down properly (the Internet connection was dropped or your computer had crashed). You need to re-enable your account. To re-enable your account Select: Accounts > Add/Edit menu and check the box next to your account.

Figure 30: The Accounts screen with a re-enabled account

Q: Can I use Pidgin-OTR to chat with friends in both MSN and Yahoo?

A: Although Pidgin-OTR supports a number of chat and messaging services, you have to use the same provider to initiate an IM session with your buddy. You both need to use an MSN or a Google Talk account, for example. However, in Pidgin you can register and be online with several IM accounts simultaneously. That's the beauty of using a multi-protocol IM client.

Q: What would happen if I had to access my Pidgin-OTR account on another computer?

A: You would have to generate a new private key to use with your IM account on that computer. You can start a conversation with your buddy using this new key, but you will need to authenticate your session again.

Q: What if I forget the login password for my IM account? Or what if someone steals it? Will they have access to my past and future conversations?

A: This is a very important question. First of all, if you forget your login password, you will have to generate a new IM account. Then, you can tell your friend about the new account by telephone, Skype voice-chat, or secure email. Finally, you should create a new, authenticated session with him/her. If, however, someone steals your IM password, that person could try to impersonate you when using Pidgin. Luckily, he/she won't be able to authenticate the session without your shared code word, and so your buddy should be alerted and become suspicious. That's why authentication is so important. Furthermore, if you followed the instructions above and set the recommended preferences in the OTR 'Config' tab, then even someone who steals your password won't have access to your past conversations, since you chose not to record them.

5.1 Questions to test yourself with after completing the chapter

What are the requirements for creating an account in Pidgin?


Is it possible to register and use several instant messaging accounts in Pidgin at once?

What are the requirements for having a private and authenticated chat session in Pidgin?

How many times do you need to 'authenticate' your chat session with a given buddy?

What is a fingerprint in Pidgin?

What will happen to your OTR preferences (including received keys' fingerprints) when you install Pidgin and OTR on another computer?
