How to secure your IM conversations

I was asked the other day if there was a way to truly secure IM conversations between two people. The answer is a most definately resounding YES. This can be done using Open Source and free software on every major operating system (Windows, Mac OSX, Linux) and every major IM network (Yahoo, MSN, AIM etc.). Now people may ask “Why encrypt if you have nothing to hide?”. Why is it a felony for postal workers to open mail, since its all innocent, right? Why are you worried? It’s called privacy. For no other reason then I don’t want Microsoft indexing my chat conversation and trying to sell me sneakers on a sidebar because I typed the word “Shoes”. Its nobody’s business except mine, end of story.

Lets go over a couple of things first. When you IM a person it does not go directly from you to them. It goes from you, to a server run by the IM providor, and then relayed to your friend. There are multiple security issues here. First, the obvious fact that by default nothing is encrypted anywhere between the three systems in use. Second, your IM conversation is stored temporarily or PERMANENTLY on the IM providers server. While Google offers you the option to save your chat transcripts or go “off-the-record” (don’t confuse this with the OTR application I mention later) I choose not to trust any IM providor.

Now, you might be thinking “Yahoo chat offers me encryption so why not use their built in functionality?”. Well, if you don’t want random people on the internet sniffing your traffic this may be good enough for you. However, if you want to make sure NOBODY (including the chat providors) can see your IM conversation then you need to use a technology/program that uses their network but is not controlled by them, therefore giving you freedom and a much higher level of security.

The programs I recommend are as follows.

Mac OSX – Adium
Windows and Linux – Pidgin

These two programs are Multi-Chat clients, you can use this one program to chat on many networks at the same time and even have multiple accounts on the same network all connected at the same time.  This may not seem valuable unless you have a personal account, school account  and then a business account.  This becomes invaluable.

Pidgin is actually the basis for Adium, as both use the same core libraries but Adium is simply prettied up for Mac.  The security feature at the core of this is called OTR – Off The Record.   From the OTR website

“Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

No one else can read your instant messages.
You are assured the correspondent is who you think it is.
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.”

So lets go over what OTR offers you, authenticaion, super strong encryption (256-bit AES) and a way to authenticate people. Now, the encryption basically works in the background, you don’t have to select anything etc, it uses the best by default. For this to work, two people must both be using OTR complient programs. So, you can have a person using Adium and another using Pidgin on two different operating systems. It does not matter at all. So lets say Tim and Bob are trying this out.

Tim starts a conversation with Bob and they both see a popup asking if they want to secure the session. Both of their chat clients realized they were talking to another OTR capable application. Then Tim’s application asks a weird question, it asks “Are you sure this is Bob?”. This is called authentication. The first time you create a secure session with a user, you both exchange credentials. What Tim is being asked, is if its valid. this will make more sense in a moment. So the application tells Tim, “I know you want a secure connection with this guy but you never had one before”. Tim says, I know Joe and this is him. Joe does the same thing. From now on, it will not ask you to verify eachother because the credentials being passed at the beginning will always be the same.

What happens if Joe is on a new computer and wants a secure connection with Tim? Joe tries to chat with Tim and Tim receives a message saying “Ummmm, Joe wants a secure chat, but Joe is showing us different credentials. What to do?” Tim either tells the system yes this is Joe, or no its an impostor.

This can get MUCH more detailed but we want this for general use , so non-techies can have a secure chat. When this is setup then every chat between you two will be encrypted. Just make sure your preferences are set to try and always initiate a secure chat between clients that are capable. Also, ensure the secure icon is showing a locked or secured state. This is a visual indicator that everything is okay.

Note: Pidgin users must install OTR separately.

I hope this helps, feedback is welcome as always.

11 responses to “How to secure your IM conversations

  1. The problems I have with OTR is that when the other person I’m talking with doesnt have it installed, a weird error will be sent to them, sometimes multiple times if their client isnt compatible.

    me: hi u, how are u

    i don’t remember what the errors actually are, but they are some technical mumbo jumbo.

    • I have not received this error, but if the auto-secure option is causing you issues, just turn it off and you can intiate secure sessions on a per-user or just when you click on it basis.

  2. what about retroshare?

    • I had not heard of retroshare before, but i checked it out. It does in fact seem very neat. However from my understanding of it, you cannot use standard accounts that you already have which is a nice feature of OTR, be secure with anyone, with minimal setup.

  3. Pingback: » Blog Archive » How to Secure Your IM Conversations

  4. Pingback: Wireless security - how secure is your data? « Tech Czar

  5. You can install OTR and still talk with people on your buddy list who do not OTR without showing any strange errors. There is a setting in OTR that allows you to chat with OTR off by default. You then go to your buddy list and right click the names (under Pidgin I’m not sure of other apps) and select OTR-Settings and define rules. Example: John on my BL has OTR and I’d like to make sure our conversations are always private when we chat. I right click his name on my BL and set that rule. But Alex on my BL doesn’t use OTR and has no desire to do so. Because I made OTR off by default unless defined by specific and certain buddies, he and I will receive no strange messages.

    I am always looking for new friends who use OTR. My AIM name is sushiosoyum.

  6. Pingback: 怎樣讓你的 IM 通訊更安全 | Nica's Blog

  7. I know this is a really old thread however in the intervening years the problem of secure IM has not been solved. Until now. There is a new product about to be released that is a peer based messenger that the users control the encryption keys etc on.

    Check it out and check back until its released.

    Drop me a line if you want to be notified of going live!

  8. hello!,I like your writing very much! share we keep in touch more about your post on AOL? I need a specialist in this area to unravel my problem. Maybe that’s you! Looking forward to peer you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s