Tag Archives: IM

How to secure your IM conversations

I was asked the other day if there was a way to truly secure IM conversations between two people. The answer is a most definately resounding YES. This can be done using Open Source and free software on every major operating system (Windows, Mac OSX, Linux) and every major IM network (Yahoo, MSN, AIM etc.). Now people may ask “Why encrypt if you have nothing to hide?”. Why is it a felony for postal workers to open mail, since its all innocent, right? Why are you worried? It’s called privacy. For no other reason then I don’t want Microsoft indexing my chat conversation and trying to sell me sneakers on a sidebar because I typed the word “Shoes”. Its nobody’s business except mine, end of story.

Lets go over a couple of things first. When you IM a person it does not go directly from you to them. It goes from you, to a server run by the IM providor, and then relayed to your friend. There are multiple security issues here. First, the obvious fact that by default nothing is encrypted anywhere between the three systems in use. Second, your IM conversation is stored temporarily or PERMANENTLY on the IM providers server. While Google offers you the option to save your chat transcripts or go “off-the-record” (don’t confuse this with the OTR application I mention later) I choose not to trust any IM providor.

Now, you might be thinking “Yahoo chat offers me encryption so why not use their built in functionality?”. Well, if you don’t want random people on the internet sniffing your traffic this may be good enough for you. However, if you want to make sure NOBODY (including the chat providors) can see your IM conversation then you need to use a technology/program that uses their network but is not controlled by them, therefore giving you freedom and a much higher level of security.

The programs I recommend are as follows.

Mac OSX – Adium
Windows and Linux – Pidgin

These two programs are Multi-Chat clients, you can use this one program to chat on many networks at the same time and even have multiple accounts on the same network all connected at the same time.  This may not seem valuable unless you have a personal account, school account  and then a business account.  This becomes invaluable.

Pidgin is actually the basis for Adium, as both use the same core libraries but Adium is simply prettied up for Mac.  The security feature at the core of this is called OTR – Off The Record.   From the OTR website

“Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:

Encryption
No one else can read your instant messages.
Authentication
You are assured the correspondent is who you think it is.
Deniability
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Perfect forward secrecy
If you lose control of your private keys, no previous conversation is compromised.”

So lets go over what OTR offers you, authenticaion, super strong encryption (256-bit AES) and a way to authenticate people. Now, the encryption basically works in the background, you don’t have to select anything etc, it uses the best by default. For this to work, two people must both be using OTR complient programs. So, you can have a person using Adium and another using Pidgin on two different operating systems. It does not matter at all. So lets say Tim and Bob are trying this out.

Tim starts a conversation with Bob and they both see a popup asking if they want to secure the session. Both of their chat clients realized they were talking to another OTR capable application. Then Tim’s application asks a weird question, it asks “Are you sure this is Bob?”. This is called authentication. The first time you create a secure session with a user, you both exchange credentials. What Tim is being asked, is if its valid. this will make more sense in a moment. So the application tells Tim, “I know you want a secure connection with this guy but you never had one before”. Tim says, I know Joe and this is him. Joe does the same thing. From now on, it will not ask you to verify eachother because the credentials being passed at the beginning will always be the same.

What happens if Joe is on a new computer and wants a secure connection with Tim? Joe tries to chat with Tim and Tim receives a message saying “Ummmm, Joe wants a secure chat, but Joe is showing us different credentials. What to do?” Tim either tells the system yes this is Joe, or no its an impostor.

This can get MUCH more detailed but we want this for general use , so non-techies can have a secure chat. When this is setup then every chat between you two will be encrypted. Just make sure your preferences are set to try and always initiate a secure chat between clients that are capable. Also, ensure the secure icon is showing a locked or secured state. This is a visual indicator that everything is okay.

Note: Pidgin users must install OTR separately.

I hope this helps, feedback is welcome as always.