Off-the-Record Messaging plugin for pidgin

This is a pidgin plugin which implements Off-the-Record (OTR) Messaging.
It is known to work (at least) under the Linux and Windows versions of

OTR allows you to have private conversations over IM by providing:

- No one else can read your instant messages.
- You are assured the correspondent is who you think it is.
- The messages you send do _not_ have digital signatures that are
  checkable by a third party. Anyone can forge messages after a
  conversation to make them look like they came from you. However,
  _during_ a conversation, your correspondent is assured the messages
  he sees are authentic and unmodified.
- Perfect forward secrecy
- If you lose control of your private keys, no previous conversation

For more information on Off-the-Record Messaging, see
http://www.cypherpunks.ca/otr/

Run pidgin, and open the Plugins panel. (If you had a copy of pidgin
running before you installed pidgin-otr, you will need to restart it.)
Find the Off-the-Record Messaging plugin, and enable it by selecting the
checkbox next to it. Click "Configure Plugin" to bring up the OTR UI.
The UI has two "pages": "Known fingerprints" and "Config".

The "Config" page allows you to generate private keys, and to set OTR

Private keys are used to authenticate you to your buddies. Choose
one of your accounts from the menu, click "Generate" and wait until
it's finished. You'll see a sequence of letters and numbers appear
above the "Generate" button. This is the "fingerprint" for that
account; it is unique to that account. If you have multiple IM
accounts, you can generate private keys for each one separately.
Note that if you don't generate keys in this way, they will be
generated automatically, when they are needed.

The OTR options determine when private messaging is enabled. The
checkboxes on this page control the default settings; you can edit
the per-buddy settings by right-clicking on your buddy in the buddy
list, and choosing "OTR Options" from the menu.

[X] Enable private messaging
[X] Automatically initiate private messaging
[ ] Require private messaging

If the "enable private messaging" box is unchecked, private messages
will be disabled completely (and the other two boxes will be greyed
out, as they're irrelevant).

If the first box is checked, but "automatically initiate private
messaging" is unchecked, private messaging will be enabled, but only
if either you or your buddy explicitly requests to start a private
conversation (and the third box will be greyed out, as it's

If the first two boxes are checked, but "require private messaging"
is unchecked, OTR will attempt to detect whether your buddy can
understand OTR private messages, and if so, automatically start a

If all three boxes are checked, messages will not be sent to your
buddy unless you are in a private conversation.

The "Known fingerprints" page allows you to see the fingerprints of any
buddies you have previously communicated with privately.

You can close the Preferences panel (but make sure not to disable
(un-"Load") the OTR plugin).

IM as normal with your buddies. If you want to start a private
conversation with one of them, click the "OTR: Not Private" button in
the conversation window.

If your buddy does not have the OTR plugin, a private conversation will
(of course) not be started. [But he'll get some information about OTR

If your buddy does have the OTR plugin (and it's enabled), a private
conversation will be initiated.

If both you and your buddy have OTR software, and your OTR options set
to automatically initiate private messaging, your clients may recognize
each other and automatically start a private conversation.

The first time you have a private conversation with one of your buddies,
his fingerprint will appear. It's usually a good idea to make sure it's
correct, perhaps via the phone, or some other authenticated

If it's wrong, it means someone's intercepting your communication.
While unlikely, this is one of the things this plugin detects.

Once you've seen your buddy's fingerprint, it will be stored, and
future private conversations with him won't bother you with this dialog.
[Unless, of course, he uses a different fingerprint, perhaps from a
different IM account, or on a different computer. It's OK to have
multiple fingerprints for the same IM account, on different machines.]

At this point, the label on the OTR button in the conversation window
will change to "OTR: Unverified". This means that, although you are
sending encrypted messages, you have not yet verified your buddy's
fingerprint, and so it is not certain that the person who can decrypt
these messages is actually your buddy (it may be an attacker).

If you right-click on the OTR button, you will get a menu with the

Start / Refresh private conversation

Choosing this menu option is the same as clicking the OTR button: it
will attempt to start (or refresh, if you're already in one) a
private conversation with this buddy.

End private conversation

If you wish to end the private conversation, and go back to
communicating without privacy protection, you can select this
option. Note that if you have "Automatically initiate private
messaging" set, it is likely that a new private conversation will
automatically begin immediately.

Choose this menu option once you have your buddy on the phone, or
some other authenticated communication channel (such as a gpg-signed
message). Have your buddy read you his fingerprint. If it matches
what is displayed in the dialog box, pull down the selection that
says "I have not" (verified that this is in fact the correct
fingerprint), and change it to "I have".

Once you do this, the label on the OTR button will change to "OTR:
Private". Note that you only need to do this once per buddy (or
once per fingerprint, if your buddy has more than one fingerprint).
pidgin-otr will remember which fingerprints you have marked as

View secure session id

The "secure session id" is another way to verify that you're actually
chatting with your buddy, and not some eavesdropper
("man-in-the-middle" is the technical term). Phone him up, and ask
him to read his bold part, and read yours back to him. If they're
both correct, you're assured that there's no one intercepting your
private conversation. This is secure, even if you know that one or
both of your private keys have been compromised.

You should almost never need to use this; it is only useful in the
event that you know your private keys have been compromised, and you
wish to have a private conversation anyway.

This will open a web browser to get online help.

If you open the Preferences panel back up, and go to the OTR UI, you'll
see your buddy, and his fingerprint, listed there. The "Status" should
currently be "Private", which means you're having a private
conversation. Other possibilities are "Unverified", which means you
have not yet verified your buddy's fingerprint, "Not private", which
means you're just chatting in IM the usual (non-OTR) way, and
"Finished", which means your buddy has selected "End private
conversation"; at this point, you will be unable to send messages to him
at all, until you either also choose "End private conversation" (in
which case further messages will be sent unencrypted), or else choose
"Refresh private conversation" (in which case further messages will be

By selecting one of your buddies from the list, you'll be able to do one
or more of the following things by clicking the buttons below the list:
- "Start private conversation": if the status is "Not private" or
  "Finished", this will attempt to start a private conversation.
- "End private conversation": if the status is "Unverified", "Private",
  or "Finished", you can force an end to your private conversation by
  clicking this button. There's not usually a good reason to do this,
- "Verify fingerprint": this will open the fingerprint verification
  dialog discussed above.
- "Forget fingerprint": this will remove your buddy's fingerprint from
  the list. You'll have to re-verify it the next time you start a
  private conversation with him. Note that you can't forget a
  fingerprint that's currently in use in a private conversation.
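
The status values, checkboxes and buttons described above, modelled as a
small state machine. This is an added example, not code from pidgin-otr;
the class, its method names and the sample fingerprint are hypothetical,
and it assumes fingerprints are displayed as 40 hex digits.

```python
from dataclasses import dataclass, field
SAMPLE_FP = "0BB1C3F2 9A4D71E6 55F0C8AB 1D2E3F40 7788AABB"  # constructed value

def normalize(fp: str) -> str:  # canonical form: no spacing, upper case
    digits = "".join(fp.split()).upper()
    if len(digits) != 40 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("expected 40 hex digits (assumed display format)")
    return digits

@dataclass
class Conversation:  # hypothetical model, one instance per buddy
    enabled: bool = True        # [X] Enable private messaging
    auto_initiate: bool = True  # [X] Automatically initiate private messaging
    require: bool = False       # [ ] Require private messaging (needs both above)
    known: dict = field(default_factory=dict)  # fingerprint -> verified?
    active: str = ""            # fingerprint used by the current private session
    finished: bool = False      # buddy selected "End private conversation"

    def status(self) -> str:
        if self.finished or not self.active:
            return "Finished" if self.finished else "Not private"
        return "Private" if self.known[self.active] else "Unverified"

    def start_private(self, buddy_fp: str) -> str:
        if not self.enabled:
            raise PermissionError("private messaging is disabled")
        self.active, self.finished = normalize(buddy_fp), False
        self.known.setdefault(self.active, False)  # new fingerprints start unverified
        return self.status()

    def end(self, by_buddy: bool = False) -> None:
        self.active, self.finished = "", by_buddy  # buddy's end leaves "Finished"

    def verify(self, shown_fp: str, read_by_buddy: str) -> bool:
        match = normalize(shown_fp) == normalize(read_by_buddy)
        if match:
            self.known[normalize(shown_fp)] = True  # remembered per fingerprint
        return match

    def send(self) -> str:
        must_be_private = self.enabled and self.auto_initiate and self.require
        if self.finished or (not self.active and must_be_private):
            return "blocked"
        return "encrypted" if self.active else "plaintext"

    def forget(self, fp: str) -> bool:
        if normalize(fp) == self.active:
            return False  # cannot forget a fingerprint that is in use
        return self.known.pop(normalize(fp), None) is not None
```
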

Please send your bug reports, comments, suggestions, patches, etc. to us
at the contact address below.

This plugin only attempts to protect instant messages, not multi-party
chats, file transfers, etc.

There are three mailing lists pertaining to Off-the-Record Messaging:

http://lists.cypherpunks.ca/mailman/listinfo/otr-announce/
*** All users of OTR software should join this. *** It is used to
announce new versions of OTR software, and other important information.

http://lists.cypherpunks.ca/mailman/listinfo/otr-users/
Discussion of usage issues related to OTR Messaging software.

http://lists.cypherpunks.ca/mailman/listinfo/otr-dev/
Discussion of OTR Messaging software development.

The Off-the-Record Messaging plugin for pidgin is covered by the following

Off-the-Record Messaging plugin for pidgin
Copyright (C) 2004-2005 Nikita Borisov and Ian Goldberg

This program is free software; you can redistribute it and/or modify
it under the terms of version 2 of the GNU General Public License as
published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

There is a copy of the GNU General Public License in the COPYING file
packaged with this plugin; if you cannot find it, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA

To report problems, comments, suggestions, patches, etc., you can email

Nikita Borisov and Ian Goldberg <otr@cypherpunks.ca>

For more information on Off-the-Record Messaging, visit
http://www.cypherpunks.ca/otr/