~ubuntu-branches/ubuntu/vivid/pidgin-otr/vivid-proposed

« back to all changes in this revision

Viewing changes to README

Committer: Bazaar Package Importer
Author(s): Thibaut VARENE
Date: 2007-05-08 17:21:54 UTC
Revision ID: james.westby@ubuntu.com-20070508172154-rl73hykhkfbbvhzm

Tags: upstream-3.0.0+cvs20070508

Import upstream version 3.0.0+cvs20070508

files added:

AUTHORS

COPYING

ChangeLog

INSTALL

Makefile.am

Makefile.in

Makefile.mingw

NEWS

README

aclocal.m4

config.guess

config.h.in

config.sub

configure

configure.ac

depcomp

dialogs.c

dialogs.h

gtk-dialog.c

gtk-dialog.h

gtk-ui.c

gtk-ui.h

install-sh

ltmain.sh

makedist

missing

otr-plugin.c

otr-plugin.h

packaging

packaging/fedora

packaging/fedora/gaim-otr.spec

packaging/windows

packaging/windows/gaim-otr.nsi

packaging/windows/pidgin-otr.nsi

ui.c

ui.h

Show diffs side-by-side

added added

removed removed

README

Off-the-Record Messaging plugin for pidgin

v3.0.0, 6 May 2007

This is a pidgin plugin which implements Off-the-Record (OTR) Messaging.

It is known to work (at least) under the Linux and Windows versions of

pidgin (2.0).

OTR allows you to have private conversations over IM by providing:

- Encryption

- No one else can read your instant messages.

- Authentication

- You are assured the correspondent is who you think it is.

- Deniability

- The messages you send do _not_ have digital signatures that are

checkable by a third party. Anyone can forge messages after a

conversation to make them look like they came from you. However,

_during_ a conversation, your correspondent is assured the messages

he sees are authentic and unmodified.

- Perfect forward secrecy

- If you lose control of your private keys, no previous conversation

is compromised.

For more information on Off-the-Record Messaging, see

http://www.cypherpunks.ca/otr/

USAGE

Run pidgin, and open the Plugins panel. (If you had a copy of pidgin

running before you installed pidgin-otr, you will need to restart it.)

Find the Off-the-Record Messaging plugin, and enable it by selecting the

checkbox next to it. Click "Configure Plugin" to bring up the OTR UI.

The UI has two "pages": "Known fingerprints" and "Config".

The "Config" page allows you generate private keys, and to set OTR

options.

Private keys are used to authenticate you to your buddies. Choose

one of your accounts from the menu, click "Generate" and wait until

it's finished. You'll see a sequence of letters and number appear

above the "Generate" button. This is the "fingerprint" for that

account; it is unique to that account. If you have multiple IM

accounts, you can generate private keys for each one separately.

Note that if you don't generate keys in this way, they will be

generated automatically, when they are needed.

The OTR options determine when private messaging is enabled. The

checkboxes on this page control the default settings; you can edit

the per-buddy settings by right-clicking on your buddy in the buddy

list, and choosing "OTR Options" from the menu.

The options are:

[X] Enable private messaging

[X] Automatically initiate private messaging

[ ] Require private messaging

If the "enable private messaging" box is unchecked, private messages

will be disabled completely (and the other two boxes will be greyed

out, as they're irrelevant).

If the first box is checked, but "automatically initiate private

messaging" is unchecked, private messaging will be enabled, but only

if either you or your buddy explicitly requests to start a private

conversation (and the third box will be greyed out, as it's

irrelevant).

If the first two boxes are checked, but "require private messaging"

is unchecked, OTR will attempt to detect whether your buddy can

understand OTR private messages, and if so, automatically start a

private conversation.

If all three boxes are checked, messages will not be sent to your

buddy unless you are in a private conversation.

The "Known fingerprints" page allows you to see the fingerprints of any

buddies you have previously communicated with privately.

You can close the Preferences panel (but make sure not to disable

(un-"Load") the OTR plugin).

IM as normal with your buddies. If you want to start a private

conversation with one of them, click the "OTR: Not Private" button in

the conversation window.

If your buddy does not have the OTR plugin, a private conversation will

(of course) not be started. [But he'll get some information about OTR

instead.]

If your buddy does have the OTR plugin (and it's enabled), a private

conversation will be initiated.

If both you and your buddy have OTR software, and your OTR options set

to automatically initiate private messaging, your clients may recognize

each other and automatically start a private conversation.

The first time you have a private conversation with one of your buddies,

his fingerprint will appear. It's usually a good idea to make sure it's

correct, perhaps via the phone, or some other authenticated

communication.

100

If it's wrong, it means someone's intercepting your communication.

101

While unlikely, this is one of the things this plugin detects.

102

103

Once you've seen your buddy's fingerprint, it will be stored, and

104

future private conversations with him won't bother you with this dialog.

105

[Unless, of course, he uses a different fingerprint, perhaps from a

106

different IM account, or on a different computer. It's OK to have

107

multiple fingerprints for the same IM account, on different machines.]

108

109

At this point, the label on the OTR button in the conversation window

110

will change to "OTR: Unverified". This means that, although you are

111

sending encrypted messages, you have not yet verified your buddy's

112

fingerprint, and so it is not certain that the person who can decrypt

113

these messages is actually your buddy (it may be an attacker).

114

115

If you right-click on the OTR button, you will get a menu with the

116

following options:

117

118

Start / Refresh private conversation

119

120

Choosing this menu option is the same as clicking the OTR button: it

121

will attempt to start (or refresh, if you're already in one) a

122

private conversation with this buddy.

123

124

End private conversation

125

126

If you wish to end the private conversation, and go back to

127

communicating without privacy protection, you can select this

128

option. Note that if you have "Automatically initiate private

129

messaging" set, it is likely that a new private conversation will

130

automatically begin immediately.

131

132

Verify fingerprint

133

134

Choose this menu option once you have your buddy on the phone, or

135

some other authenticated communication channel (such as a gpg-signed

136

message). Have your buddy read you his fingerprint. If it matches

137

what is displayed in the dialog box, pull down the selection that

138

says "I have not" (verified that this is in fact the correct

139

fingerprint), and change it to "I have".

140

141

Once you do this, the label on the OTR button will change to "OTR:

142

Private". Note that you only need to do this once per buddy (or

143

once per fingerprint, if your buddy has more than one fingerprint).

144

pidgin-otr will remember which fingerprints you have marked as

145

verified.

146

147

View secure session id

148

149

The "secure session id" is another way to verify that you're actually

150

chatting with your buddy, and not some eavesdropper

151

("man-in-the-middle" is the technical term). Phone him up, and ask

152

him to read his bold part, and read yours back to him. If they're

153

both correct, you're assured that there's no one intercepting your

154

private conversation. This is secure, even if you know that one or

155

both of your private keys have been compromised.

156

157

You should almost never need to use this; it is only useful in the

158

event that you know your private keys have been compromised, and you

159

wish to have a private conversation anyway.

160

161

What's this?

162

163

This will open a web browser to get online help.

164

165

166

If you open the Preferences panel back up, and go to the OTR UI, you'll

167

see your buddy, and his fingerprint, listed there. The "Status" should

168

currently be "Private", which means you're having a private

169

conversation. Other possibilities are "Unverified", which means you

170

have not yet verified your buddy's fingerprint, "Not private", which

171

means you're just chatting in IM the usual (non-OTR) way, and

172

"Finished", which means your buddy has selected "End private

173

conversation"; at this point, you will be unable to send messages to him

174

at all, until you either also choose "End private conversation" (in

175

which case further messages will be sent unencrypted), or else choose

176

"Refresh private conversation" (in which case further messages will be

177

sent privately).

178

179

By selecting one of your buddies from the list, you'll be able to do one

180

or more of the following things by clicking the buttons below the list:

181

- "Start private conversation": if the status is "Not private" or

182

"Finished", this will attempt to start a private conversation.

183

- "End private conversation": if the status is "Unverified", "Private",

184

or "Finished", you can force an end to your private conversation by

185

clicking this button. There's not usually a good reason to do this,

186

though.

187

- "Verify fingerprint": this will open the fingerprint verification

188

dialog discussed above.

189

- "Forget fingerprint": this will remove your buddy's fingerprint from

190

the list. You'll have to re-verify it the next time you start a

191

private conversation with him. Note that you can't forget a

192

fingerprint that's currently in use in a private conversation.

193

194

NOTES

195

196

Please send your bug reports, comments, suggestions, patches, etc. to us

197

at the contact address below.

198

199

This plugin only attempts to protect instant messages, not multi-party

200

chats, file transfers, etc.

201

202

MAILING LISTS

203

204

There are three mailing lists pertaining to Off-the-Record Messaging:

205

206

otr-announce:

207

http://lists.cypherpunks.ca/mailman/listinfo/otr-announce/

208

*** All users of OTR software should join this. *** It is used to

209

announce new versions of OTR software, and other important information.

210

211

otr-users:

212

http://lists.cypherpunks.ca/mailman/listinfo/otr-users/

213

Discussion of usage issues related to OTR Messaging software.

214

215

otr-dev:

216

http://lists.cypherpunks.ca/mailman/listinfo/otr-dev/

217

Discussion of OTR Messaging software development.

218

219

LICENSE

220

221

The Off-the-Record Messaging plugin for pidgin is covered by the following

222

(GPL) license:

223

224

Off-the-Record Messaging plugin for pidgin

225

226

<otr@cypherpunks.ca>

227

228

This program is free software; you can redistribute it and/or modify

229

it under the terms of version 2 of the GNU General Public License as

230

published by the Free Software Foundation.

231

232

This program is distributed in the hope that it will be useful,

233

but WITHOUT ANY WARRANTY; without even the implied warranty of

234

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

235

GNU General Public License for more details.

236

237

There is a copy of the GNU General Public License in the COPYING file

238

packaged with this plugin; if you cannot find it, write to the Free

239

Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA

240

02111-1307 USA

241

242

CONTACT

243

244

To report problems, comments, suggestions, patches, etc., you can email

245

the authors:

246

247

Nikita Borisov and Ian Goldberg <otr@cypherpunks.ca>

248

249

For more information on Off-the-Record Messaging, visit

250

http://www.cypherpunks.ca/otr/

Older »