Pidgin - secure instant messaging
Pidgin is a free and open source client that lets you organise and manage your different Instant Messaging
(IM) accounts using a single interface. The OTR plug-in allows for secure and authenticated communications
with Pidgin.
Homepage
www.pidgin.im
Computer Requirements
An Internet connection
All Windows Versions
Version used in this guide
Pidgin 2.5.2 and OTR 3.2.0
License:
Free and Open-Source
Software
Installing Pidgin and OTR
Follow any program-specific directions in the Guide. If there are none, simply click the link below and choose a location to save the installer. Find the installer on your computer and double-click it.
Pidgin: OTR:
Required Reading
How-to Booklet chapter 7. Keeping your Internet Communication Private
Level: 1: Beginner, 2: Average, 3: Intermediate, 4: Experienced, 5: Advanced
Time required to start using this tool: 30 minutes
What you will get in return:
The ability to organise and manage some of the most popular instant messaging services through a
single program
The ability to have private and authenticated chat sessions
1.1 Things you should know about this tool before you start
Pidgin is a free and open source client that lets you organise and manage your different Instant Messaging
(IM) accounts using a single interface. Before you can start using Pidgin you must have an existing IM
account. For instance, if you have an email account with Gmail or Yahoo, you can use the IM service offeredby that company with Pidgin. Use the login details to access your IM account through Pidgin.
Note: All users are encouraged to learn as much as possible about their instant messaging service provider's
privacy and security policies.
Pidgin supports the following IM services: AIM; Google Talk; ICQ; IRC; MSN; QQ; Yahoo!; and all other IM
clients running the XMPP protocol.
Pidgin does not allow communication between different IM services. For instance, if you are using Pidgin to
access your Google Talk account, you won't be able to chat with a friend who is using Pidgin with his/her
Yahoo chat account. However, if you use Pidgin to connect to multiple accounts, then you can chat with friends
who are using any of those services. It is a good idea to use Pidgin for your instant messaging needs, as it
offers more security than the alternatives, and does not come bundled with unnecessary adware or spyware.
OTR (Off-the-Record) Messaging is a plugin developed specifically for Pidgin. It allows you to chat privately
and offers the following features:
Encryption: No one else can read your instant messages.
Authentication: You are assured the correspondent is who you think it is.
Pidgin - secure instant messaging 06/03/2009 01:26
http://en.security.ngoinabox.org/book/export/html/148 1 of 18
Deniability: After the conversation, messages cannot be identified as having originated either from you or from your correspondent.
Perfect Forward Security: If you lose control of your private keys, no previous conversation is compromised.
Note: You must first install the Pidgin software, and then install Pidgin OTR.
Using Pidgin
Before you can start using Pidgin, you must have an existing IM account with one of the providers listed
above. You must type your IM login details into Pidgin.
Note: If you do not have an existing account registered with one of the providers listed above, and would like
some help to do so, please refer to section 4.1 How to Create a Google Talk account.
2.1 How to Create a Pidgin account
Step 1. Select: Start > Programs > Pidgin to run Pidgin.
Figure 1: The Pidgin Buddy List Welcome screen
Step 2. Select: Accounts > Manage to activate the Accounts screen as follows:
Figure 2: The Accounts screen
Step 3. Click: to activate the Add Account screen as follows:
Figure 3: The Add Account screen displaying Basic and Advanced tabs
Step 4. Click the Protocol drop-down list to view supported messaging service protocols as follows:
Figure 4: The Add Account screen displaying the Protocol drop-down list
Step 5. Select the protocol that corresponds to your account.
Note: Different IM service providers will display their specific text fields for you to fill in. Some of them are
automatically filled in (for example, if you select Google Talk, both the Domain and Resource text fields are completed for you). However, all services require that you enter a screen name, local alias and a password.
Step 6. In the Screen name field, type in your email address, (for example, [email protected])
Step 7. In the Password field, type in your password for this specific account.
Step 8. In the Local Alias field, type a nickname you would like to be identified by. (This field is optional.)
Important: Check the Remember password option if you want Pidgin to remember your password. However, to optimise privacy and security, it would be better to leave this unchecked, so that Pidgin will prompt you for your
password whenever you connect. This way, other people are prevented from logging in and pretending to be
you, when you leave your computer unattended for a period of time. Also, remember to exit or quit Pidgin when
you have finished your messaging session!
A completed Add Account screen would resemble the following:
Figure 5: Example of a Completed Add Account form
Tip: Google Talk, IRC, SILC and XMPP clients can easily request an encrypted connection. Please read
section 4.2 How to Enable a Secure Connection for more details.
Step 9. Click: to complete adding your account. This will simultaneously activate the updated
Accounts screen and the Buddy List screen as follows:
Figure 6: The Accounts screen updated
Figure 7: The Buddy List screen in Active mode
After you have completed these steps, you are ready to add IM contact information for your friends (or
"buddies," as they are referred to in Pidgin).
2.2 How to Add a Buddy
Step 1. Select: Buddies > + Add Buddy as follows:
Figure 8: The Buddy List with the Buddies menu activated
This will activate the following screen:
Figure 9: The Add Buddy screen
Step 2. Select your account, where you are using the same messaging service as your 'buddy'.
Note: Both your buddy and yourself must be using the same messaging service, even if he/she is not using
Pidgin. For instance, if you have only added a Google Talk account to Pidgin, you cannot add a buddy who
uses MSN or Yahoo to this account. However, you can register and use multiple accounts simultaneously in
Pidgin, thereby chatting with one buddy over Google Talk and with another over Yahoo or MSN.
Step 3. In the Screen name field, type in your buddy's email address. (Remember: In Pidgin, a Screen name generally refers to an email address.)
Step 4. In the Alias field, type in a nickname for your buddy.
Step 5. Click:
Note: After you have added a buddy, a message will be sent to him/her requesting his/her approval and
authorisation for your request.
Figure 10: The Authorize buddy confirmation dialog box
After your buddy has authorised the request, he/she should follow similar steps to request your account.
Figure 11: The Add Buddy screen displaying buddy information
You will receive an authorisation request from them as follows:
Figure 12: The Add Buddy screen
Step 6. Click the Authorise button and your buddy will appear in the Buddy List as follows:
Figure 13: The Buddy List screen featuring a newly created buddy
2.3 How to Chat with Your Buddy
Step 1. Right-click on your buddy's name to activate a pop-up menu listing all the tasks you can perform as
follows:
Figure 14: The Buddy tasks menu
Step 2. Select IM from the pop-up menu to activate a chat window as follows:
Figure 15: A typical chat window in Pidgin
Now you're all set to chat with your buddy using Pidgin. However, you must perform a few more steps to ensure
that your chat sessions will be private and secure.
How to Secure Your Chat Session with OTR
Both communicating parties need to install and configure the OTR plugin before they can have private chat
sessions. Pidgin automatically recognizes when both of you have the plugin installed and configured. If you
request a private conversation with a friend who has not yet installed OTR, a message will be sent to that
person explaining how they can obtain the plugin.
3.1 How to Enable the Pidgin-OTR Plugin
Enabling the Pidgin-OTR plugin is the first step towards having private and secure messaging sessions. To
enable the Pidgin-OTR plugin, perform the following steps:
Step 1. Select: Tools > Plugins in the Pidgin Buddy List window as follows:
Figure 16: The Tools menu with Plugins selected
This will activate the Plugins screen as follows:
Step 2. Scroll down to the Off-the-Record Messaging option, then check it to enable this feature.
Figure 17: The OTR Plugins screen with Off-the-Record Messaging selected
Step 3. Click: to begin configuring the Off-the-Record Messaging screen.
3.2 How to Generate an Encryption Key
Secure chat sessions in Pidgin are enabled by generating a private key for the relevant account. The Off-the-Record configuration window is divided into the Config and the Known fingerprints tabs. The Config tab is used to generate a key for each of your accounts and to set specific OTR options. The Known fingerprints tab contains your friends' keys. You must possess a key for any buddy with whom you wish to chat privately.
Figure 18: The Off-the-Record Messaging screen displaying the Config tab
Step 1. To optimise your privacy, check the Enable private messaging, Automatically initiate private messaging and Don't log OTR conversations options in the Config tab as shown above.
Step 2. Click: to begin generating your secure key.
Shortly, a screen notifying you that a private key has been generated appears as follows:
Figure 19: Generating private key screen
Your buddy will need to perform the same steps on his/her own computer.
Important: You have now created a private key for your account. This will be used to encrypt your
conversations so that nobody else can read them, even if they manage to listen in between you and your buddies. The fingerprint is a long sequence of letters and numbers used to identify the key for a particular
account. It resembles the following:
Fingerprint: 55A3638C 5DCF5BB8 0C7A2815 70DA5122 06507354
Pidgin automatically saves and verifies your own and your buddies' fingerprints, so that you will not have to
remember them.
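To make the fingerprint passage concrete, here is an added Python example (not Pidgin or libotr code) that formats a key fingerprint the way the guide shows it, five groups of eight hex digits, and looks a buddy's current key up in a stored fingerprint list to decide whether it is verified, merely known, or new. It assumes that an OTR fingerprint is the SHA-1 of the serialised public key and that the stored list uses libotr's tab-separated otr.fingerprints layout (buddy, own account, protocol, fingerprint, trust); the key bytes and the store contents are constructed for the example, with the verified entry reusing the fingerprint printed above.

```python
"""Fingerprint display and trust lookup for OTR keys.
Added example, not Pidgin/libotr code.  Assumptions: fingerprint = SHA-1 of the
serialised DSA public key; store format = libotr's tab-separated otr.fingerprints."""
import hashlib

# Constructed sample standing in for a serialised DSA public key.
SAMPLE_PUBKEY = b"constructed-demo-public-key-bytes-for-buddy@example.com"

# Constructed sample store, one line per buddy key:
# buddy \t own account \t protocol id \t fingerprint hex \t trust ("verified" or empty)
SAMPLE_STORE = """\
buddy@example.com\tme@example.com\tprpl-jabber\t55a3638c5dcf5bb80c7a281570da512206507354\tverified
other@example.com\tme@example.com\tprpl-jabber\t0123456789abcdef0123456789abcdef01234567\t
"""


def fingerprint(pubkey: bytes) -> str:
    """Return the 40-hex-digit fingerprint grouped as Pidgin displays it."""
    hexdigest = hashlib.sha1(pubkey).hexdigest().upper()
    return " ".join(hexdigest[i:i + 8] for i in range(0, 40, 8))


def parse_store(text: str) -> dict:
    """Map (buddy, account, protocol) -> {fingerprint_hex: trust}."""
    store = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        buddy, account, protocol, fp_hex, trust = line.split("\t")
        store.setdefault((buddy, account, protocol), {})[fp_hex.lower()] = trust
    return store


def trust_status(store: dict, buddy: str, account: str, protocol: str, fp_display: str) -> str:
    """Classify the key a buddy is currently using.

    'verified'   - authenticated on this computer before
    'unverified' - seen before but never authenticated
    'new key'    - never seen: the buddy may be on a new computer (which means a
                   new key), or someone else is using the buddy's account;
                   authenticate again before trusting the session
    """
    fp_hex = fp_display.replace(" ", "").lower()
    known = store.get((buddy, account, protocol), {})
    if fp_hex not in known:
        return "new key"
    return "verified" if known[fp_hex] == "verified" else "unverified"


if __name__ == "__main__":
    store = parse_store(SAMPLE_STORE)
    for buddy, fp in [("buddy@example.com", "55A3638C 5DCF5BB8 0C7A2815 70DA5122 06507354"),
                      ("buddy@example.com", fingerprint(SAMPLE_PUBKEY))]:
        print(buddy, fp, "->", trust_status(store, buddy, "me@example.com", "prpl-jabber", fp))
```

The lookup is keyed on the buddy, your own account and the protocol together, which is why a buddy who moves to a new computer (and therefore a new key) shows up as a new, unverified fingerprint rather than inheriting the old verification.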
3.3 How to Authenticate a Private Conversation
There are 3 short steps involved in ensuring the security and privacy of your conversations.
The first step, which we have just completed in section 3.2 How to Generate an Encryption Key,
involves creating the key for your account.
The second step requires you and your buddy to request a secure conversation.
The third step is about verifying that your buddy is actually the person who you think he/she is. This process of confirming another person's identity is known as 'authentication' in Pidgin.
3.3.1 The Second Step
Step 1. Double-click on the account of a buddy who is currently online to begin a new IM conversation. If both
of you have the OTR plugin installed and properly configured you will notice that a new OTR icon appears at the bottom of your chat window.
Figure 20: A Pidgin chat window displaying the OTR icon
Step 2. Click: to bring up a menu and select: Start private conversation
Your chat window will display the following message:
Attempting to start a private conversation with user@example
user@example has not been authenticated yet. You should authenticate this buddy.
Unverified conversation with user@example started.
and the OTR button will change to look as follows:
This means that you can now have an encrypted conversation with your buddy. However, this conversation is
not verified. Your buddy may actually be someone else sitting behind that computer, or someone pretending to
be your buddy. Here you will need to share a secret code word (pre-arranged earlier) to authenticate each
other.
3.3.2 The Third Step
In order to authenticate your buddy in Pidgin, you will need to perform one of the two identification methods.
You could authenticate each other by a code word, or by a question & answer process.
Using a code word for authentication
You can arrange a code word in advance, either by meeting each other in person or by using another
communications medium (like a telephone, voice chat by Skype or a mobile phone text message). Once you
both type in the same code word, your session will be authenticated.
Step 1. Right-click the OTR button in the chat window, then choose Authenticate Buddy as follows:
Figure 21: A Pidgin chat window displaying the OTR icon
An Authenticate Buddy window will pop up prompting you to choose the method for authentication.
Step 2. Click: on the drop-down menu and select: Shared Secret
Figure 22: The Authenticate buddy screen
Step 3. Type in the secret code word (it is case sensitive) and click the button.
Figure 23: The Shared Secret screen
Your buddy will see the same window at his/her end and will have to enter the same code word. If they match, your session will be authenticated.
Once the session is authenticated, the OTR button will change to . Your session is now secure and
you can be sure that you are really speaking with your buddy.
Using the question & answer for authentication
If you cannot share a code word over an alternative channel, then you have another option for authenticating
each other. Create a question and an answer to it. Your buddy will receive the question and if their answer
matches yours, you are authenticated. Obviously, the answer will need to be typed in exactly the same on both
ends.
Step 1. Right-click the OTR button in the chat window, then choose Authenticate Buddy as follows:
Figure 24: A Pidgin chat window displaying the OTR icon
An Authenticate Buddy window will pop up prompting you to choose the method for authentication.
Step 2. Click: on the drop-down menu and select: Question and Answer
Figure 25: The Authenticate buddy screen
Step 3. Enter a question and an answer to it. The question will be sent to your buddy. If their answer matches
yours, the authentication will be successful.
Figure 26: The Questions and Answer screen
Once the session is authenticated, the OTR button will change to the private (verified) state. Your session is now secure and you can be sure that you are really speaking with your buddy.
Congratulations! You may now chat privately. The next time you and your buddy chat (using the same
computers), you can skip the first and third steps, above. You should only have to request a secure connection
and have your buddy accept it.
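Both the code-word and the question-and-answer methods above rely on the same comparison: each side proves it knows the same secret without ever sending the secret itself. The following added Python example (not Pidgin or libotr code) shows the core of that comparison, the Socialist Millionaire Protocol that OTR runs behind the Authenticate Buddy dialog. It assumes a toy 10-bit safe-prime group instead of OTR's 1536-bit group, hashes only the typed secret (real OTR also mixes in both fingerprints and the session id), and leaves out the zero-knowledge proofs that accompany each real SMP message; the secrets are constructed for the example.

```python
"""Core of the Socialist Millionaire Protocol (SMP) comparison used by OTR
authentication.  Added illustration, not Pidgin/libotr code: the accompanying
zero-knowledge proofs are omitted and the group is a toy safe prime."""
import hashlib
import secrets

# Toy group: p = 1019 is a safe prime (p = 2q + 1, q = 509 prime) and g = 4
# generates the order-q subgroup.  Real OTR uses the 1536-bit RFC 3526 group;
# a group this small is for readability only.
P = 1019
Q = 509
G = 4


def secret_to_int(secret: str) -> int:
    """Map the typed code word or answer to an exponent mod Q (case sensitive,
    which is why both sides must type exactly the same text)."""
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % Q


def _rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]


def _inv(value: int) -> int:
    return pow(value, -1, P)


def smp_matches(x: int, y: int) -> bool:
    """Alice holds x, Bob holds y.  Both reach the same verdict and neither
    learns the other's value (only whether the two are equal)."""
    # Round 1: each side picks two fresh exponents; g^a2, g^a3 and g^b2, g^b3
    # are exchanged, so both can compute g2 = g^(a2*b2) and g3 = g^(a3*b3).
    a2, a3 = _rand_exp(), _rand_exp()
    b2, b3 = _rand_exp(), _rand_exp()
    g2 = pow(pow(G, a2, P), b2, P)
    g3 = pow(pow(G, a3, P), b3, P)

    # Round 2: each side blinds its own secret with a fresh exponent.
    r, s = _rand_exp(), _rand_exp()
    pa, qa = pow(g3, r, P), (pow(G, r, P) * pow(g2, x, P)) % P  # Alice's Pa, Qa
    pb, qb = pow(g3, s, P), (pow(G, s, P) * pow(g2, y, P)) % P  # Bob's Pb, Qb

    # Round 3: both raise Qa/Qb to their own a3 or b3 and exchange the result.
    qa_over_qb = (qa * _inv(qb)) % P
    ra = pow(qa_over_qb, a3, P)
    rb = pow(qa_over_qb, b3, P)

    # Round 4: each combines the other's value, giving (Qa/Qb)^(a3*b3) on both ends.
    rab_alice = pow(rb, a3, P)
    rab_bob = pow(ra, b3, P)
    assert rab_alice == rab_bob

    # Qa/Qb = g^(r-s) * g2^(x-y).  If x == y the g2 factor vanishes and Rab equals
    # Pa/Pb = g3^(r-s); otherwise a leftover g2^((x-y)*a3*b3) term makes it differ.
    return rab_alice == (pa * _inv(pb)) % P


def authenticate(my_answer: str, buddy_answer: str) -> str:
    """Return the verdict Pidgin shows once both sides have typed their answer."""
    if smp_matches(secret_to_int(my_answer), secret_to_int(buddy_answer)):
        return "authenticated"
    return "authentication failed"


if __name__ == "__main__":
    print(authenticate("Blue Tuesday", "Blue Tuesday"))  # same code word on both ends
    print(authenticate("Blue Tuesday", "blue tuesday"))  # case differs, so it fails
```

Because only blinded values cross the wire, an impostor who does not know the code word learns nothing about it from a failed attempt, which is the property that lets the FAQ below say a stolen IM password is not enough to pass authentication.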
Notice that when you Select: Buddy List > Tools > Plugins > Off The Record Messaging > Configure
Plugin, the Known fingerprints tab now displays your buddy's account and a message that their identity has been verified.
Figure 27: The Off-the-Record Messaging screen displaying the Known Fingerprints tab
Creating a Google Talk account
4.1 How to Create a Google Talk account
To create a Google Talk account, perform the following steps:
Step 1. Open your Internet browser and go to the Create Google Account page.
Figure 28: The Google Registration web page
Step 2. Type in the necessary registration details.
Note: In the Desired Login Name: field, type in a name for your email address/account. For reasons of anonymity and confidentiality, it should, ideally, not correspond with your first and last names.
Step 3. Click the Check availability button to see if your desired login name is available. If it is not, you might have to come up with something a little more original!
Step 4. Click the button to accept the conditions and create your Google Talk
account after completing all necessary fields.
4.2 How to Enable a Secure Connection
Users who register and use Pidgin with a Google Talk, IRC, SILC or an XMPP compatible service, can
configure Pidgin to use a secure connection, otherwise known as the Secure Socket Layer (SSL) or Transport Layer Security (TLS).
In the Basic tab in the Add Account screen:
Step 1. Select your IM provider, and fill in the required details, then click the Advanced tab.
Figure 29: The Modify Account screen displaying the Advanced tab
Step 2. Check the Require SSL/TLS option to automatically enable a secure channel over which your messaging session can take place.
FAQ and Review
Q: I shut down Pidgin last night. Today, when I launched the program again, I did not see any of my contacts, even though I knew they were online.
A: This happens sometimes if your account was not shut down properly (the Internet connection was dropped or your computer had crashed). You need to re-enable your account. To re-enable your account Select: Accounts > Add/Edit menu and check the box next to your account.
Figure 30: The Accounts screen with a re-enabled account
Q: Can I use Pidgin-OTR to chat with friends in both MSN and Yahoo?
A: Although Pidgin-OTR supports a number of chat and messaging services, you have to use the same provider to initiate an IM session with your buddy. You both need to use an MSN or a Google Talk account, for example. However, in Pidgin you can register and be online with several IM accounts simultaneously. That's the beauty of using a multi-protocol IM client.
Q: What would happen if I had to access my Pidgin-OTR account on another computer?
A: You would have to generate a new private key to use with your IM account on that computer. You can start a conversation with your buddy using this new key, but you will need to authenticate your session again.
Q: What if I forget the login password for my IM account? Or what if someone steals it? Will they have access to my past and future conversations?
A: This is a very important question. First of all, if you forget your login password, you will have to generate a new IM account. Then, you can tell your friend about the new account by telephone, Skype voice-chat, or secure email. Finally, you should create a new, authenticated session with him/her. If, however, someone steals your IM password, that person could try to impersonate you when using Pidgin. Luckily, he/she won't be able to authenticate the session without your shared code word, and so your buddy should be alerted and become suspicious. That's why authentication is so important. Furthermore, if you followed the instructions above and set the recommended preferences in the OTR 'Config' tab, then even someone who steals your password won't have access to your past conversations, since you chose not to record them.
5.1 Questions to test yourself with after completing the chapter
What are the requirements for creating an account in Pidgin?
Is it possible to register and use several instant messaging accounts in Pidgin at once?
What are the requirements for having a private and authenticated chat session in Pidgin?
How many times do you need to 'authenticate' your chat session with a given buddy?
What is a fingerprint in Pidgin?
What will happen to your OTR preferences (including received keys' fingerprints) when you install Pidgin
and OTR on another computer?