How to chat with: Encryption, Authentication, and Secrecy

Note: Posting this on behalf of a Sythe user that would like to remain anonymous. I claim no rights to what is written here but have been given permission by the author to post it.

MSN, AIM, and other messengers send their messages in plain text so essentially, your chats are able to be intercepted and read by a stranger.



Who can intercept by chat messages and how?

• MiddleMan Attack --> A person connects to your network(wireless,etc) and runs a sniffer which will allow him to read ALL incoming/outgoing messages since they are in plain text
• Messenger Servers --> Messengers that use their own servers to deliver the messages(such as AIM) could intercept any messages since they are in plain text and read it
• Your ISP --> If a subpoena were to happen of your IRC, they could intercept all your messages
• A person who knows your password --> Could login to your msn account via web browser(for example) and see all the messages that are coming inbound

Do I really need to do this?

No, as a matter of fact most people wont. But for sensitive conversations(where sensitive information is sent around often) I would highly suggest it. The average sythe trader has no need for this level of security/encryption but you may find instances where it maybe useful. This will not work as a standard because for computer illiterate people, it will be too much of a hassle for them to bother with when they can not justify the effort.

Give me an example please.

Ok well lets show a proof of concept for the MiddleMan attack. Lets say someone gets your MSN password. They can login on your email account and sign in there and see all incoming messages + respond(if they wanted to). The MSN chat window is the standard window when talking to someone(I am using the pidgin client in the screenshot). The middleman is the person who knows your password reading your messages(intercepting).


So.. How do I encrypt my conversations?

I recommend a program called OTR. It can be used on Pidgin, Adium, Miranda, Kopete, etc(as well as others but these ones are documented). I personally prefer Pidgin because it takes less then 2 minutes , including the download time, to setup.

1. Download the client of your choice that is OTR compatible.

2. Then install the appropriate OTR package. For pidgin it is on their front page where it says "OTR plugin for Pidgin", click "Win32 installer for pidgin 2.x" and install.

3. Install OTR.

4. Open Pidgin > Tools > Plugins > Enable the Off The Record plugin.

5. Done .

Now what?
When you enable the plugin you will see an OTR bar popup in the messenger. Chat with someone who has OTR installed and initiate the OTR conversations( read the readme for any further help )

Enjoy