Biz & IT —

Take 5 minutes and up your opsec game with Tor Messenger [Updated]

Sending chat traffic via Tor and requiring OTR is a big win for privacy.

Take 5 minutes and up your opsec game with Tor Messenger [Updated]

On Thursday, the Tor Project released its first public beta of Tor Messenger, an easy-to-use, unified chat app that has security and cryptography baked in. If you care about digital security, you should ditch whatever chat program you're using and switch to it right now.

The app is specifically designed to protect location and routing information (by using Tor) and chat data in transit (by using the open source Off-The-Record, or OTR, protocol). For anyone who has used a similar app (like Pidgin or Adium), Tor Messenger’s interface will be fairly self-explanatory, but there are two notable quirks.

First, by default, it will not allow you to send messages to someone who doesn’t support OTR—but there is an option to disable that feature. Second, unlike Pidgin or Adium, Tor Messenger cannot log chats, which is handy if you’re privacy-minded.

Try it yourself

It's easy to download and install Tor Messenger on your platform of choice. After starting it up, the opening screen will ask you to set up your accounts. Tor Messenger supports a lot of your favorite chat protocols, including Google (GChat), Yahoo, Facebook, and any XMPP (formerly Jabber) account. Notably, if you’re still using an AOL Instant Messenger account, you’re out of luck.  (If you use Google/GChat with two-factor authentication, know that you’ll need to set up an app-specific password for use within Tor Messenger.)

If you don't have any prior, compatible messenger accounts, XMPP has become our favored chat protocol these days. If you want to sign up for a new XMPP account, you can quickly register one with the Calyx Institute. All you have to do within Tor Messenger is make up a username and password and then use the server: jabber.calyxinstitute.org.

Once connected, any pre-existing contact lists should show up. When starting a new chat conversation, Tor Messenger will warn you if you’re talking with someone who isn’t using OTR. And by default, the service won't let you message individuals that lack OTR.

Update, 11/1, 9:04am ET: When you start a new conversation, the chat window will prompt you to verify your contact’s OTR fingerprint.

This is crucial to making sure that someone isn’t impersonating you or your contact, and it's important that both parties verify each other. An OTR fingerprint, which can and should be public (I've tweeted mine and posted them in multiple places online), is a way to make 100 percent sure that the right account matches the right person on the right machine. In other words, it mitigates man-in-the-middle attacks. When Washington Post reporter Barton Gellman was chatting with Ed Snowden in Hong Kong, he almost missed him after initially sending the wrong fingerprint—Snowden briefly thought Gellman was an impostor.

In other chat apps (like Adium), key verification is usually done manually, simply by comparing the purported fingerprint to one that you know is authentic. For example, if you’re chatting with me, my chat app will broadcast my fingerprint, which should match my known one. If they match, you’re almost certainly talking to me. If not, someone may be impersonating me.

This method of key verification is tedious, and it requires examining each purported number and letter "4311D38B…" to the known authentic one. Humans are not good at comparing random long strings of numbers and letters, so Tor Messenger has come up with a good way of solving this problem. In addition to the manual key verification option, Tor Messenger has added a new "shared secret" option.

To verify an OTR fingerprint over Tor Messenger using this method, you need to come up with some commonly understood word or phrase and send it to your contact via another secure and private means. (Options include: Twitter DM, Signal/TextSecure, iMessage, PGP, and more.)

The shared secret might be something as simple as: "trickortreat"—it just has to be something that you and your contact will easily remember. When your contact is then prompted to verify the fingerprint, they use the shared secret. Once verified with Tor Messenger, you don’t need to do it a second time.

Channel Ars Technica