Encrypted chats through Adium

I discovered Adium many years ago and loved it instantly. Instead of having MSN Messenger, Yahoo Messenger, iChat and Facebook windows all over the place, it allowed me to combine all of it in one single app. That’s the main reason I used it and could care less about skins, sounds, icons and plugins. This was also long before I became concerned with privacy and security, I didn’t think about the fact that the MSN, Yahoo, Facebook and iChat servers were all located abroad and did not know about governments and agencies spying on us. Now I know better. I’ve spent a long time looking for good ways to secure my communications and never thought to look at the tools I already had. Then I accidentally stumbled onto Adium’s OTR encryption feature and have been using it ever since. OTR stands for Off-the-Record and is a cryptographic protocol that provides strong encryption for instant messaging (IM) conversations. OTR uses a combination of different encryption algorithms, perfect forward secrecy (PFS) and deniable encryption. Sounds good right? It is. And thanks to Adium you have this encryption right at your fingertips. OTR is not limited to Adium, other clients use it too but for OS X I’ve found Adium to be the best (and almost only) available option. There is a lot of material out there that allows you to learn more about OTR and it’s really interesting.

If you have a buddy list of some kind and chat using the following services, then you may want to consider Adium to encrypt those chats. Of course the person you are chatting with needs a chat client that supports OTR as well so it is able to decrypt your messages and send encrypted messages of it’s own. The currently supported messaging services are: – Google Talk – Facebook Chat – LiveJournal – AIM – ICQ – MobileMe / iChat (even though MobileMe no longer exists, your account still works) – MSN / .Net / Live – Yahoo Messenger – Twitter – Bonjour – IRC – MySpace IM – Skype – QQ and plenty more.

Worried about or warned to stay away from certain companies because of PRISM or other spy programs, don’t worry. If you encrypt your chats then you can use Facebook, Apple or Google servers for the service and still have confidential conversations. Use their servers and services for your benefits without giving them any of your data ?

Getting started First, do some research to find out if Adium is right for you. As I’ve mentioned before, always do your own research. Don’t just take my word for it or anyone else’s, see if you agree with the privacy policies etc. and then make up your own mind. You can find Adium’s website here, some info about Adium here and their privacy policy can be found… well, nowhere. It appears there isn’t one. I did hear it mentioned that no conversations or other traffic (other than updates and anonymous stats) go through Adium’s server (disable the collection of anonymous system profile in Preferences > General if you want). After monitoring Adium’s traffic for a while I found that this is indeed the case, as far as I can see. Once you feel you have done your homework and trust Adium to handle your private information, download and install it.

Setting up Adium Start by setting up one or more of your IM accounts in Adium. When that is done go to the Preferences > General. Disable the logging of messages or at least disable the logging of OTR-secured chats. Thanks to the way OTR works there is deniability that can be used in case logs are ever compromised but it’s better to take away this piece of the puzzle in case someone does ever get a hold of your computer/data/logs. Personally I do not keep logs of any kind. I find it respects the other party’s privacy and/or security whether they asked for it or not. And if my Mac is ever compromised and somehow my data is accessible, there won’t be any transcripts or logs to go through that can be used against me or anyone I’ve spoken with. (using a strong password and encryption to secure your hard drive(s) further help in securing any type of logging the system does etc.)

Next, while still in Preferences, click on Advanced and find ‘Encryption’. Here you can see the private keys that are generated for each account you have set up, your fingerprint for that account and saved fingerprints for buddies you have previously verified and had encrypted chats with. If you feel at any time that your account, computer, internet connection or the identity of the other party was compromised, use the ‘Regenerate’ button to create a brand new key/fingerprint. Or even if everything is OK you can create a new key just for piece of mind. Keep in mind that every time a new key is generated you have to somehow get this key to the receiver so they can verify your identity and that increases the risk of the key being intercepted. I was told that while opinions on regenerating the key differ, to just keep one key for a long time is best for now.

Make your way back to the Accounts tab and double-click on each account. One of the tabs in the window that opens is ‘Privacy’ and in there you can set OTR preferences. You can set one or more of your accounts to “Encrypt chats automatically”. What this will do is add an invisible string to your unencrypted messages which other OTR capable clients will respond to so if you are messaging to another OTR capable client, encryption will be enabled and if the other party is not OTR capable the string will be ignored and the chat session will proceed unencrypted.

Your first encrypted chat Open a chat window and you’ll see the lock icon at the top. Click this and select “Initiate Encrypted OTR Chat”.

Both you and the receiver will now see a pop-up message asking to verify each others fingerprints. Instead of just clicking “Accept”, contact the other party to verify this fingerprint!

Be smart when contacting the other party to verify their fingerprint. For example phone conversations are monitored by every government around the planet so this is not considered secure. Best is to write fingerprints down and exchange them in person. If that is not an option be creative but careful, you do not want your key intercepted. As mentioned, your key and the keys of users you have already verified are stored in Adium’s preferences so it is important to keep anyone other than yourself away from those preferences. Use a login password, full disk encryption like FileVault and a screensaver password so that these keys can not be compromised while you are away from your keyboard.

If your key/fingerprint is compromised at some point then future messages could be at risk but messages sent and received in the past can not be decrypted using this key. This is, in my opinion, one of the biggest advantages over PGP encryption or applications such as Cryptocat where years of messages can be decrypted if the key falls into the wrong hands or a flaw is discovered.

Anyway, that’s all there is to it! A quick setup and one button. All it takes to have some privacy and, if need be, deniability for your chat and messaging sessions. Some things to note about Adium: – It uses OS X’s File Quarantine feature so any files transferred through Adium will be flagged for extra security. – Resource usage is very low, some of the lowest i’ve seen in any chat or messaging application. – Adium is completely free. – OTR in Adium will be improving with the addition of the Socialist Millionaire protocol allowing for authentication via a shared secret rather than a fingerprint. I’ll write a follow-up post about that once the feature has been released.

Give Adium a try and check out the many other features it has to offer. Thanks to the guys I spoke with for providing me with a lot of the information ?

Leave a Reply

Your email address will not be published. Required fields are marked *