Welcome to our introduction to the OTR Messaging protocol.
We all use messaging services, like SMS, WhatsApp, iMessage, Google Hangouts and Facebook messenger at work or for private conversations. Unfortunately, popular services are highly compromised when it comes to privacy and we advise you to stay away. There are much better options. In this post, we will focus on Off-the-Record Messaging.
OTR stands for Off-the-Record Messaging and is a protocol that integrates message encryption into instant messaging. The encryption method used is the Advanced Encryption Standard (AES). The OTR protocol can be used with any chat or instant messaging service, so you can use your existing accounts. OTR makes the conversations absolutely private, even if you are using a popular messaging service that is not designed for security.
The protocol takes the encryption methods of PGP a step further. With PGP encryption, you can find out what keys were used to encrypt the message. With that information, it is possible to find out that two participants communicated with each other, but an adversary still cannot decrypt the PGP-message.
With the OTR protocol, that is not possible. This principle is called “plausible deniability”, because no one can ever prove that a conversation took place. Out of the chat methods mentioned in this chapter, OTR is designed to give you the most advanced privacy. If you are living under an authoritarian regime, you need OTR Messaging.
The plausible deniability benefit really comes into play if you contacted someone who is actually not trustworthy with OTR Messaging. That person might want to report you to the authorities. This is, however, not possible after your chat session ends. OTR uses a signature to open every conversation (authentication), but messages are not signed with your private key. They are only “marked” with a short-lived value similar to a private key. Therefore, you cannot decrypt a message at a later point, because you do not have the necessary key anymore. That also applies to the adversary that was trying to report you. They cannot even prove that the conversation took place, because the messages are unsigned. Neither can they make use of the “cryptographic nonsense” that messages become through OTR, at a later point. No one will be able to decrypt that, not even when they get hold of your original private key.
Unfortunately, OTR is only possible between 2 people at the moment. Group chats could be added in the future. Support for audio, video, photos and other files is not planned. That should not be a huge problem, since you can simply encrypt the file with a different method. Then you can send it however you want. An unencrypted email is safe if you send encrypted files as attachments. Unless the simple act of having email contact with someone is considered suspicious.
Please note: Always make sure that you are using the current version 4.0.2 of OTR. Version 1 has some significant security issues and is no longer recommended. It is vulnerable to man-in-the-middle attacks.
The OTR protocol follows four principles that make it secure. Those are:
Encryption is so effective that some countries even make using encryption a crime or legally force suspects to decrypt their data for law enforcement. How can these countries have the impudence to call themselves democracies?
On this website, you can check which countries have such laws.