Encryption and You

Posted by on December 24, 2011.

In the past, I’ve written about internet anonymity and Facebook account hijacking, and I’ve briefly touched on password security (a revision is coming soon). Today we’re going to be talking about message encryption and why it matters to you.

As you should already be aware, Facebook stores more information about you than you even know about yourself. They collect personal information in at least 57 categories, including every chat conversation you’ve ever had on Facebook. While Facebook may do a good job safeguarding this data, there is always the possibility of your account being hacked. Most people will find themselves having more than generic conversations on Facebook, and even though it may be convenient to have every previous conversation right at your fingertips (they are automatically stored in your Facebook history), when your account ends up in the wrong hands you can say goodbye to privacy.

A solution to this issue has already been proposed in Ian Goldberg’s paper, Off-the-Record Communication, or, Why Not To Use PGP, so instead of rephrasing Ian’s article, I am going to summarize it (for your convenience), expand upon it, and then demonstrate how to set up off-the-record (OTR) communication with Facebook Chat. Finally, I will add a few concluding remarks and suggestions, and provide additional resources for learning.

The Basics, and a brief summary of OTR Communication, or, Why Not To Use PGP

The goal is simple:

The notion of an off-the-record conversation well-captures the semantics one intuitively wants from private communication: only the two parties involved are privy to the contents of the conversation; after the conversation is over, no one (not even the parties involved) can produce a transcript; and although the participants are assured of each other’s identities, neither they nor anyone else can prove this information to a third party. (Goldberg 2)

OTR provides:

  • Encryption – Messages are encrypted, so no one else can read them.
  • Authentication – You can be sure a message is coming from the person you are conversing with.
  • Deniability – No one can prove you sent a message; your correspondent, however, trusts that any message they receive from you during the conversation is authentic.
  • Perfect Forward Secrecy (PFS) – If your private key is later lost or compromised, no previous conversation is compromised.
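To make the last two properties concrete, here is a deliberately simplified OTR-style exchange written for this post (it is not the post’s code and not libotr): each message is keyed by a fresh Diffie-Hellman secret, the sender throws its old private key away, and the receiver publishes the MAC key once it has checked the message. The DH group, the HMAC-based stream cipher and the direct public-key swap that stands in for OTR’s authenticated key exchange are all toy stand-ins chosen to keep the example short.

```python
import hashlib, hmac, secrets

# Toy DH group for illustration only; real OTR uses the 1536-bit MODP group.
P, G = (1 << 127) - 1, 5   # the Mersenne prime 2^127 - 1 and a generator

def keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def derive_keys(shared):  # hash a DH shared secret into separate encryption and MAC keys
    s = shared.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + s).digest(), hashlib.sha256(b"mac" + s).digest()

def xor_stream(key, data):  # toy stream cipher (HMAC counter keystream); OTR uses AES-CTR
    blocks = range(len(data) // 32 + 1)
    keystream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, keystream))

class Party:
    def __init__(self):
        self.priv, self.pub = keypair()   # current ephemeral DH key pair
        self.peer_pub = None              # peer's most recently announced DH public key
        self.revealed_mac_keys = []       # MAC keys published once no longer needed

    def send(self, plaintext):
        enc_key, mac_key = derive_keys(pow(self.peer_pub, self.priv, P))
        next_priv, next_pub = keypair()
        body = next_pub.to_bytes(16, "big") + xor_stream(enc_key, plaintext)
        tag = hmac.new(mac_key, body, hashlib.sha256).digest()
        self.priv, self.pub = next_priv, next_pub   # old private key is gone: forward secrecy
        return body + tag

    def receive(self, msg):
        body, tag = msg[:-32], msg[-32:]
        enc_key, mac_key = derive_keys(pow(self.peer_pub, self.priv, P))
        if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
            raise ValueError("bad MAC: message rejected")
        self.peer_pub = int.from_bytes(body[:16], "big")   # ratchet to the peer's next key
        self.revealed_mac_keys.append(mac_key)             # publishing it gives deniability
        return xor_stream(enc_key, body[16:])

def demo(text=b"hey! let's go OTR."):
    alice, bob = Party(), Party()
    alice.peer_pub, bob.peer_pub = bob.pub, alice.pub   # stands in for OTR's key exchange
    wire = alice.send(text)
    received = bob.receive(wire)
    stale = derive_keys(pow(bob.pub, alice.priv, P))[0]   # best key Alice's new state can derive
    recoverable = xor_stream(stale, wire[16:-32]) == text  # False: forward secrecy
    forgeable = hmac.new(bob.revealed_mac_keys[0], wire[:-32], hashlib.sha256).digest() == wire[-32:]
    return received, recoverable, forgeable                # forgeable is True: deniability
```

A transcript signed with a MAC key that has since been published proves nothing to a third party, which is exactly the deniability Goldberg describes, while the discarded private key is what keeps an old conversation safe if the current one is compromised.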

If you would like to initiate an OTR conversation with a friend, all you need to do is start an encrypted chat, after which they should verify your fingerprint.

Fingerprint – A form of authentication that consists of 40 letters/numbers that let you identify an OTR user.

If you’d like to read more about OTR fingerprints (which you should), check it out at cypherpunks.ca.
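Those 40 characters are a 160-bit SHA-1 hash of the serialized long-term public key written out in hex, which is why the client shows them in five groups of eight. The small example below was added for this post (it is not libotr’s code) to show what the verification step actually compares; the key bytes are constructed placeholders, not real OTR DSA keys.

```python
import hashlib
import hmac

def otr_fingerprint(pubkey: bytes) -> str:
    """SHA-1 over the serialized long-term public key: 160 bits = 40 hex characters."""
    return hashlib.sha1(pubkey).hexdigest().upper()

def human_readable(fp: str) -> str:
    """Group into 5 blocks of 8, the way Pidgin and Adium display an OTR fingerprint."""
    return " ".join(fp[i:i + 8] for i in range(0, 40, 8))

def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare what your client shows with what your buddy read out over another channel.
    Spacing and case are ignored; the comparison itself is constant-time."""
    a = "".join(shown.split()).upper().encode()
    b = "".join(expected.split()).upper().encode()
    return len(a) == 40 and hmac.compare_digest(a, b)

# Constructed sample keys (not real OTR keys): the buddy's genuine key and a substituted one.
BUDDY_KEY = b"constructed-dsa-public-key-of-my-buddy"
SUBSTITUTED_KEY = b"constructed-dsa-public-key-of-an-interceptor"

def verify_buddy(key_received: bytes, fingerprint_read_aloud: str) -> bool:
    """True only if the key the client received hashes to the fingerprint your buddy told you."""
    return fingerprints_match(human_readable(otr_fingerprint(key_received)), fingerprint_read_aloud)
```

If someone sits between you and your buddy and substitutes their own key, the fingerprint your client shows will not match the one your buddy reads to you, which is the whole point of checking it over a second channel.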

Why OTR with Facebook Chat?

When going OTR with Facebook Chat, you get the added benefits of OTR (encryption, authentication, deniability, and PFS) with the convenience of chatting with friends on Facebook. Although these messages will still be archived, they will only appear as encrypted messages, and Facebook will never be able to read them. It is also important to note that an OTR conversation is only established when the users on both sides of the conversation are capable of going OTR.

Before we get started…

Unfortunately, this process can’t be any more streamlined than what I am about to explain to you. I will now break the next section down into multiple parts; you only need to read the part that corresponds to the operating system you use.

Setting up OTR with Facebook Chat (on Windows/Linux)

Chatting with OTR on Windows or Linux requires you to download an IM client that supports the XMPP protocol, as well as the OTR plugin. For the sake of this guide, I would suggest using Pidgin (for alternatives, see the Additional Resources section).

  1. Download and install the latest version of Pidgin @ pidgin.im.
  2. Upon starting Pidgin, add a new account, choosing the Facebook protocol. Enter your Facebook username and password.
    Note: Your username will not be the email address you log into Facebook with. If you are unsure of it, go to the General Account Settings and it will appear under ‘Username’.
  3. After adding the account, Pidgin will automatically try to log you in. If you are prompted to accept an SSL certificate, do so.
  4. Now, download and install the latest version of the OTR plugin for Pidgin @ cypherpunks.ca.
  5. Enable OTR by navigating to Tools > Plugins (CTRL+U) in Pidgin and checking the box to enable “Off-the-Record Messaging”.
  6. Generate a fingerprint for yourself by double-clicking the “Off-the-Record Messaging” plugin and clicking “Generate”. Once generated, be sure “Enable private messaging” and “Automatically initiate private messaging” are checked. From now on, when you want to chat on Facebook, use Pidgin!

How to initiate an OTR conversation?

From the OTR menu at the top of the message window to your buddy, choose ‘Start private conversation’. Once a private conversation has been initiated, be sure to authenticate your buddy via fingerprint or question. Provided they authenticate properly, you should now be notified that the private conversation is in effect.

Setting up OTR with Facebook Chat (on Mac)

Chatting with OTR on a Mac only requires the popular IM client Adium. Alternatives to Adium are available in the Additional Resources section.

  1. Download and install the latest version of Adium @ adium.im.
  2. Adium will run a setup assistant upon its first run. Choose to use Jabber as the service. Your Jabber ID will be username@chat.facebook.com (e.g. tom321@chat.facebook.com) and your password will be the one you use for Facebook.
    Note: Your username will not be the email address you log into Facebook with. If you are unsure of it, go to the General Account Settings and it will appear under ‘Username’.
  3. For the most part, we’re set up. Fortunately, Adium comes with OTR support out of the box. Let’s make sure OTR is automatically initiated and generate our fingerprint. In the Adium menu, go to ‘Preferences…’ (Cmd+,). Double-click your Facebook account, go to the Privacy tab, and be sure the encryption drop-down box is set to “Encrypt chats automatically”.
  4. Next, go to the Advanced tab, choose Encryption (on the sidebar), select your Facebook account from the drop-down box and click ‘Generate’. From now on, when you want to chat on Facebook, use Adium!

How to initiate an OTR conversation?

Start a conversation with a friend (e.g. to me: “hey! let’s go OTR.”). With the message window in focus, navigate to Contact > Encryption > ‘Initiate Encrypted OTR Chat’. Once your OTR proposal has been accepted, request verification of your buddy’s fingerprint by navigating to Contact > Encryption > ‘Verify…’. Once authenticated, happy private chatting!

Conclusion

Unfortunately, most people stay on the record because of the convenience of chatting through facebook.com. For those who would like added privacy, I would highly suggest moving to an IM client that supports OTR.

Additional Resources

Listed below are a few resources that may help you gain additional knowledge about OTR.
