8 June 2013

Secure instant messaging: a brief guide

So, you’re angry about the NSA logging all your instant messages and phone calls, and want to do something about it? Here’s some info on what you can do.

To start off, I assume that your goal is cross-platform secure messaging. That is, solutions which don’t interoperate with other platforms aren’t useful, because not all your friends use the same OS as you. Also not useful is SMS, because not everyone uses their phone for everything.

That being the case, the clear winner is the combination of the OTR standard and XMPP.

Next, I’m going to shamelessly favor free and open source software. Why? Because it was recently revealed that Skype’s supposed end-to-end encryption is no such thing, and Microsoft is monitoring all the URLs sent. They reportedly pass on your data too. It’s harder to hide crap like that when the software is open source.

I’m also going to favor software that supports OTR ‘out of the box’, without needing you to install plugins or other add-on software.

Step 1: Choose your client software

Android

Xabber and Gibberbot are both open source multi-protocol multi-account IM clients with OTR support. Xabber has the best support for advanced features like delivery receipts (so you know the other person got your message). Gibberbot is more lightweight, and is dead easy to connect with your Google account (about which more later).

iPhone

Only one option for iPhone, as far as I can tell.

Mac OS X

Adium is the most ‘pure Mac’ experience, and probably your best bet. Jitsi has the advantage that it supports secure encrypted voice and video calls as well as IM. Psi+ is aimed at ‘power users’.

Windows

The popular proprietary client Trillian also supports OTR via a plugin. I don’t have any recent experience with Windows IM software, but Pidgin is probably a good bet for working OTR.

Linux

  • Kopete, the standard KDE IM program, ships with OTR support built in.
  • Pidgin is a good option for GNOME users. In Ubuntu, install pidgin-otr.
  • Jitsi works on Linux as well as Windows and OS X.
  • Gajim is a lightweight IM client which apparently has OTR.
  • Psi+ is an enhanced version of the open source Psi IM client. It runs on Mac OS X, Windows and Linux, and apparently now has OTR support built in.

Not mentioned

I’ve been unable to find any secure IM clients for Windows Phone or BlackBerry.

There are console-based clients which have OTR support, but I assume if you can handle a terminal window you probably don’t need my help picking an IM client.

Step 2: Choose your network

All of the above software uses XMPP, the Internet standard protocol for instant messaging. Unfortunately, right now the big players in IM refuse to make their IM systems interoperable because they want to trap you in their walled gardens.

  • Facebook have instructions for Pidgin and Adium, as well as generic Jabber/XMPP instructions under “Other”.
  • The site xmpp.net has a list of public XMPP providers. Unlike Facebook, these guys all talk to each other, so you can join any server and message anyone on any other server; this is known as “federation”. One option is DuckDuckGo.
  • Google still support XMPP via their Google Talk API. There are instructions available for configuring Pidgin, Kopete, Adium, and other clients. At the moment, Google still support federation if you log in with an XMPP client, but it’s possible that in the future they’ll shut that down and you’ll only be able to message people with Google accounts.
  • Microsoft recently killed off Windows Live Messenger (which supported XMPP), and pushed everyone over to Skype. The back end servers are still there, but I can’t see any point in starting to use a service that’s going away. Skype doesn’t currently seem to support XMPP access.
  • Apple used to use XMPP for IM, but iMessage uses a different (proprietary) protocol.

So the choice is yours. If you choose Facebook, you can only talk to other Facebook users. If you choose Google or some other XMPP provider, you can talk to anyone. I’m using Google, for at least as long as their XMPP keeps working.


© mathew 2017