
Chapter 4e. Using an Instant Messenger

This chapter will instruct you on how to use an instant messenger account with the Off-The-Record (OTR) plugin. OTR is a plugin that provides end-to-end encryption for instant messenger sessions, thus making the chats much more secure. Before using an instant messenger, understand the following issues with it, as detailed in the Whonix documentation at https://www.whonix.org/wiki/Chat:

“Most of instant messenger protocols are unsafe from a privacy point of view. This is not a Whonix specific problem. It is a general problem with instant messengers. [...]

Tor Exit Node eavesdropping can happen if no encryption to the server is enabled. Some protocols have encryption disabled by default, some do not support encryption at all. See also Overview about Pidgin protocols and their encryption features. If encryption to the server is enabled, the Tor Exit Node can no longer eavesdrop. One problem solved, another problem remains unsolved. The server could still gather interesting information:

- Account names
- Buddy list (list of contacts)
- Log login dates and times
- Timestamp of messages
- Who communicates with whom. If the recipient knows the sender and the recipient uses a non-anonymous account or was ever logged in without Tor, this can be used as a hint who the sender is.
- Content of messages - Can be prevented using end-to-end encryption. This is covered [by] OTR.

A server-based protocol designed with openness, security and privacy in mind is Jabber.”

With that in mind, it is strongly recommended that you use a Jabber account. As of this writing, the best-known Jabber server, Jabber.org, is not accepting new registrations. However, this is unimportant. If you create a Jabber account with any Jabber server, you will be able to communicate with anyone who uses Jabber on any other server. Some Jabber servers offer different encryption services than others. In this tutorial, the Tor hidden service for jabber.calyxinstitute.org will be used as an example; it is a server with an A grade from the security rating system at https://xmpp.net/result.php?domain=jabber.calyxinstitute.org&type=client.

Chapter 4E - A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System

1. You first need to install two programs to use instant messaging, Pidgin and Pidgin-OTR. Pidgin is your instant messenger client. Pidgin-OTR is a plugin for Pidgin that provides end-to-end encryption between yourself and the person on the other side of your chat. If you do not use Pidgin-OTR, assume that your communications can be intercepted and read. To install these programs, first you need to open up a Konsole session. Double-click on Konsole on your Desktop.

2. At the command prompt in the window that appears, type “sudo apt-get install pidgin pidgin-otr” and press “enter.” You may be prompted to enter your password. Type your password and press “enter.” When asked “Do you want to continue? [Y/n]” type “Y” and press enter.

3. When the installation process is finished and you've returned to a command prompt, type “exit” and press “enter.”


4. For simplicity, now add a shortcut for Pidgin to your desktop. Click on the K start button and go to "Applications → Internet." Right-click on "Internet Messenger" and select "Add to Desktop." A shortcut to "Pidgin Internet Messenger" will now be on your desktop.


5. After you add the icon to the Desktop, the Start Menu will still be open. Click on "Internet Messenger" to open Pidgin.


6. On the next window that appears, click on the “Add” button.


7. When the next window appears, open up an instance of KeePassX. Generate a password and an anonymous account name for your instant messenger account in KeePassX and save them.

8. Return to the Pidgin window. Now, you need to choose the protocol for Jabber. Click on the pulldown menu next to “Protocol” and choose “XMPP.” XMPP is the protocol for Jabber. Then, type the user name you wish to use next to “Username” and type “jabber.calyxinstitute.org” next to “Domain.” Then, click on the checkbox next to “Create this new account on the server.” Finally, click on the “Advanced” tab.


9. Next, make sure the chosen option next to “Connection security” is “Require Encryption.” Then, to use the Tor hidden service, type “ijeeynrc6x2uy5ob.onion” in the field next to “Connect Server.” Then, uncheck the box next to “Show Custom Smileys.” Finally, click the “Add” button.


10. The next window that appears will inform you that the SSL certificate you received from ijeeynrc6x2uy5ob.onion belongs to “*.calyxinstitute.org.” Click the “Accept” button.

11. In the next window, enter the username you wish to use again in the “User” field and copy the password you created with KeePassX into the “Password” field. Finally, click the “OK” button.

12. If your account was successfully created, you will see the window below. Click on the “Close” button to continue.

Note: When you give out your Jabber screen name, it is similar to email. In this example, if you wanted to tell someone what your screen name was, it would be “anonymousalias@jabber.calyxinstitute.org”. All Jabber accounts follow the username@jabberserverdomain syntax.


13. Now you need to enable your account to log in. Click on the checkbox under “Enabled” next to the Jabber account you created so the box is checked.

14. The next window that appears will prompt you for your password. Copy your password from KeePassX and enter it into the field next to “Enter Password.” Then, click on the “OK” button.

Note: Do not use the “Save Password” option. Pidgin does not store passwords and account details in an encrypted format. Thus, if an attacker compromises your machine and reads your Pidgin configuration file, they can get the password to your Jabber account. The safest option is to use KeePassX to store your password and enter it into Pidgin when prompted as the program starts in the future.
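The plaintext-storage risk in the note above (repeated in point 6 of the checklist at the end of this chapter) can be checked rather than taken on trust. The script below is an added example, not part of this guide or of Pidgin: it parses the accounts.xml layout Pidgin writes under ~/.purple and reports every account that carries a saved <password> element, and every XMPP account whose connection_security setting is not require_tls (the setting behind “Require Encryption” in step 9). The setting and value names, and the file layout, are stated here as assumptions about Pidgin's format; the embedded sample file is constructed for the example and its password is a placeholder.

```python
"""Audit Pidgin's accounts.xml for saved plaintext passwords (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for ~/.purple/accounts.xml:
# a root <account> element holding one <account> child per configured account.
# Account 1 ticked "Save Password"; account 2 did not. Values are placeholders.
SAMPLE_ACCOUNTS_XML = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>anonymousalias@jabber.calyxinstitute.org/</name>
    <password>placeholder-saved-password</password>
    <settings>
      <setting name='connection_security' type='string'>opportunistic_tls</setting>
    </settings>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>otheralias@jabber.calyxinstitute.org/</name>
    <settings>
      <setting name='connection_security' type='string'>require_tls</setting>
      <setting name='connect_server' type='string'>ijeeynrc6x2uy5ob.onion</setting>
    </settings>
  </account>
</account>
"""

# Assumed (not taken from the guide): the value Pidgin stores for "Require Encryption".
REQUIRED_SECURITY = "require_tls"


def audit_accounts(xml_text):
    """Return a list of (account name, [issues]) for every account in the file."""
    root = ET.fromstring(xml_text)
    findings = []
    for acct in root.findall("account"):
        # Pidgin appends the resource after a slash; strip it for display.
        name = (acct.findtext("name") or "").rstrip("/")
        issues = []
        # A non-empty <password> element is the password in the clear on disk.
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            issues.append("password saved in plaintext; clear 'Save Password'")
        settings = {s.get("name"): (s.text or "").strip()
                    for s in acct.findall("settings/setting")}
        if acct.findtext("protocol") == "prpl-jabber" \
                and settings.get("connection_security") != REQUIRED_SECURITY:
            issues.append("connection security is not 'Require Encryption'")
        findings.append((name, issues))
    return findings


def audit_file(path=os.path.expanduser("~/.purple/accounts.xml")):
    """Audit the real file; returns the same structure as audit_accounts."""
    with open(path, encoding="utf-8") as fh:
        return audit_accounts(fh.read())


if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_ACCOUNTS_XML):
        print(name, "->", "; ".join(issues) if issues else "ok")
```

Run it on the sample and the first account is reported twice over (saved password, weak connection security) while the second is clean; point audit_file at the real path to check your own configuration after following steps 9 and 14.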


15. You will next be returned to the “Accounts” window. Click on the “Close” button.

16. Next, from the Pidgin “Buddy List” window, click on “Tools → Plugins.”


17. Now, you need to configure the OTR plugin for future use. Scroll down until you see “Off-the-Record Messaging.” Click the check box next to it so it is “enabled.” Then, click on “Configure Plugin.”


18. In the next window that appears, make sure every box is checked. Of particular importance is to mark the “Require private messaging” box. If someone does not have the option of chatting with you via an OTR encrypted session, then they aren't worth chatting with. Using an instant messenger service without OTR will put both you and the person you are talking to at risk of having your communications intercepted.

When you are done marking the boxes, click on “Generate.” This will create your unique 
OTR private key for your account.  

Note: If you create more than one account, you will need to generate an OTR key for each.


19. A “generating private key” window will next appear. When it says “done,” click the “OK” button.


20. When you are returned to the previous “Off-the-Record Messaging” configuration window, click on the “Close” button.


21. Next, do the final configuration tweaks to Pidgin. Click on “Tools → Preferences.”


22. On the next window, click on the “Conversations” tab on the left side of the window. Then unmark the “show formatting on incoming messages,” “enable buddy icon animation,” “notify buddies that you are typing to them,” “highlight misspelled words,” “use smooth-scrolling” and “resize incoming custom smileys” options. When your window looks like the image below, continue to the next step.

23. Click on the “Logging” tab on the left side of the window. Unmark every option here. When your screen looks like the image below, continue to the next step.


24. Next, click on the “Proxy” tab on the left hand side of the window. Then, select “Tor/Privacy (SOCKS 5)” in the pull down menu next to “Proxy type.” Next, type “10.152.152.10” in the field next to “Host.” Then, type “9103” in the field next to “Port.”

25. Click on the “Sounds” tab on the left side of the window. Enable the “mute sounds” option. When your screen looks like the image below, continue to the next step.


26. Click on the “Status / Idle” tab on the left side of the window. Then, click on the pull down options next to “Report idle time” and select “Never.” Next, unmark the box next to “change to this status when idle.” Finally, click on the pull down options next to “Auto-reply” and select “Never.” When your screen looks like the image below, continue to the next step.


27. Click on the “Themes” tab on the left side of the window. In the pull down options next to “Smiley Theme,” select “none.” Then, click on the “close” button.


28. Next, when you have returned to the “Buddy Icons” window, click on “Tools → Privacy.”


29. In the pull down option field beneath the “Set privacy for: {your nickname},” select “Allow only the users on my buddy list.” Then click “Close.”

Note: In the future, only users on your buddy list will be able to send you messages. There are trade-offs here. On one hand, you will be creating a buddy list that will be stored on the Jabber server you use. If an attacker gains access to the server, whether through an exploit or legal process, they will be able to access your buddy list and possibly profile you based on who it contains. On the other hand, this also weakens the ability of random attackers to exploit vulnerabilities in your client by directly sending you a message before you've authorized them to be in your buddy list.

Congratulations. You have now installed and configured Pidgin for general use in Whonix. The remainder of this chapter will instruct you on how to chat with others using Pidgin with OTR.


30. To initiate a chat with someone, first add them to your Buddy List. From the “Buddy List” window, click on “Buddies → Add Buddy.”


31. In the next window, type the contact address of the person you wish to chat with in the field next to “Buddy's username.” This will be in the format of username@JabberServerDomain. Then, click on the pull down menu next to “add buddy to group” and select the group you wish to add the contact to. When finished, click the “Add” button.

Note: The contact you add will not appear in your Buddy List immediately at this point. This is because your contact must authorize you to add them to your Buddy List and, after you are authorized, must be online.


32. When your newly added contact has authorized you to add them to your Buddy List, you will see their screen name appear in your Buddy List if they are online. You will also be prompted by Pidgin to authorize them to add you to their Buddy List. If it is someone you contacted, or someone you wish to chat with, click on the “Authorize” button.

33. Next, to chat with a contact in your Buddy List, double-click on their screen name.


34. In the next window that appears, you need to start an OTR “private conversation.” Click on “OTR → Start private conversation.”

Note: Since you set private conversations as “required” in the OTR configuration, simply 
typing some text and sending it will also start a private conversation.  However, until the 
private conversation handshake is completed between you and the other user, anything that 
you've typed will not be seen by them. Thus, it's better to use the method above and wait for 
the confirmation that the private conversation has started. 


35. Eventually, you will receive a message that your “private conversation” has started. However, note the “Unverified” status message. Also, notice the “Unverified” icon towards the lower right corner that is highlighted in red in the image below. These inform you that you haven't verified the identity of the person you are chatting with yet.

For future security purposes, you need to verify the identity of the sender. Click on the 
“Unverified” icon highlighted in red in the image above and select “Authenticate buddy.”


36. On the next screen, click on the pull down menu under “how would you like to authenticate your buddy” and choose “manual fingerprint verification.” The contact's fingerprint will be listed directly below yours, and is a series of five strings of random letters and numbers.

If you currently have the ability to communicate with your contact in real time by another 
channel, such as IRC, have them repeat what their OTR fingerprint is. If it matches up, you 
are safe. If not, you may be experiencing a man-in-the-middle attack and, thus, may have an 
unsafe communication session. If the contact asks for your fingerprint, supply them with 
what is shown as your OTR fingerprint in this window by the same means. 

If you have no way to initially authenticate your contact in real time, find a means to 
confirm it with them later outside of Jabber. Other options may exist for this, such as an 
encrypted email signed with a corresponding GPG key (which will be discussed in the next 
chapter), Twitter, or some other communication service. 

If you choose to authenticate the contact without actually verifying their fingerprint, be wary 
of discussing anything sensitive in the Pidgin chat until you have confirmed that you are 
indeed chatting with the contact you want.

Once you have finished the manual verification procedure (or have concluded that you can't), select “I have” in the pull down menu preceding “verified that this is in fact the correct fingerprint for [contact name]” and click on the “Authenticate” button.


37. Notice how the status of the conversation has changed to “Private,” which is highlighted in red in the image below. For all future conversations with this contact, if their OTR key has remained the same, the status will always be marked as private. IMPORTANT: If the status ever reverts to “Unverified,” you may not be talking to the contact. It could be that someone has hacked his Jabber account or that a server somewhere in the middle has meddled with the encryption process. Be very wary if a contact who you've verified reverts to an unverified status.
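Steps 36 and 37 come down to two mechanical checks: does the fingerprint read back over the other channel match what Pidgin shows, and does the key a contact presents today match the one you verified earlier? The Python below is an added example, not part of this guide or of Pidgin or libotr. It normalises fingerprints as people read them aloud (spacing, colons, case), compares them in constant time, and looks a live session's fingerprint up in a store laid out like the otr.fingerprints file under ~/.purple (one tab-separated line per known key: buddy, account, protocol, fingerprint, trust; that layout is stated as an assumption). The store contents and all fingerprints are constructed for the example.

```python
"""OTR fingerprint comparison and key-change detection (added example)."""
import hmac
import os
import re

HEX40 = re.compile(r"[0-9A-F]{40}")


def normalize_fingerprint(text):
    """Canonical form of an OTR fingerprint as read aloud or pasted.

    Pidgin shows it as five groups of eight hex characters; people read it
    back with or without spaces, colons or lowercase. Returns None unless
    exactly 40 hex digits remain, so a partial read-back never 'matches'.
    """
    compact = re.sub(r"[\s:]", "", text).upper()
    return compact if HEX40.fullmatch(compact) else None


def fingerprints_match(shown, read_back):
    """True only if both are valid fingerprints and identical (constant-time)."""
    a, b = normalize_fingerprint(shown), normalize_fingerprint(read_back)
    if a is None or b is None:
        return False
    return hmac.compare_digest(a.encode(), b.encode())


# Constructed store in the layout assumed for ~/.purple/otr.fingerprints:
# buddy <TAB> account <TAB> protocol <TAB> fingerprint <TAB> trust
# (trust is empty for keys you never verified). Keys below are made up.
SAMPLE_STORE = (
    "friend@jabber.calyxinstitute.org\tanonymousalias@jabber.calyxinstitute.org"
    "\tprpl-jabber\t3f9a12bc0d4e5f6789abcdef0123456789abcdef\tverified\n"
    "acquaintance@jabber.calyxinstitute.org\tanonymousalias@jabber.calyxinstitute.org"
    "\tprpl-jabber\tdeadbeef00112233445566778899aabbccddeeff\t\n"
)


def load_store(text):
    """Map (buddy, account, protocol) -> list of (fingerprint, trust)."""
    known = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4:
            continue  # blank or malformed line
        buddy, account, protocol, fp = parts[:4]
        trust = parts[4] if len(parts) > 4 else ""
        fp = normalize_fingerprint(fp)
        if fp is not None:
            known.setdefault((buddy, account, protocol), []).append((fp, trust))
    return known


def classify_session(known, buddy, account, protocol, presented):
    """Classify the key a live session presents against what was stored before."""
    fp = normalize_fingerprint(presented)
    if fp is None:
        return "invalid"
    entries = known.get((buddy, account, protocol), [])
    for stored, trust in entries:
        if hmac.compare_digest(stored.encode(), fp.encode()):
            return "verified" if trust else "unverified-known"
    if any(trust for _, trust in entries):
        # The IMPORTANT case from step 37: a contact you verified now has another key.
        return "ALERT-key-changed"
    return "unverified-new"


def load_store_file(path=os.path.expanduser("~/.purple/otr.fingerprints")):
    """Load the real store; same structure as load_store."""
    with open(path, encoding="utf-8") as fh:
        return load_store(fh.read())


if __name__ == "__main__":
    store = load_store(SAMPLE_STORE)
    me, proto = "anonymousalias@jabber.calyxinstitute.org", "prpl-jabber"
    print(classify_session(store, "friend@jabber.calyxinstitute.org", me, proto,
                           "3F9A12BC 0D4E5F67 89ABCDEF 01234567 89ABCDEF"))
    print(classify_session(store, "friend@jabber.calyxinstitute.org", me, proto,
                           "DEADBEEF 00112233 44556677 8899AABB CCDDEEFF"))
```

The second call in the main block is the situation the guide warns about: the contact was verified with one key and a session now presents another, so the result is an alert rather than a quiet downgrade to “unverified.”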

Sending messages at this point is straightforward. In the section of the screen shot below 
where you see “this is where you type text,” that is where you type messages to be sent to 
your contact.  When you are ready to send it, press the “enter” key. 


The message you sent will show up next to your name which will be blue. Messages you 
receive will show up next to the contact's name which will be red.


38. Pidgin is also controlled by an icon that sits in the lower right corner of your Taskbar. It is highlighted in red in the image below.

First, enable the icon to blink when you receive new messages. This will make it easier for 
you to know someone has sent you a message if you are using other windows in Whonix. 
Right-click on the Pidgin related icon in your Taskbar and select “Blink on New Message.”

Finally, to quit Pidgin, you need to do more than close your message windows or Buddy List 
window. Right-click on the Pidgin related icon in your Taskbar and select “Quit.”


You've reached the end of the chapter on Pidgin and OTR. For future reference, remember these points.

1. Do not ever use a screen name that you have used outside of Whonix. Additionally, do not choose a screen name that can be correlated to your identity.

2. Make sure the Jabber provider you use implements the proper encryption protocols at every level. Resources on the net will tell you if it does or does not. (calyxinstitute.org currently passes the test).

3. If you aren't using Off-The-Record encryption during your chat sessions, assume that they are being logged and that anyone can read them.

4. Just because you are using Off-the-Record encryption, don't assume that the person you are chatting with isn't logging your conversation. As with any other communication technology, do not share any real information about yourself which could identify you.

5. If anyone you've ever chatted with via Off-the-Record encryption changes from a “Verified” to an “Unverified” status, assume you are talking to an impostor.

6. DO NOT USE PIDGIN TO STORE PASSWORDS! All passwords and account details stored by Pidgin are unencrypted. If your machine is compromised by an attacker, they could gain access to your screen name by viewing Pidgin's configuration files if you use Pidgin to store passwords. Only use KeePassX to store your passwords.

Now you are ready to continue on to the next chapter that deals with one of the more 
underused technologies by beginners, anonymous email and GPG encryption.

Continue to Chapter 4F - Encrypted email with Icedove and Enigmail.