
Tutorial: XMPP/Jabber OTR

Hey guys. Dave here again, back to teach you how to chat safely and securely via the XMPP/Jabber messaging protocol. This tutorial will be done on Windows 7, but the same steps should carry over to Linux distros and Mac OS X.

The first thing you are going to want to do is download the XMPP client called Pidgin. This can be downloaded here. Once it is downloaded, run the installer to completion.


Once it is installed, start up Pidgin. You will be presented with two different windows. Ignore them for now. We first have to go grab the software that will allow us to chat securely. It is called OTR, which stands for Off-the-Record messaging, and can be downloaded here.

Download and install it. Make sure that the Pidgin application is fully closed, on both your screen and the taskbar, before installing OTR.


Great. OTR and Pidgin are now installed! No more downloads from here out in the tutorial, just a few simple configurations to Pidgin. The first thing we need to do is make the OTR plugin active in Pidgin. Do this by opening Pidgin, going to the “Tools” drop down, selecting “Plugins”, and clicking on the checkbox next to “Off-the-Record Messaging”.


Once we are done with that, we can enter our XMPP account details and start chatting, or make a new account if you do not have one. If you need a list of free XMPP service providers, you can get one at this link.

For the example, I will make a new account with the wtfismyip.com service. You can register through the client, like I will show you how to do, or you can register online from this link.

The first step to register from the client is to enter the username, password, and domain. The username and password will be of your choosing, but the domain will be “wtfismyip.com” without the quotation marks. The “Resource” box should be left blank. Next, check the “Create this new account on the server” box at the bottom of the screen. It should look something like this.


The next step, to be even more secure, is to set Tor as a SOCKS5 proxy, so that not only are the messages encrypted with OTR, but the traffic is encrypted with Tor. To do that, click on the “Proxy” tab, and set your “Host” and “Port” accordingly. Make sure that Tor is running as well, or you will get connection errors!

Once this is done, click on the “Add” button, go back to the “Buddy List”, click on the “Accounts” drop down, click on “Manage Accounts”, and finally click the checkbox next to your account. This will send the request to the server, and ask you to confirm your new account.


If an error pops up, don’t be worried. Sometimes there is an error with the server, and you will have to register online. This has happened to me several times, and is normal. Just register on the website of the XMPP host you are using.

Once you have done all of this, you need to add your buddy and get in a chat with him or her. I will be using a fake account for this example, but the same actions transfer over to when you chat with a real account. All you need to do is click on the “OTR” button in the chat room, and click “Start a Private Conversation”. Wait a few seconds, and just like that, you are chatting securely via XMPP.
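Added example, not part of the original tutorial: a quick check that a SOCKS5 proxy is actually answering on the host and port entered in the “Proxy” tab, which is the usual cause of the connection errors mentioned above. The default of 127.0.0.1:9150 is an assumption taken from the Tor Browser address given in the comments, and the function names are made up for this example.

```python
import socket

def parse_method_reply(reply: bytes):
    """Classify the 2-byte answer (VER, METHOD) to a SOCKS5 greeting, RFC 1928."""
    if len(reply) < 2:
        return False, "connection closed before a full reply: not a SOCKS5 proxy"
    version, method = reply[0], reply[1]
    if version != 0x05:
        return False, "reply version 0x%02x, expected 0x05: not a SOCKS5 proxy" % version
    if method == 0x00:
        return True, "SOCKS5 proxy accepted 'no authentication'"
    if method == 0xFF:
        return False, "SOCKS5 proxy rejected every offered auth method"
    return False, "SOCKS5 proxy chose unexpected method 0x%02x" % method

def probe_socks5(host="127.0.0.1", port=9150, timeout=5.0):
    """Send a SOCKS5 greeting offering only 'no auth' and classify the answer.

    No destination is requested, so nothing is relayed through the proxy.
    The host/port defaults are assumptions; use the values from the Proxy tab.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, METHOD=0 (no auth)
            reply = b""
            while len(reply) < 2:
                chunk = sock.recv(2 - len(reply))
                if not chunk:          # peer closed the connection early
                    break
                reply += chunk
    except OSError as exc:             # refused, timed out, unreachable
        return False, "cannot reach %s:%d (%s): is Tor running?" % (host, port, exc)
    return parse_method_reply(reply)

if __name__ == "__main__":
    ok, detail = probe_socks5()
    print(("OK: " if ok else "FAIL: ") + detail)
```

A passing check only shows that a SOCKS5 listener accepts unauthenticated clients on that port; it does not prove the listener is Tor.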


I hope this tutorial has been helpful, and as always, if you have any questions or problems, feel free to post a comment, and I will do my best to help. Thank you so much.

19 comments

  1. Worth mentioning that you can add a little more security by using ofkztxcohimx34la.onion instead of wtfismyip.com as the server :)

    TheRealDeal Market also offers Jabber based notifications to vendors btw ;)

  2. Thanks mate, well appreciated, easy steps to follow

  3. Sounds like a good chat service, but just like privnote, how do we know this third party provider isn’t keeping records of chat logs? I mean they can swear up and down it’s off the record, but real OPSEC means never ever trust sensitive info in the hands of a third party. If users were to encrypt everything they input into this service then yea it would be useful.

  4. I am using Psi plus portable + Tor + GPG4USB. It’s cool!

  5. Of course the users should be encrypting on both ends. How else would you know if the person you are chatting with is who he / she claims to be ? The Feds used unencrypted chat between Ross and the dirty agents to nail all of them. Sometimes they encrypted, sometimes they didn’t. History teaches us to always encrypt.
    The same goes for email services or markets that provide auto-encryption. Do you really want to trust that 3rd party to encrypt your plain text for you ? Hell no. You paste your encrypted text on to the 3rd party site.

  6. Pidgin with OTR is great, it’s end to end encrypted, so even those running the servers can’t read it. For the ultra-paranoid, PGP encrypt your messages too. Even easier than Pidgin IMO is CryptoCat, a firefox addon that is end to end encrypted too. I think if you install CryptoCat into the Tor browser, PGP encrypt your messages, and use a VPN before Tor, you’ve got pretty much unassailable privacy.

  7. Sorry for the noob question. But how do you find out your host and port?

  8. @LEWISL; just use the example as given here. You need to have the Tor browser running already for it to work (because the Tor browser runs Tor itself, which you then connect on 127.0.0.1:9150)

  9. How about setting up a private Jabber server and chatting with PGP? It’s totally easy and fast…

  10. After I’ve selected OTR the option is Configure Plugin or cancel. You don’t say what to do at that point. Anybody?

  11. The link for the OTR plugin is not working; even on the Pidgin website the OTR plugin is not available. Does anyone know whether it is still possible to log in to an OTR server so that data will be encrypted?
    Thanks beforehand

  12. Looking for help with this one please.
    I have Win7 installed, Pidgin 2.10.12, OTR 4.0.1 and my XMPP account is connecting fine through an onion server, and I can “talk” with another two users without enabling OTR; One user in the USA and another closer to home.
    We have exchanged fingerprints via other means, so can verify via this means.
    After I verify either user’s keys, Pidgin gives me the Green Private conversation icon. Also within the OTR plugin I can see that the keys of each user have been correctly verified, and ditto at their end too.
    Once we both go Private the other users can only see my text as a jumbled encrypted mess.
    Both these other users of course use a different ISP, and Jabber server too.
    In one case the other user was my son, and we setup his laptop at my place before he left to verify connection etc etc.
    If I choose to verify via a secret question/answer or secret statement, the result is still the same.
    I’m very frustrated by this and about to give up on Pidgin & OTR, especially as I get the same result from both users.
    Anyone with ideas, I’d be pleased to listen.

  13. Great, all working and using an XMPP server from Russia

    Thanks

  14. THANK YOU SO MUCH FOR THE HELP

  15. Can I transfer files in my chat, bypassing the Windows firewall, with this method?

  16. Is this info still updated enough to be secure?
