How To: XMPP OTR Chat with Pidgin

As a short follow-up to my Cryptoparty event post, here is a short explanation of how to get started with XMPP (Jabber) OTR chat with Pidgin, to spread some (very basic) knowledge. I deviate from the advice given at the Cryptoparty, because I did not use Jitsi, but rather Pidgin. The reason for not using Jitsi is simply that my brother advised me not to use it, as it is built with Java. Therefore, I reverted to Pidgin, a messenger client I had already used before, not so long ago. We did not go into the other steps at this Cryptoparty, so I am not sure to what extent they conform with the advice that is usually given there. Anyways… Let’s get started!

Intro: Why bother?

To start with, it is probably a good idea to briefly think about what using OTR (off-the-record) chat is good for. The answer is fairly simple: While the government might not be after YOU – because you have nothing to hide (really nothing?), are an apolitical consumer of plenty of useless stuff that strongly supports GDP growth etc. – some other people might be. Or, in case you are really not that interesting or lucrative a target at all, an automated program written by some other people might be, because the marginal cost of this program going after one more target is close to zero (or simply because the program does not include any option to aim well, as the developer did not bother to include that). OTR chat is one possible building block toward more privacy and security. If you are interested in neither, and neither you nor your friends ever had any related issues and you do not expect that to change in the future either, you can stop reading here.

1. Installing Pidgin

Pidgin is available for Windows, Mac OS and Linux via their own site.*

2. Registering for an XMPP Server

The XMPP server of the CCC would have been my first choice, however, it currently does not allow for any new registrations. One of the reasons for this is that they want to avoid making the problem of (unnecessary) over-centralization of communications infrastructure even worse.

As an alternative, Daniel suggested the server of Duck Duck Go to me, so I took that one. My trust in them is certainly not on the same level as my trust in the CCC, however, as I do not have any serious use for OTR myself at the moment anyways and this is rather about trying things, I thought it was good enough. Duck Duck Go gives a rather detailed explanation on how to register on their XMPP server in this old forum post.

3. Installing the OTR Plugin

The plugin for OTR is (currently?) not included in the standard download package of Pidgin. However, you can easily install it after downloading it from the site. (On most Linux distributions it is packaged separately as pidgin-otr.)

4. Authenticate & Try it out with someone

As a final step, you need to find someone else to chat over OTR with and authenticate the conversation with him or her: either by comparing key fingerprints over a channel you already trust (in person, over the phone), or by both answering a question whose answer only the two of you know. Until you have done this, OTR only tells you the conversation is encrypted, not that it is encrypted to the person you think. This is explained on the cypherpunks site.
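The "question and answer" / "shared secret" form of that authentication is OTR's Socialist Millionaire Protocol (SMP): both sides learn whether they typed the same answer, and nothing else. The script below is an added illustration for this post, not code from the post, from Pidgin or from libotr. It reproduces the algebraic core of SMP (the four message flows and the final comparison) but deliberately omits the zero-knowledge proofs that real SMP attaches to every flow, hashes only the answer rather than the answer plus both fingerprints and the session id, and runs in a toy 128-bit safe-prime group instead of OTR's 1536-bit MODP group. All names (`Party`, `run_smp`, the seed) are this example's own.

```python
"""Simplified Socialist Millionaire Protocol (SMP) equality test.

Added illustration; not code from the post, Pidgin or libotr.  Keeps the
algebraic core of SMP but OMITS its zero-knowledge proofs and uses a toy
128-bit group instead of OTR's 1536-bit MODP group.  For understanding only.
Requires Python 3.8+ (pow(x, -1, p) for the modular inverse).
"""
import hashlib
import random
import secrets

SMALL_PRIMES = [n for n in range(3, 200) if all(n % d for d in range(2, n))]


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test after trial division by SMALL_PRIMES."""
    if n < 4:
        return n in (2, 3)
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 both prime; 4 then generates the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


# Toy group (assumption: 128 bits, not OTR's group), seeded so every run uses the same one.
P, Q = safe_prime(128, random.Random(20130101))
G = 4  # 2^2 mod P, so G has prime order Q


def secret_to_scalar(answer):
    """Exponent derived from the typed answer.  Real SMP also hashes in both
    fingerprints and the session id; hashing only the answer is a simplification."""
    return int.from_bytes(hashlib.sha256(answer.encode()).digest(), "big") % Q


def check_element(v):
    """Real SMP rejects peer values outside [2, P-2]; do the same here."""
    if not 2 <= v <= P - 2:
        raise ValueError("peer sent an invalid group element")
    return v


class Party:
    def __init__(self, answer):
        self.x = secret_to_scalar(answer)
        self.e2 = secrets.randbelow(Q - 1) + 1   # a2 (Alice) / b2 (Bob)
        self.e3 = secrets.randbelow(Q - 1) + 1   # a3 (Alice) / b3 (Bob)

    def exponents(self):                         # flow 1 (Alice) / flow 2 (Bob)
        return pow(G, self.e2, P), pow(G, self.e3, P)

    def receive_exponents(self, g2_peer, g3_peer):
        self.g2 = pow(check_element(g2_peer), self.e2, P)   # g^(a2*b2)
        self.g3 = pow(check_element(g3_peer), self.e3, P)   # g^(a3*b3)

    def pq(self):                                # flow 2 (Bob) / flow 3 (Alice)
        r = secrets.randbelow(Q - 1) + 1
        self.pv = pow(self.g3, r, P)                              # P = g3^r
        self.qv = pow(G, r, P) * pow(self.g2, self.x, P) % P      # Q = g^r * g2^secret
        return self.pv, self.qv

    def _ratio(self, mine, peer, initiator):
        """Both sides form the same Alice/Bob quotient, whoever computes it."""
        a, b = (mine, peer) if initiator else (peer, mine)
        return a * pow(b, -1, P) % P

    def r_value(self, q_peer, initiator):        # flow 3 (Alice) / flow 4 (Bob)
        return pow(self._ratio(self.qv, check_element(q_peer), initiator), self.e3, P)

    def verify(self, p_peer, r_peer, initiator):
        rab = pow(check_element(r_peer), self.e3, P)      # (Qa/Qb)^(a3*b3)
        # equals Pa/Pb = g3^(s-r) exactly when the g2^(x-y) factor vanishes, i.e. x == y
        return rab == self._ratio(self.pv, check_element(p_peer), initiator)


def run_smp(alice_answer, bob_answer):
    """Drive the exchange locally and return (alice_result, bob_result)."""
    alice, bob = Party(alice_answer), Party(bob_answer)
    bob.receive_exponents(*alice.exponents())      # flow 1: Alice -> Bob: g2a, g3a
    alice.receive_exponents(*bob.exponents())      # flow 2: Bob -> Alice: g2b, g3b ...
    pb, qb = bob.pq()                              # ... plus Pb, Qb
    pa, qa = alice.pq()                            # flow 3: Alice -> Bob: Pa, Qa, Ra
    ra = alice.r_value(qb, initiator=True)
    bob_ok = bob.verify(pa, ra, initiator=False)   # Bob learns the result first
    rb = bob.r_value(qa, initiator=False)          # flow 4: Bob -> Alice: Rb
    return alice.verify(pb, rb, initiator=True), bob_ok


if __name__ == "__main__":
    print("same answer:   ", run_smp("blue bicycle", "blue bicycle"))
    print("typo in answer:", run_smp("blue bicycle", "Blue bicycle"))
```

Two things this shows that the how-to alone does not: the answers must match exactly (a capital letter or trailing space fails the check, which is why Pidgin's dialog asks both of you to type it), and the transcript itself reveals neither answer, only blinded group elements. The zero-knowledge proofs omitted here are what stop a cheating peer from sending malformed values to test guesses offline; without them this exchange is an equality test, not an authentication.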

5. ???

6. Profit

You can now chat with a (relatively) higher level of privacy and security! At the very least, compared to most other popular messenger options out there, like Skype, Whatsapp and Facebook Messenger.*

Addendum: Limitations of OTR

OTR is limited to 1-on-1 conversations, which is arguably a pretty severe restriction. OTR generally seems to be regarded as secure, and I do not feel competent to evaluate that further. Important to note is that while OTR itself, and also Pidgin and some other messengers to use it with, are regarded as relatively secure*, Windows, for example, as a closed-source operating system, is definitely not. So the industrial espionage team of your competitor, the secret service of an evil government, the petty cybercriminal, or your tech-savvy stalker could just screw you over via another attack vector. You do not need to make things easier than necessary for them though… right?


* Pidgin itself and Libpurple, a main component of Pidgin, sometimes have their security questioned.