Your Weekly Security Tip: OTR!

In the last episode, I talked about CryptoCat, which allows for secure, ephemeral, group chats in a browser plug-in. Today I want to give you abrief introduction to OTR, or off-the-record messaging, which some folks at the summit were trained on.


Yes we scan – PRISM surveillance program protest at Checkpoint Charlie

OTR is a protocol that allows for two people using certain chat protocols (such as Gchat or XMPP) to chat securely and encrypted. The main non-technical difference between CryptoCat and OTR is that OTR allows for end-to-end encryption wherein each person possesses their own key.


Take a deep breath. Let me start over: The reason you might want to use OTR is that it allows you to have a chat with someone that only you and that person can see. The encryption means that the chat cannot be intercepted by government agencies, hackers, or other adversaries. Key verification adds another layer of security, because it allows you to ensure that the other person you're chatting with is who they say they are, and not some stranger impersonating them.

Okay, I think I get it. So how do I use OTR?

OTR is available for Mac, and Windows users. It's also available for Android phones.

  • If you use Mac, OTR is available with a chat client called Adium. Here's how to install it.
  • If you use Windows, it's available with a chat client called Pidgin. Here's what to do.
  • If you use an Android phone, you can use an app called ChatSecure (but please note that it can be a bit buggy, so this isn't the best bet for beginners).

I've installed Adium/Pidgin/ChatSecure. What next?

First, pick your chat client.* If you're already using Gchat, that's the easiest way to start quickly and learn, or you can create a Jabber account (Try Dukgo or check out this list)

Please read the guides linked above (or the guides in Security in a Box!) to understand how to use the tools. If you don't understand something in the guides, let me know so I can fix it. Then, once you're ready…

LET'S TEST IT! Ask your friend to install any previously mentioned client, and chat them up for a test.

*Unfortunately, Google is being mean and has stopped allowing Gchat users to chat securely with users of other protocols. This means you can have an encrypted Gchat-to-Gchat conversation, or one between two Jabber clients, but not Gchat-to-Jabber or Facebook-to-Jabber.

Start the conversation

Authors, please log in »


  • Please treat others with respect. Comments containing hate speech, obscenity, and personal attacks will not be approved.