How-to: Using Calyx's Jabber/XMPP server via its Tor hidden service with Pidgin and Off The Record (OTR)

This document explains how to use Calyx's Jabber/XMPP server via its Tor hidden service, using the Pidgin instant messaging client with OTR for end-to-end encryption. A working Tails system is a prerequisite for the rest of this How-to: on Tails, all traffic is forced over the Tor network, so we can skip explaining how to set that up. Instructions for getting started with Tails are available here.

Some background and prerequisites:

Tails is a specialized Linux distribution that you can run from a USB stick or from a DVD. Tails stands for "The Amnesic Incognito Live System". It is 'amnesic' because it will not remember anything about you or what you did unless you explicitly tell it to. It is 'incognito' because it sends all your traffic over the Tor anonymity network by default.

Pidgin is an open-source multi-platform instant messaging client. Pidgin is included with the Tails distribution.

Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol for instant messaging conversations. It provides end-to-end encryption (the server relaying the messages cannot read them), authentication of the other party by key fingerprint, and forward secrecy, since each conversation uses fresh session keys that are discarded afterwards.

Now let's jump right in.

Step 1: Start with a fresh installation of Tails Linux on a USB stick

I am assuming that you have installed Tails on a USB stick, booted from it, and connected to the Internet.

Step 2: Run Pidgin and create a new account over the Tor hidden service

First run Pidgin and open the 'Manage accounts' menu item, then choose 'Add a new account'. We will use a placeholder username, 'example'. At the end of this tutorial you will have a working XMPP account with the Jabber ID 'example@jabber.calyxinstitute.org'.

After filling in the new account screen, click on the 'Advanced' tab and fill in 'Connect Server' with the Tor hidden service address of the Calyx Jabber/XMPP server, which is ijeeynrc6x2uy5ob.onion. (This is a 16-character 'v2' onion address; Tor has since retired v2 onion services, so current Tor clients cannot reach it and you should use whatever address Calyx publishes now.) Using the onion address here rather than the public hostname means the connection is made to the server inside the Tor network and never exits to the clearnet. Be sure that the 'Create this new account on the server' checkbox is selected.

When that's done, click the 'Add' button in the lower right hand side of the window.

Within a few moments, a new window will pop up titled 'Create a new account'. Fill in the username part of your Jabber ID and the password you want. Then hit the 'OK' button.

If all goes well, after you hit 'OK' another window will appear saying 'Registration successful'. Now all you have to do is enable that account within Pidgin's 'Manage accounts' screen and add your contacts.
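Where the settings from this step land on disk, as an added example rather than a file from the page: Pidgin (libpurple) keeps its accounts in ~/.purple/accounts.xml. The element and setting names below are from my recollection of libpurple's format, so check them against the file your own Pidgin writes before relying on them; the password is left out so Pidgin prompts for it, and the per-account proxy block points at Tor's local SOCKS port, which is what Tails already configures globally.

```xml
<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
	<account>
		<protocol>prpl-jabber</protocol>
		<!-- Jabber ID plus a trailing slash; Pidgin appends the resource after it -->
		<name>example@jabber.calyxinstitute.org/</name>
		<settings>
			<!-- the 'Connect Server' field from the Advanced tab: the onion name,
			     not the clearnet host, so the connection never leaves Tor -->
			<setting name='connect_server' type='string'>ijeeynrc6x2uy5ob.onion</setting>
			<setting name='port' type='int'>5222</setting>
		</settings>
		<!-- The onion name can only be resolved inside Tor, so the proxy must be
		     a SOCKS proxy with remote name resolution ('tor' or 'socks5'), never
		     'none'. Assumed Tor SOCKS port: 127.0.0.1:9050. -->
		<proxy>
			<type>tor</type>
			<host>127.0.0.1</host>
			<port>9050</port>
		</proxy>
	</account>
</account>
```

A quick check after saving the account is to confirm that connect_server in this file is the onion name and not jabber.calyxinstitute.org; if the clearnet name is there, Pidgin will connect to the public server over Tor exit nodes rather than to the hidden service.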

Step 3: Using the account and ensuring OTR is always used

To actually send messages over the Calyx server, you need the OTR Messaging plugin installed and enabled in your Pidgin client, and your client configured so that it always sends OTR-encrypted messages. The Calyx server rejects messages that are not OTR-encrypted: the sender gets an informational error message, and the message is discarded rather than delivered to your contact.
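How a relay can tell an OTR message from plaintext, as an added Python example (this is not Calyx's server code, which the page does not show): it classifies an XMPP message body using the framing the OTR specification defines, and applies the page's "reject anything not OTR-encrypted" rule to it. The "forward the handshake and queries" part of relay_decision is my reading of that rule, since a client has to be able to send those before the first encrypted message exists. The sample bodies are constructed; the data message is shape-only.

```python
import base64
import binascii
import re

# Framing defined by the OTR protocol specification (versions 2 and 3):
#   encoded protocol message:  "?OTR:" + base64(payload) + "."
#   query (offer of OTR):      "?OTRv23?", "?OTR?v2?", "?OTR?"  (readable text)
#   error:                     "?OTR Error: <text>"              (readable text)
#   whitespace tag:            an invisible run of spaces/tabs a client may
#                              append to plaintext to advertise OTR support
WHITESPACE_TAG = "\x20\x09\x20\x20\x09\x09\x09\x09\x20\x09\x20\x09\x20\x09\x20\x20"
QUERY_RE = re.compile(r"^\?OTR(\?|v\d*\?|\?v\d*\?)")

# Byte 3 of an encoded payload (after the 2-byte protocol version) is the type.
ENCODED_TYPES = {
    0x02: "dh-commit",
    0x0a: "dh-key",
    0x11: "reveal-signature",
    0x12: "signature",
    0x03: "data",          # the only type that carries conversation content
}


def classify(body):
    """Describe an XMPP <body> string the way an OTR-aware relay sees it.

    Returns a dict with 'kind' and 'readable' (True when the server operator,
    or anyone between the two clients, could read the conversation content).
    """
    if body.startswith("?OTR:") and body.endswith("."):
        try:
            raw = base64.b64decode(body[5:-1], validate=True)
        except (ValueError, binascii.Error):
            return {"kind": "malformed", "readable": True}
        if len(raw) < 3:
            return {"kind": "malformed", "readable": True}
        version = int.from_bytes(raw[0:2], "big")
        kind = ENCODED_TYPES.get(raw[2], "unknown")
        return {"kind": kind, "version": version, "readable": False}
    if QUERY_RE.match(body):
        return {"kind": "query", "readable": True}
    if body.startswith("?OTR Error:"):
        return {"kind": "error", "readable": True}
    if WHITESPACE_TAG in body:
        # Still plaintext: the tag only says "I can do OTR", it encrypts nothing.
        return {"kind": "tagged-plaintext", "readable": True}
    return {"kind": "plaintext", "readable": True}


def relay_decision(body):
    """'OTR required' policy (my reading of the page's description, not Calyx's
    code): forward the handshake, queries and encrypted data; bounce anything
    whose content is readable."""
    info = classify(body)
    if info["kind"] in ENCODED_TYPES.values() or info["kind"] == "query":
        return ("forward", info["kind"])
    return ("reject", info["kind"])


# Constructed samples. The "data" payload is shape-only (version 2, type 3,
# zero-filled): a real data message carries flags, counters and a MAC.
SAMPLE_DATA = "?OTR:" + base64.b64encode(b"\x00\x02\x03" + bytes(40)).decode() + "."
SAMPLE_DH_COMMIT = "?OTR:" + base64.b64encode(b"\x00\x03\x02" + bytes(8)).decode() + "."
SAMPLES = [
    "hello, are you there?",
    "hello" + WHITESPACE_TAG,
    "?OTRv23?",
    SAMPLE_DH_COMMIT,
    SAMPLE_DATA,
    "?OTR Error: Malformed message",
    "?OTR:not*base64.",
]

if __name__ == "__main__":
    for body in SAMPLES:
        action, kind = relay_decision(body)
        print("%-8s %-18s %r" % (action, kind, body[:24]))
```

Note what the tagged-plaintext case shows: the whitespace tag only advertises OTR support, and the text around it is as readable as any other message, so a policy that keyed on "contains OTR markers" rather than "is an encoded OTR message" would wave plaintext through.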

Go to the Plugins menu:

Scroll down through the list of plug-ins until you get to "Off-the-Record Messaging". Make sure the checkbox next to it is ticked so that the plugin is enabled.

Double-click on the "Off-the-Record Messaging" plugin and its preferences window will open.

First, make sure the right account is selected under "My private keys". Generate a key if you don't have one already. Make a note of your key's fingerprint (the 40 hex digits Pidgin shows, as five groups of eight): your contacts will need it later to verify that they are really talking to you. Remember that your buddy must also follow all of these steps before you can have an encrypted conversation. On Tails, note that the key and the list of verified fingerprints live in ~/.purple, which is wiped at shutdown unless you enable the Pidgin feature of Tails' Persistent Storage; without it you will generate a fresh key, with a new fingerprint, every time you boot.

Next, change the "Default OTR Settings" as follows:

1) Require private messaging: Pidgin refuses to send a message to a contact until an OTR session is established, so nothing leaves your client in plaintext.
2) Automatically initiate private messaging: Pidgin offers OTR as soon as a conversation opens, rather than waiting for you to start it by hand.

By default, OTR-encrypted conversations are not logged to disk ("Don't log OTR conversations" is checked). Think carefully before enabling logging: a plaintext log on disk undoes the protection the encrypted transport gives you.

Step 4: Communicating with your contacts using OTR encryption, and authenticating key fingerprints

Close the Plugins window. Next, go to the 'Buddies' menu of Pidgin and select 'Add a Buddy'. When it asks for the buddy's username, enter their full Jabber ID, something like nickcalyx@jabber.ccc.de.

Start a conversation with your buddy. When the window opens you will notice that near the lower right-hand corner there is an icon with a warning symbol that says "Unverified". Click on that icon and select "Start private conversation". Assuming the software on the other end is also configured to use Off-the-Record, you should then get a notification saying something like "Unverified conversation with nickcalyx@jabber.ccc.de started." What has happened is that the two clients have run OTR's authenticated key exchange: they exchanged their long-term public keys, used them to sign a Diffie-Hellman exchange, and derived ephemeral session keys from it for the encrypted conversation. "Unverified" means the exchange succeeded, but nothing yet ties the key on the other end to the person you think you are talking to.

Click on the "Unverified" icon again, but this time select "Authenticate Buddy". This is where fingerprints come in: Pidgin shows you the fingerprint of the key your buddy is using, and your buddy's client shows them yours (the one you noted earlier). To be sure that the buddy you are chatting with is really who you think it is, and not an impersonator or someone in the middle, you each confirm the other's fingerprint over a channel that the XMPP server cannot tamper with, preferably offline. Some options for confirming people's OTR fingerprints include:

1) via GPG encrypted email
2) in person, face to face
3) over the telephone when you know their voice well enough to know it's really them on the phone
4) when their OTR fingerprint is listed on their website / twitter profile / printed on their business card

Pidgin supports three methods of authentication: Question and Answer, Shared Secret, and manual fingerprint verification. The first two run the Socialist Millionaire Protocol, which lets both sides learn whether they entered the same secret without revealing the secret to each other or to anyone in between. If you know that the person on the other end is also using Pidgin, you can choose any of the methods. Be aware that if you choose Shared Secret or Question and Answer, the secret or answer must match exactly (including capitalization and spacing) or verification will fail.

Some other client software, such as Adium, does not support all of these authentication methods. The safest bet in terms of compatibility is to manually verify key fingerprints using one of the channels listed above.
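A check on the fingerprint store that steps 3 and 4 leave behind, as an added Python example (not pidgin-otr's own code): it parses the tab-separated lines libotr writes to ~/.purple/otr.fingerprints (buddy, account, protocol, 40 hex characters, trust), lists the keys you have talked to but never authenticated, and compares a fingerprint received out of band with what the store has seen, after normalizing the spacing and case people use when reading a fingerprint aloud or pasting it into an email. The store contents and the fingerprints are constructed for the example; the file layout is libotr's as I know it, so compare it with your own file before scripting around it.

```python
import hmac
import re

# Line format of libotr's fingerprint store (~/.purple/otr.fingerprints on
# Pidgin), tab separated:
#   buddy <TAB> account <TAB> protocol <TAB> 40 hex chars <TAB> trust
# trust is "verified" (manual check), "smp" (question/shared secret) or empty.
# These lines are constructed for the example; the fingerprints are not real keys.
SAMPLE_STORE = (
    "nickcalyx@jabber.ccc.de\texample@jabber.calyxinstitute.org/\tprpl-jabber\t"
    "0123456789ABCDEF0123456789ABCDEF01234567\tverified\n"
    "alice@jabber.ccc.de\texample@jabber.calyxinstitute.org/\tprpl-jabber\t"
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98\tsmp\n"
    # a second, never-verified key for alice: a new device, or someone in the middle
    "alice@jabber.ccc.de\texample@jabber.calyxinstitute.org/\tprpl-jabber\t"
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF\t\n"
)

TRUSTED = ("verified", "smp")


def normalize_fingerprint(text):
    """Turn a fingerprint as people write it (five groups of eight, any case,
    stray spaces or colons) into the 40 upper-case hex chars libotr stores."""
    hexchars = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexchars):
        raise ValueError("not a 160-bit OTR fingerprint: %r" % (text,))
    return hexchars


def display_fingerprint(hexchars):
    """Format as Pidgin shows it: 01234567 89ABCDEF 01234567 89ABCDEF 01234567."""
    fp = normalize_fingerprint(hexchars)
    return " ".join(fp[i:i + 8] for i in range(0, 40, 8))


def parse_store(text):
    """Parse the store into dicts; rejects lines that are not five tab fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError("line %d: expected 5 tab-separated fields" % lineno)
        buddy, account, protocol, fp, trust = fields
        entries.append({"buddy": buddy, "account": account, "protocol": protocol,
                        "fingerprint": normalize_fingerprint(fp), "trust": trust})
    return entries


def unverified_keys(entries):
    """Keys you have talked to but never authenticated: the ones to confirm
    out of band before trusting anything said under them."""
    return sorted((e["buddy"], e["fingerprint"]) for e in entries
                  if e["trust"] not in TRUSTED)


def check_out_of_band(entries, buddy, claimed):
    """Compare a fingerprint the contact gave you over another channel with the
    keys libotr has seen for them. Returns 'match', 'mismatch' or 'unknown'."""
    want = normalize_fingerprint(claimed)
    seen = [e["fingerprint"] for e in entries if e["buddy"] == buddy]
    if not seen:
        return "unknown"
    # compare_digest keeps the comparison time independent of where the strings differ
    if any(hmac.compare_digest(fp, want) for fp in seen):
        return "match"
    return "mismatch"


SAMPLE_ENTRIES = parse_store(SAMPLE_STORE)

if __name__ == "__main__":
    for buddy, fp in unverified_keys(SAMPLE_ENTRIES):
        print("UNVERIFIED %s %s" % (buddy, display_fingerprint(fp)))
    print(check_out_of_band(SAMPLE_ENTRIES, "nickcalyx@jabber.ccc.de",
                            "01234567 89abcdef 01234567 89abcdef 01234567"))
```

The interesting row is alice's second key: libotr records every key a buddy has used, so a contact who suddenly has an extra unverified entry has either changed devices or is being impersonated, and only an out-of-band comparison of the new fingerprint tells you which. On Tails the store is gone at shutdown unless Pidgin persistence is enabled, so run this kind of check before you shut down, not after.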

-end-