Off The Record - what it is and why we recommend it for communications security

Off The Record (OTR) is an encryption protocol often used for secure instant messaging. We require users to use end-to-end OTR encryption first and foremost to protect their own privacy and to secondly to protect the operators of the server.

OTR has several notable properties which we think are worth taking a look at:

1. End to end encryption - When you use Off the Record to encrypt your instant messaging you are encrypting from end-to-end. That is to say, the only two parties that can decrypt the messages are the two people having the conversation over instant messaging. Third parties who might be able to overhear or capture the traffic but do not have access to the encryption keys are unable to understand the concent of the conversation. This protects the participants in the conversation, and it also protects the service provider since it cannot be forced or coerced into spying on its users.

2. Developed by independent cryptographers - Unlike other encryption protocols, such as Secure Socket Layers (SSL), which was built through the bureaucracy of the Internet Engineering Task Force, OTR came out of the CypherPunk movement. There has been concern in the wake of the Snowden revelations that some of the more formally developed IETF and NIST standards for encryption may have been intentionally weakened for the purpose of being able to maintain surveillance. The Cypherpunk-developed OTR was much less influenced by outside forces such as government agencies and standards bodies.

3. Designed to be resistant to decryption after the fact - OTR implements a cryptographic property known as "Foward Secrecy". In traditional public key encryption systems, data was encrypted using the private key of each communicating party. If that private key was later compromised and fell into the hands of an adversary, the encrypted traffic (if it had been captured) could be decrypted after the fact. Forward Secrecy works in a different way. It uses what are called 'session keys' for encrypting the data. The session keys are ephemeral, meaning that they only exist for a short time and then they are discarded. The session keys are securely negotiated between the two communicating parties for each communications session and are derived from the private keys, but are for one time use only. At the end of each session, the session keys get thrown away and new session keys are negotiated. Therefore capturing the private key does not help an adversary decrypt the communications after the fact, since they would also need the session keys for each session, but those are constantly changing and being thrown away.

Many XMPP clients support OTR encryption.

Some recommended options are:

ChatSecure for Apple iOS or Android*

Pidgin available for Windows, Mac OS X, and Linux

Adium for Mac OS X only

Jitsifor Windows, Mac OS X, and Linux

* ChatSecure for Android has a special "Burner Account" option which will automatically create an account on the Calyx Jabber server over Tor using a randomized username