The Shœstring Foundation Weblog

The Shœstring Foundation Weblog, Miscellaneous Byproducts

Matthias Bauer
bauerm (at) shoestringfoundation · org

Sun, 28 Dec 2014

Off-the-Record Internet Relay Chat

As everybody but the worst conspiracy theorist knows, everything sent over the Internet is recorded and can be used against us (the buzzing noise you're hearing is an armed drone circling the building).

Encrypting, e.g., Internet Relay Chat à la PGP would protect the message on the wire from eavesdropping. But if the message is recorded (which it is), then a compromise of the involved secret keys would allow decryption at a later date. And since thorough inspection of laptops at airports is routine, we can assume that keys do get compromised now and then. With classical public key crypto, the potentially incriminating content is also digitally signed, so it can be used as strong evidence against the utterer.

Can we make conversations on the Internet more like private conversations, which are not normally recorded and where utterances are not signed? This was answered in the affirmative in Borisov, Goldberg and Brewer's paper Off-the-Record Communication. And there's an implementation.
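How OTR gets both properties asked for above, as an added sketch (not code from this post, the paper or python-potr): fresh Diffie-Hellman exponents per session instead of a long-term decryption key, and a shared-key MAC instead of a signature. The group parameters, the SHA-256 keystream and all function names are constructed stand-ins for OTR's real 1536-bit group, AES-CTR and wire format.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, constructed for this example: 2**521 - 1 is a
# Mersenne prime. Real OTR uses a standardized 1536-bit group.
P, G = 2**521 - 1, 3

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2      # ephemeral exponent, never stored
    return x, pow(G, x, P)

def session_keys(my_priv, their_pub):
    """Both sides derive the same (enc_key, mac_key) from the shared secret."""
    raw = pow(their_pub, my_priv, P).to_bytes(66, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()

def keystream_xor(key, ctr, data):
    """SHA-256 in counter mode, a stand-in for the AES-CTR that OTR uses."""
    stream = b""
    for block in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + ctr.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(keys, ctr, plaintext):
    """Encrypt, then authenticate with a shared-key MAC, not a signature."""
    enc_key, mac_key = keys
    ct = keystream_xor(enc_key, ctr, plaintext)
    return ctr, ct, hmac.new(mac_key, ctr.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def unseal(keys, msg):
    enc_key, mac_key = keys
    ctr, ct, tag = msg
    good = hmac.new(mac_key, ctr.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("MAC check failed")
    return keystream_xor(enc_key, ctr, ct)

def demo():
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    alice, bob = session_keys(a_priv, b_pub), session_keys(b_priv, a_pub)
    sent = seal(alice, 1, b"meet at noon")
    received = unseal(bob, sent)
    # Deniability: Bob can produce the byte-identical message himself, so a
    # recorded (ciphertext, tag) pair does not prove that Alice wrote it.
    bob_can_forge = seal(bob, 1, b"meet at noon") == sent
    # Forward secrecy: a later exchange uses new exponents and unrelated keys;
    # once the old exponents are discarded nothing long-lived decrypts `sent`.
    next_keys = session_keys(dh_keypair()[0], dh_keypair()[1])
    return received, bob_can_forge, next_keys != alice
```

In real OTR the long-term key only signs the key exchange, so seizing it later neither decrypts recorded traffic nor yields a signature over any utterance.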

A working constellation for OTR conversation on IRC consists of

  1. a pure Python implementation of OTR in the module python-potr
  2. weechat IRC client
  3. Python plugin for weechat
  4. script which adds a /OTR command to the standard IRC commands, to initiate OTR conversations etc.

There are other clients supporting OTR, e.g. pidgin and irssi, as packaged for various Linux distributions.

For private conversations on IRC I would strongly suggest using OTR.

Update (Dec 28 2014)

The Weechat OTR plugin is at github now:
as is the python otr module:
There are serious interoperability problems between various implementations. What seems to work is

version 1.0.1
python-otr (potr)
version 1.0.1 (the VERSION in the says (1,0,0, 'final') whereas the version in says '1.0.1')
version 1.5.0
With the /otr policy:
allow_v2 (allow OTR protocol version 2) : on
html_escape (escape HTML special characters in outbound messages) : off
html_filter (filter HTML in incoming messages) : on
log (enable logging of OTR conversations) : on
require_encryption (refuse to send unencrypted messages) : on
send_tag (advertise your OTR capability using the whitespace tag) : on
