Keeping your conversations secret with encryption

Profanity has another cool feature that sets it apart from the native chat, Google Chat, namely Off-the-Record Messaging (OTR). This encryption protocol allows you to send secret messages to your friends that even Google itself wouldn't be able to decipher.

OTR support and plugins are available for many instant messaging applications, so it is by no means a requirement for your friends to run Profanity on a Raspberry Pi. Take a look at http://en.wikipedia.org/wiki/Off-the-Record_Messaging for a partial list of client software. The following are the steps to send secret messages:

  1. The first thing we're going to do is generate your private key for the chat service over which you'd like to send encrypted messages, as each service requires its own key. You can think of the private key as something that will unlock your secret conversations.

    Connect to your chat service of choice, then type the following command (this may take a good few minutes to run):

    > /otr gen
    
  2. Now we can try to initiate an encrypted OTR conversation with this command:

    > /otr start "Your Friend"
    

    If your friend's client supports OTR, it should automatically detect that you want to establish a secure channel and enable encryption.

    You should now see that the encryption indicator in the blue top bar next to your friend's name has changed from [unencrypted] to [OTR] [untrusted].

    Your conversation is now encrypted until either you or your friend ends the OTR session with the /otr end command.

  3. However, how do you know that your friend is indeed your friend and not a sneaky agent simply logged in to your friend's account? That's where the authentication feature of OTR comes in handy.

    There are three methods available in Profanity to help you verify that your friend is really who you think they are:

    Fingerprint verification: This is the classic method that all OTR-capable clients should support. An OTR fingerprint is like an identification string that is unique to your private key.

    Type the following command to view your OTR fingerprint:

    > /otr myfp
    

    Now your friend does the same on their end. Then you two need to find a way to communicate each other's fingerprints outside of the chat. You could scribble them down and meet up for coffee, or, if you're not quite as paranoid, call up your friend and exchange the last four characters of your fingerprints.

    To see if your friend's fingerprint checks out, type the following command while in the OTR chat window:

    > /otr theirfp
    

    If it matches what your friend told you, you would use the following command to flag your friend as trusted:

    > /otr trust
    

    You should now see that the encryption indicator on the blue top bar next to your friend's name has changed from [untrusted] to [trusted].

    Question and answer: This method allows you to verify the identity of your friend by asking a question and receiving the expected answer. For example:

    > /otr question "Which berry is essential to me?" raspberry
    

    Your friend will be presented with the question in quotes. If your friend issues the following command:

    > /otr answer raspberry
    

    you should then see that the encryption indicator on the blue top bar next to your friend's name has changed from [untrusted] to [trusted].

    Shared secret: This method allows you to verify the identity of your friend with a password that you two have agreed upon outside of chat. For example:

    > /otr secret squirrel
    

    Your friend will be prompted to provide a secret using the same command, and if it matches you should see that the encryption indicator on the blue top bar next to your friend's name has changed from [untrusted] to [trusted].

  4. Once you've established an encrypted, trusted conversation with your friend, you may want to ensure that any future conversations with that friend are always OTR enabled. We do this by changing the OTR policy with the following command:

    > /otr policy always "Your Friend"
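
The fingerprint comparison from step 3, as an added example that is not part of the original text or of Profanity: it checks the value shown by /otr theirfp against what your friend told you and reports how many bits of the fingerprint were actually compared. It assumes the usual OTR display of 40 hex digits in five groups; the function names and both sample fingerprints are constructed for illustration.

```python
import re

FP_HEX_LEN = 40  # assumption: OTR v2/v3 fingerprint = SHA-1 of the public key, 40 hex digits


def normalize_fp(text):
    """Drop spaces/colons and case so differently formatted copies compare equal."""
    fp = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", fp):
        raise ValueError("fingerprint must be hex digits only")
    return fp


def compare_fp(shown_by_client, told_by_friend):
    """Compare the output of /otr theirfp with what your friend told you.

    The friend may give the full fingerprint or only its tail.
    Returns (matches, bits_checked) so the caller sees how much was verified.
    """
    shown = normalize_fp(shown_by_client)
    told = normalize_fp(told_by_friend)
    if len(shown) != FP_HEX_LEN:
        raise ValueError("client fingerprint is not 40 hex digits")
    if len(told) > FP_HEX_LEN:
        raise ValueError("friend's value is longer than a fingerprint")
    tail = shown[-len(told):]
    return tail == told, 4 * len(told)  # each hex digit carries 4 bits


def safe_to_trust(shown_by_client, told_by_friend, min_bits=160):
    """True only if the values match AND enough of the fingerprint was compared."""
    matches, bits = compare_fp(shown_by_client, told_by_friend)
    return matches and bits >= min_bits


# Constructed sample values, not real keys.
FRIEND_FP = "9A3C51F0 44D2B7E8 0C6F1A29 7B55E3D4 1F08C6AB"
OTHER_FP = "27E4B0D9 81A6F35C 5D0279EE C3481B6F 60D2C6AB"  # different key, same last 4

if __name__ == "__main__":
    print(compare_fp(FRIEND_FP, "c6ab"))       # tail matches, only 16 bits checked
    print(compare_fp(OTHER_FP, "C6AB"))        # the same tail also fits a different key
    print(safe_to_trust(OTHER_FP, FRIEND_FP))  # the full comparison tells them apart
```

A four-character match covers 16 of the 160 bits, so the helper only returns a trust decision when the whole fingerprint was compared; lower `min_bits` only if you accept that trade-off.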
    