Online security veteran?

  • Online security veteran?

    Advanced guides to enhance your surveillance self-defense skill set.

    Congratulations! You've already taken steps to improve the safety of your online communications. Now you want to take it to the next level, and with this playlist, you can. You'll learn how to understand threats, verify the identity of the person you're communicating with, and add some new tools to your repertoire.

  • Assessing Your Risks

    Trying to protect all your data from everyone all the time is impractical and exhausting. But, do not fear! Security is a process, and through thoughtful planning, you can assess what’s right for you. Security isn’t about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.

    In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This process is called “threat modeling.”

    This guide will teach you how to threat model, or how to assess your risks for your digital information and how to determine what solutions are best for you.

    What might threat modeling look like? Let’s say you want to keep your house and possessions safe, here are a few questions you might ask:

    What do I have inside my home that is worth protecting?

    • Assets could include: jewelry, electronics, financial documents, passports, or photos

    Who do I want to protect it from?

    • Adversaries could include: burglars, roommates, or guests

    How likely is it that I will need to protect it?

    • Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?

    How bad are the consequences if I fail?

    • Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?

    How much trouble am I willing to go through to prevent these consequences?

    • Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?

    Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you may not want to invest too much money in a lock. But, if the risk is high, you’ll want to get the best lock on the market, and consider adding a security system.

    Building a threat model will help you to understand threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.

    What is threat modeling and where do I start?

    Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:

    1. What do I want to protect?
    2. Who do I want to protect it from?
    3. How bad are the consequences if I fail?
    4. How likely is it that I will need to protect it?
    5. How much trouble am I willing to go through to try to prevent potential consequences?

    Let’s take a closer look at each of these questions.

    What do I want to protect?

    An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.

    Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

    Who do I want to protect it from?

    To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

    Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

    Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done threat modeling.

    How bad are the consequences if I fail?

    There are many ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

    The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

    Threat modeling involves understanding how bad the consequences could be if an adversary successfully attacks one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records and thus has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

    Write down what your adversary might want to do with your private data.

    How likely is it that I will need to protect it?

    Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

    It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

    Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

    Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

    How much trouble am I willing to go through to try to prevent potential consequences?

    Answering this question requires conducting the risk analysis. Not everyone has the same priorities or views threats in the same way.

    For example, an attorney representing a client in a national security case would probably be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

    Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

    Threat modeling as a regular practice

    Keep in mind your threat model can change as your situation changes. Thus, conducting frequent threat modeling assessments is good practice.

    Create your own threat model based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your threat model and check back in to assess whether it’s still relevant to your situation.

    Last reviewed: 
  • Choosing Your Tools

    With so many companies and websites offering tools geared towards helping individuals improve their own digital security, how do you choose the tools that are right for you?

    We don’t have a foolproof list of tools that can defend you (though you can see some common choices in our Tool Guides). But if you have a good idea of what you are trying to protect, and who you are trying to protect it from, this guide can help you choose the appropriate tools using some basic guidelines.

    Remember, security isn't about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats. Check out our Assessing your Risks guide for more information.

    Security is a Process, not a Purchase

    The first thing to remember before changing the software you use or buying new tools is that no tool or piece of software will give you absolute protection from surveillance in all circumstances. Therefore, it’s important to think about your digital security practices holistically. For example, if you use secure tools on your phone, but don’t put a password on your computer, the tools on your phone might not help you much. If someone wants to find out information about you, they will choose the easiest way to obtain that information, not the hardest.

    Secondly, it’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. If your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools, you don't need to buy some expensive encrypted phone system that claims to be "NSA-proof." Alternatively, if you face a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tactics—like arranging a set of harmless-sounding, pre-arranged codes to convey messages—rather than risk leaving evidence that you use encryption software on your laptop. Coming up with a set of possible attacks you plan to protect against is called threat modeling.

    Given all that, here are some questions you can ask about a tool before downloading, purchasing, or using it.

    How Transparent is it?

    There's a strong belief among security researchers that openness and transparency leads to more secure tools.

    Much of the software the digital security community uses and recommends is open-source. This means the code that defines how it works is publicly available for others to examine, modify, and share. By being transparent about how their program works, the creators of these tools invite others to look for security flaws and help improve the program.

    Open-source software provides the opportunity for better security, but does not guarantee it. The open source advantage relies, in part, on a community of technologists actually checking the code, which, for small projects (and even for popular, complex ones), may be hard to achieve.

    When considering a tool, see if its source code is available and whether it has an independent security audit to confirm the quality of its security. At the very least, software or hardware should have a detailed technical explanation of how it functions for other experts to inspect.

    How Clear are its Creators About its Advantages and Disadvantages?

    No software or hardware is entirely secure. Seek out tools with creators or sellers who are honest about the limitations of their product.

    Blanket statements that say that the code is “military-grade” or “NSA-proof” are red flags. These statements indicate that the creators are overconfident or unwilling to consider the possible failings in their product.

    Because attackers are always trying to discover new ways to break the security of tools, software and hardware needs to be updated to fix vulnerabilities. It can be a serious problem if the creators are unwilling to do this, either because they fear bad publicity or because they have not built the infrastructure to do so. Look for creators who are willing to make these updates, and who are honest and clear about why they are doing so.

    A good indicator of how toolmakers will behave in the future is their past activity. If the tool's website lists previous issues and links to regular updates and information—like specifically how long it has been since the software was last updated—you can be more confident that they will continue to provide this service in the future.

    What Happens if the Creators are Compromised?

    When security toolmakers build software and hardware, they (just like you) must have a clear threat model. The best creators explicitly describe what kind of adversaries they can protect you from in their documentation.

    But there's one attacker that many manufacturers do not want to think about: themselves! What if they are compromised or decide to attack their own users? For instance, a court or government may compel a company to hand over personal data or create a “backdoor” that will remove all the protections their tool offers. So consider the jurisdiction(s) where the creators are based. If you’re worried about protecting yourself from the government of Iran, for example, a US-based company will be able to resist Iranian court orders, even if it must comply with US orders.

    Even if a creator is able to resist government pressure, an attacker may attempt to break into the toolmakers' own systems in order to attack its customers.

    The most resilient tools are those that consider this as a possible attack and are designed to defend against this. Look for language that asserts that a creator cannot access private data, rather than promises that a creator will not. Look for institutions with a reputation for fighting court orders for personal data.

    Has it Been Recalled or Criticized Online?

    Companies selling products and enthusiasts advertising their latest software can be misled, be misleading, or even outright lie. A product that was originally secure might have terrible flaws in the future. Make sure you stay well-informed on the latest news about the tools that you use.

    It's a lot of work for one person to keep up with the latest news about a tool. If you have colleagues who use a particular product or service, work with them to stay informed.

    Which Phone Should I Buy? Which Computer?

    Security trainers are often asked: “Should I buy Android or an iPhone?” or “Should I use a PC or a Mac?” or “What operating system should I use?” There are no simple answers to these questions. The relative safety of software and devices is constantly shifting as new flaws are discovered and old bugs are fixed. Companies may compete with each other to provide you with better security, or they may all be under pressure from governments to weaken that security.

    Some general advice is almost always true, however. When you buy a device or an operating system, keep your device up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan.

    Now that you’ve considered the threats you face, and know what to look for in a digital security tool, you can more confidently choose tools that are most appropriate for your unique situation.

    Products Mentioned in Surveillance Self-Defense

    We try to ensure that the software and hardware mentioned in SSD complies with the criteria listed above. We have made a good faith effort to only list products that:

    • have a solid grounding in what we currently know about digital security,
    • are generally transparent about their operation (and their failings),
    • have defenses against the possibility that the creators themselves will be compromised, and
    • are currently maintained, with a large and technically-knowledgeable user base.

    We believe that they have, at the time of writing, a wide audience who is examining them for flaws, and would raise concerns to the public quickly. Please understand that we do not have the resources to examine or make independent assurances about their security. We do not endorse these products and cannot guarantee complete security.

    Last reviewed: 
  • Key Verification

    When encryption is used properly, your communications or information should only be readable by you and the person or people you’re communicating with. End-to-end encryption protects your data from surveillance by third parties, but if you’re unsure about the identity of the person you’re talking to, its usefulness is limited. That’s where key verification comes in. By verifying public keys, you and the person with whom you’re communicating add another layer of protection to your conversation by confirming each other’s identities, allowing you to be that much more certain that you’re talking to the right person.

    Key verification is a common feature of protocols that use end-to-end encryption, such as PGP and OTR. On Signal, they're called "safety numbers." To verify keys without the risk of interference, it's advisable to use a secondary method of communicating other than the one you’re going to be encrypting; this is called out-of-band verification. For example, if you are verifying your OTR fingerprints, you might email your fingerprints to one another. In that example, email would be the secondary communications channel.

    Verifying Keys Out-of-band

    There are several ways to do this. If it can be arranged safely and is convenient, it is ideal to verify keys face-to-face. This is often done at key-signing parties or amongst colleagues.

    If you cannot meet face-to-face, you can contact your correspondent through a means of communication other than the one for which you’re trying to verify keys. For example, if you’re trying to verify PGP keys with someone, you could use the telephone or an OTR chat to do so.

    Regardless of the program that you use, you will always be able to locate both your key and the key of your communication partner.

    Although the method of locating your key varies by program, the method of verifying keys remains approximately the same. You can either read your key’s fingerprint aloud (if you are face-to-face or using the telephone) or you can copy and paste it into a communications program, but whichever you choose, it is imperative that you check every single letter and numeral.

    Tip: Try verifying keys with one of your friends. To learn how to verify keys in a specific program, visit that program’s how-to guide.

    Last reviewed: 
  • An Introduction to Public Key Cryptography and PGP

    PGP stands for Pretty Good Privacy. It's actually very good privacy. If used correctly, it can protect the contents of your messages, text, and even files from being understood even by well-funded government surveillance programs. When Edward Snowden says “encryption works,” it's PGP and its related software that he is talking about. It should be noted that it's not unheard of for governments to steal private keys off of particular people's computers (by taking the computers away, or by putting malware on them using physical access or with phishing attacks), which undoes the protection and even allows for reading old mail. This is comparable to saying that you might have an unpickable lock on your door, but somebody might still be able to pickpocket you in the street for your key, then copy it and sneak it back into your pocket—and hence get into your house without even picking the lock.

    Unfortunately, PGP is also pretty bad at being easy to understand, or use. The strong encryption that PGP uses—public key encryption—is ingenious, but hard to wrap your head around. PGP software itself has been around since 1991, which makes it the same vintage as the early versions of Microsoft Windows, and its appearance hasn't changed much since then.

    The good news is that there are many programs available now which can hide the ancient design of PGP and make it somewhat easier to use, especially when it comes to encrypting and authenticating email—the main use of PGP. We've included guides to installing and operating this software elsewhere.

    Before you play around with PGP or other programs that use it, though, it's worth spending a few minutes understanding the basics of public key encryption: what it can do for you, what it can't do, and when you should use it.

    A Tale of Two Keys

    When we use encryption to fight surveillance, here's what we're trying to do:

    We take a clearly readable message like “hello mum.” We encrypt that into a coded message that is incomprehensible to anyone looking at it (“OhsieW5ge+osh1aehah6,” say). We send that encrypted message over the Internet, where it can be read by lots of people, but hopefully not understood by any of them. Then, when it arrives at its destination, our intended recipient, and only our intended recipient, has some way of decrypting it back into the original message.

    How does our recipient know how to decode the message, when nobody else can? It must be because they know some extra information that nobody else knows. Let's call this the decoding key, because it unlocks the message inside the code.

    How does the recipient know this key? Mostly, it's because the sender has previously told them the key, whether it's “try holding the message up in a mirror” or “take each letter and convert it to the next letter in the alphabet.” There's a problem with this strategy though. If you're worried about being spied upon when you send your coded message, how do you send the recipient the key without someone spying on that conversation too? There's no point sending an ingeniously encrypted message if your attacker already knows the key to decoding it. And if you have a secret way to send decoding keys, why don't you just use that for all your secret messages?

    Public-key cryptography has a neat solution for this. Each person in a conversation has a way of creating two keys. One is their private key, which they keep to themselves and never let anyone else know. The other is a public key, which they hand out to anyone who wants to communicate with them. It doesn't matter who can see the public key. You can put it online where everyone can see it.

    The “keys” themselves are, at heart, actually very large numbers, with certain mathematical properties. The public key and private key are connected. If you encode something using the public key, then someone else can decode it with its matching private key.

    Let's see how that might work. You want to send a secret message to Aarav. Aarav has a private key, but like a good public key encryption user, he has put its connected public key on his web page. You download the public key, encrypt the message using it, and send it to him. He can decode it, because he has the corresponding private key – but nobody else can.

    Sign of the Times

    Public key cryptography gets rid of the problem of smuggling the decoding key to the person you want to send a message to, because that person already has the key. You just need to get hold of the matching public, encoding key, which the recipient can hand out to everyone, including spies. Because it's only useful for encoding a message, it is useless for anyone trying to decode the message.

    But there's more! If you encode a message with a certain public key, it can only be decoded by the matching private key. But the opposite is also true. If you encode a message with a certain private key, it can only be decoded by its matching public key.

    Why would this be useful? At first glance, there doesn't seem to be any advantage to making a secret message with your private key that everyone in the world (or at least, everyone who has your public key) can crack. But suppose I wrote a message that said “I promise to pay Aazul $100,” and then turned it into a secret message using my private key. Anyone could decode that message—but only one person could have written it: the person who has my private key. If I've done a good job keeping my private key safe, that means me, and only me. In effect, by encoding it with my private key, I've made sure that it could only have come from me. In other words, I've done the same thing with this digital message as we do when we sign a message in the real world.

    Signing also makes messages tamper-proof. If someone tried to change that “I promise to pay Aazul $100” into “I promise to pay Bob $100,” they would not be able to re-sign it using my private key. So a signed message is guaranteed to originate from a certain source, and not be messed with in transit.

    So public key cryptography lets you encrypt and send messages safely to anyone whose public key you know. If others know your public key, they can send you messages, which only you can decode. And if people know your public key, you can sign messages so that those people will know they could only have come from you. And if you know someone else's public key, you can decode a message signed by them, and know that it only came from them.

    It should be clear by now that public key cryptography becomes more useful, the more people know your public key. It should also be apparent that you need to keep your private key very safe. If someone else gets a copy of your private key, they can pretend to be you, and sign messages claiming that they were written by you. PGP has a feature that lets you “revoke” a private key, and warn people it's no longer trustable, but it's not a great solution. The most important part of using a public key cryptography system is to guard your private key very carefully.

    How PGP Works

    Pretty Good Privacy is mostly concerned with the minutiae of creating and using public and private keys. You can create a public/private key pair with it, protect the private key with a password, and use it and your public key to sign and encrypt text. It will also let you download other people's public keys, and upload your public keys to “public key servers,” which are repositories where other people can find your key. See our guides to installing PGP-compatible software in your email software.

    If there's one thing you need to take away from this overview, it's this: you should keep your private key stored somewhere safe, and protected with a long password. You can give your public key to anyone you want to communicate with you, or who wants to learn whether a message truly came from you.

    Advanced PGP: The Web of Trust

    You may have spotted a potential flaw in how public key cryptography works. Suppose I started distributing a public key that I say belongs to Barack Obama. If people believed me, they might start sending secret messages to Barack, encrypted using the key. Or they might believe anything signed with that key is a sworn statement of Barack. This is quite rare, and yet it has actually happened to some people in real life, including to some of the authors of this document—some people writing to them have been fooled! (We don't know for sure in these instances whether or not some of the people who make the fake keys were really able to intercept the messages in transit and read them, or whether it was the equivalent of a prank to make it more inconvenient for people to have a secure conversation.)

    Another sneaky attack is for an attacker to sit between two people talking online, eavesdropping on their entire conversation, and occasionally inserting the attackers own misleading messages into the conversation. Thanks to the design of the Internet as a system that ferries messages across many different computers and private parties, this attack is entirely possible. Under these conditions (called a “man-in-the-middle attack”), exchanging keys without prior agreement can get very risky. “Here's my key,” announces a person who sounds like Barack Obama, and sends you a public key file. But what's to say someone didn't wait until that moment, jam the transmission of Obama's key, and then insert his or her own?

    How do we prove that a certain key really does belong to a certain person? One way is to get the key from them directly, but that's not much better than our original challenge of getting a secret key without someone spotting us. Still, people do exchange public keys when they meet, privately and at public cryptoparties.

    PGP has a slightly better solution called the “web of trust.” In the web of trust, if I believe a key belongs to a certain person, I can sign that key, and then upload the key (and the signature) to the public key servers. These key servers will then pass out the signed keys to anyone who asks for them.

    Roughly speaking, the more people who I trust that have signed a key, the more likely it is that I will believe that key really belongs to who it claims. PGP lets you sign other people's keys, and also lets you trust other signers, so that if they sign a key, your software will automatically believe that key is valid.

    The web of trust comes with its own challenges, and organizations like EFF are currently investigating better solutions. But for now, if you want an alternative to handing keys to one another in person, using the web of trust and the public key server network are your best option.

    Metadata: What PGP Can't Do

    PGP is all about making sure the contents of a message are secret, genuine, and untampered with. But that's not the only privacy concern you might have. As we've noted, information about your messages can be as revealing as their contents (See “metadata”). If you're exchanging PGP messages with a known dissident in your country, you may be in danger for simply communicating with them, even without those messages being decoded. Indeed, in some countries you can face imprisonment simply for refusing to decode encrypted messages.

    PGP does nothing to disguise who you are talking to, or that you are using PGP to do so. Indeed, if you upload your public key onto the keyservers, or sign other people's keys, you're effectively showing the world what key is yours, and who you know.

    You don't have to do that. You can keep your PGP public key quiet, and only give it to people you feel safe with, and tell them not to upload it to the public keyservers. You don't need to attach your name to a key.

    Disguising that you are communicating with a particular person is more difficult. One way to do this is for both of you to use anonymous email accounts, and access them using Tor. If you do this, PGP will still be useful, both for keeping your email messages private from others, and proving to each other that the messages have not been tampered with.

    Last reviewed: 
  • How to: Use OTR for Mac

    Adium is a free and open source instant messaging client for OS X that allows you to chat with individuals across multiple chat protocols, including Google Hangouts, Yahoo! Messenger, Windows Live Messenger, AIM, ICQ, and XMPP.

    OTR (Off-the-record) is a protocol that allows people to have confidential conversations using the messaging tools they’re already familiar with. This should not be confused with Google's “Off the record,” which merely disables chat logging, and does not have encryption or verification capabilities. For Mac users, OTR comes built-in with the Adium client.

    OTR employs end-to-end encryption. This means that you can use it to have conversations over services like Google Hangouts without those companies ever having access to the contents of the conversations.  However, the fact that you are having a conversation is visible to the provider.

    Why Should I Use Adium + OTR?

    When you have a chat conversation using Google Hangouts on the Google website, that chat is encrypted using HTTPS, which means the content of your chat is protected from hackers and other third parties while it’s in transit. It is not, however, protected from Google, which have the keys to your conversations and can hand them over to authorities or use them for marketing purposes.

    After you have installed Adium, you can sign in to it using multiple accounts at the same time. For example, you could use Google Hangouts and XMPP simultaneously. Adium also allows you to chat using these tools without OTR. Since OTR only works if both people are using it, this means that even if the other person does not have it installed, you can still chat with them using Adium.

    Adium also allows you to do out-of-band verification to make sure that you’re talking to the person you think you’re talking to and you are not being subject to a man-in-the-middle attack. For every conversation, there is an option that will show you the key fingerprints it has for you and the person with whom you are chatting. A "key fingerprint" is a string of characters like "342e 2309 bd20 0912 ff10 6c63 2192 1928,” that’s used to verify a longer public key. Exchange your fingerprints through another communications channel, such as Twitter DM or email, to make sure that no one is interfering with your conversation. If the keys don't match, you can't be sure you're talking to the right person. In practice, people often use multiple keys, or lose and have to recreate new keys, so don't be surprised if you have to re-check your keys with your friends occasionally.

    Limitations: When Should I Not Use Adium + OTR?

    Technologists have a term to describe when a program or technology might be vulnerable to external attack: they say it has a large “attack surface.” Adium has a large attack surface. It is a complex program, which has not been written with security as a top priority. It almost certainly has bugs, some of which might be used by governments or even big companies to break into computers that are using it. Using Adium to encrypt your conversations is a great defense against the kind of untargeted dragnet surveillance that is used to spy on everyone's Internet conversations, but if you think you will be personally targeted by a well-resourced attacker (like a nation-state), you should consider stronger precautions, such as PGP-encrypted email.

    Installing Adium + OTR On Your Mac

    Step 1: Install the program

    First, go to in your browser. Choose “Download Adium 1.5.9.” The file will download as a .dmg, or disk image, and will probably be saved to your “downloads” folder.

    Double-click on the file; that will open up a window that looks like this:

    Move the Adium icon into the “Applications” folder to install the program. Once the program is installed, look for it in your Applications folder and double-click to open it.

    Step 2: Set up your account(s)

    First, you will need to decide what chat tools or protocols you want to use with Adium. The setup process is similar, but not identical, for each type of tool. You will need to know your account name for each tool or protocol, as well as your password for each account.

    To set up an account, go to the Adium menu at the top of your screen and click “Adium” and then “Preferences.” This will open a window with another menu at the top. Select “Accounts,” then click the “+” sign at the bottom of the window. You will see a menu that looks like this:

    Select the program that you wish to sign in to. From here, you will be prompted either to enter your username and password, or to use Adium’s authorization tool to sign in to your account. Follow Adium’s instructions carefully.

    How to Initiate an OTR Chat

    Once you have signed in to one or more of your accounts, you can start using OTR.

    Remember: In order to have a conversation using OTR, both people need to be using a chat program that supports OTR.

    Step 1: Initiate an OTR Chat

    First, identify someone who is using OTR, and initiate a conversation with them in Adium by double-clicking on their name. Once you have opened the chat window, you will see a small, open lock in the upper left-hand corner of the chat window. Click on the lock and select “Initiate Encrypted OTR Chat.”

    Step 2: Verify Your Connection

    Once you have initiated the chat and the other person has accepted the invitation, you will see the lock icon close; this is how you know that your chat is now encrypted (congratulations!) – But wait, there’s still another step!

    At this time, you have initiated an unverified, encrypted chat. This means that while your communications are encrypted, you have not yet determined and verified the identity of the person you are chatting with. Unless you are in the same room and can see each other’s screens, it is important that you verify each other’s identities. For more information, read the module on Key Verification.

    To verify another user’s identity using Adium, click again on the lock, and select “Verify.” You will be shown a window that displays both your key and the key of the other user. Some versions of Adium only support manual fingerprint verification. This means that, using some method, you and the person with whom you’re chatting will need to check to make sure that the keys that you are being shown by Adium match precisely.

    The easiest way to do this is to read them aloud to one another in person, but that’s not always possible. There are different ways to accomplish this with varying degrees of trustworthiness. For example, you can read your keys aloud to one another on the phone if you recognize each other’s voices or send them using another verified method of communication such as PGP. Some people publicize their key on their website, Twitter account, or business card.

    The most important thing is that you verify that every single letter and digit matches perfectly.

    Step 3: Disable Logging

    Now that you have initiated an encrypted chat and verified your chat partner’s identity, there’s one more thing you need to do. Unfortunately, Adium logs your OTR-encrypted chats by default, saving them to your hard drive. This means that, despite the fact that they’re encrypted, they are being saved in plain text on your hard drive.

    To disable logging, click “Adium” in the menu at the top of your screen, then “Preferences.” In the new window, select “General” and then disable “Log messages” and “Log OTR-secured chats.” Remember, though, that you do not have control over the person with whom you are chatting—she could be logging or taking screenshots of your conversation, even if you yourself have disabled logging.

    Your settings should now look like this:

    Also, when Adium displays notifications of new messages, the contents of those messages may be logged by the OS X Notification Center. This means that while Adium leaves no trace of your communications on your own computer or your correspondent's, either your or their computer's version of OS X may preserve a record. To prevent this, you may want to disable notifications.

    To do this, select "Events" in the Preferences window, and look for any entries that say "Display a notification." For each entry, expand it by clicking the gray triangle, and then click the newly-exposed line that say "Display a notification," then click the minus icon ("-") at the lower left to remove that line." If you are worried about records left on your computer, you should also turn on full-disk encryption, which will help protect this data from being obtained by a third party without your password.

    Last reviewed: 
JavaScript license information