Surveillance Self-Defense

Online security veteran?

  • Online security veteran?

    Advanced guides to enhance your surveillance self-defense skill set.

    Congratulations! You've already taken steps to improve the safety of your online communications. Now you want to take it to the next level, and with this playlist, you can. You'll learn how to understand threats, verify the identity of the person you're communicating with, and add some new tools to your repertoire.

  • Your Security Plan

    Trying to protect all your data from everyone all the time is impractical and exhausting. But, have no fear! Security is a process, and through thoughtful planning, you can put together a plan that’s right for you. Security isn’t just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.

    In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This is the process of security planning, often referred to as “threat modeling.”

    This guide will teach you how to make a security plan for your digital information and how to determine what solutions are best for you.

    What does a security plan look like? Let’s say you want to keep your house and possessions safe. Here are a few questions you might ask:

    What do I have inside my home that is worth protecting?

    • Assets could include: jewelry, electronics, financial documents, passports, or photos

    Who do I want to protect it from?

    • Adversaries could include: burglars, roommates, or guests

    How likely is it that I will need to protect it?

    • Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?

    How bad are the consequences if I fail?

    • Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?

    How much trouble am I willing to go through to prevent these consequences?

    • Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?

    Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you’ll want to get the best lock on the market, and consider adding a security system.

    Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries’ capabilities, along with the likelihood of risks you face.

    How do I make my own security plan? Where do I start?

    Security planning helps you to identify what could happen to the things you value and determine from whom you need to protect them. When building a security plan, answer these five questions:

    1. What do I want to protect?
    2. Who do I want to protect it from?
    3. How bad are the consequences if I fail?
    4. How likely is it that I will need to protect it?
    5. How much trouble am I willing to go through to try to prevent potential consequences?

    Let’s take a closer look at each of these questions.

    What do I want to protect?

    An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.

    Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

    Who do I want to protect it from?

    To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

    Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

    Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done security planning.

    How bad are the consequences if I fail?

    There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

    The motives of adversaries differ widely, as do their tactics. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

    Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

    Write down what your adversary might want to do with your private data.

    How likely is it that I will need to protect it?

    Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

    It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

    Assessing risks is both a personal and a subjective process. Many people find certain threats unacceptable no matter the likelihood they will occur because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don’t view the threat as a problem.

    Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

    How much trouble am I willing to go through to try to prevent potential consequences?

    There is no perfect option for security. Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.

    For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

    Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

    Security planning as a regular practice

    Keep in mind your security plan can change as your situation changes. Thus, revisiting your security plan frequently is good practice.

    Create your own security plan based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your plan and check back in to determine whether it’s still relevant to your situation.

    Last reviewed: 1-10-2019

  • Choosing Your Tools

    With so many companies and websites offering tools geared towards helping individuals improve their own digital security, how do you choose the tools that are right for you?

    We don’t have a foolproof list of tools that can defend you (though you can see some common choices in our Tool Guides). But if you have a good idea of what you are trying to protect, and who you are trying to protect it from, this guide can help you choose the appropriate tools using some basic guidelines.

    Remember, security isn't about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats. Check out our Assessing your Risks guide for more information.

    Security is a Process, not a Purchase

    The first thing to remember before changing the software you use or buying new tools is that no tool or piece of software will give you absolute protection from surveillance in all circumstances. Therefore, it’s important to think about your digital security practices holistically. For example, if you use secure tools on your phone, but don’t put a password on your computer, the tools on your phone might not help you much. If someone wants to find out information about you, they will choose the easiest way to obtain that information, not the hardest.

    Secondly, it’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. If your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools, you don't need to buy some expensive encrypted phone system that claims to be "NSA-proof." Alternatively, if you face a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tactics—like arranging a set of harmless-sounding, pre-arranged codes to convey messages—rather than risk leaving evidence that you use encryption software on your laptop. Coming up with a set of possible attacks you plan to protect against is called threat modeling.

    Given all that, here are some questions you can ask about a tool before downloading, purchasing, or using it.

    How Transparent is it?

    There's a strong belief among security researchers that openness and transparency lead to more secure tools.

    Much of the software the digital security community uses and recommends is open-source. This means the code that defines how it works is publicly available for others to examine, modify, and share. By being transparent about how their program works, the creators of these tools invite others to look for security flaws and help improve the program.

    Open-source software provides the opportunity for better security, but does not guarantee it. The open source advantage relies, in part, on a community of technologists actually checking the code, which, for small projects (and even for popular, complex ones), may be hard to achieve.

    When considering a tool, see if its source code is available and whether it has an independent security audit to confirm the quality of its security. At the very least, software or hardware should have a detailed technical explanation of how it functions for other experts to inspect.

    How Clear are its Creators About its Advantages and Disadvantages?

    No software or hardware is entirely secure. Seek out tools with creators or sellers who are honest about the limitations of their product.

    Blanket statements that say that the code is “military-grade” or “NSA-proof” are red flags. These statements indicate that the creators are overconfident or unwilling to consider the possible failings in their product.

    Because attackers are always trying to discover new ways to break the security of tools, software and hardware need to be updated to fix vulnerabilities. It can be a serious problem if the creators are unwilling to do this, either because they fear bad publicity or because they have not built the infrastructure to do so. Look for creators who are willing to make these updates, and who are honest and clear about why they are doing so.

    A good indicator of how toolmakers will behave in the future is their past activity. If the tool's website lists previous issues and links to regular updates and information—like specifically how long it has been since the software was last updated—you can be more confident that they will continue to provide this service in the future.

    What Happens if the Creators are Compromised?

    When security toolmakers build software and hardware, they (just like you) must have a clear threat model. The best creators explicitly describe what kind of adversaries they can protect you from in their documentation.

    But there's one attacker that many manufacturers do not want to think about: themselves! What if they are compromised or decide to attack their own users? For instance, a court or government may compel a company to hand over personal data or create a “backdoor” that will remove all the protections their tool offers. So consider the jurisdiction(s) where the creators are based. If you’re worried about protecting yourself from the government of Iran, for example, a US-based company will be able to resist Iranian court orders, even if it must comply with US orders.

    Even if a creator is able to resist government pressure, an attacker may attempt to break into the toolmakers' own systems in order to attack its customers.

    The most resilient tools are those that consider this as a possible attack and are designed to defend against this. Look for language that asserts that a creator cannot access private data, rather than promises that a creator will not. Look for institutions with a reputation for fighting court orders for personal data.

    Has it Been Recalled or Criticized Online?

    Companies selling products and enthusiasts advertising their latest software can be misled, be misleading, or even outright lie. A product that was originally secure might have terrible flaws in the future. Make sure you stay well-informed on the latest news about the tools that you use.

    It's a lot of work for one person to keep up with the latest news about a tool. If you have colleagues who use a particular product or service, work with them to stay informed.

    Which Phone Should I Buy? Which Computer?

    Security trainers are often asked: “Should I buy Android or an iPhone?” or “Should I use a PC or a Mac?” or “What operating system should I use?” There are no simple answers to these questions. The relative safety of software and devices is constantly shifting as new flaws are discovered and old bugs are fixed. Companies may compete with each other to provide you with better security, or they may all be under pressure from governments to weaken that security.

    Some general advice is almost always true, however. When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attackers can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan.

    Now that you’ve considered the threats you face, and know what to look for in a digital security tool, you can more confidently choose tools that are most appropriate for your unique situation.

    Products Mentioned in Surveillance Self-Defense

    We try to ensure that the software and hardware mentioned in SSD complies with the criteria listed above. We have made a good faith effort to only list products that:

    • have a solid grounding in what we currently know about digital security,
    • are generally transparent about their operation (and their failings),
    • have defenses against the possibility that the creators themselves will be compromised, and
    • are currently maintained, with a large and technically-knowledgeable user base.

    We believe that they have, at the time of writing, a wide audience who is examining them for flaws, and would raise concerns to the public quickly. Please understand that we do not have the resources to examine or make independent assurances about their security. We do not endorse these products and cannot guarantee complete security.

    Last reviewed: 10-7-2019

  • Key Verification

    Read Key Concepts in Encryption first if encryption keys are unfamiliar to you.

    When you communicate online using end-to-end encryption, each person you send a message to has their own unique public key. You use this key to encrypt messages to them, so that only they can decode them.

    But how do you know which public key to use?

    Suppose you get an email that claims to be from your friend Esra’a. The email includes a PGP public key file to secure future messages. Or, suppose someone claiming to be Esra’a sends you a chat request on an encrypted messenger application like WhatsApp, Signal, or Wire, along with a security code that you can use to encrypt future messages.

    A text message on a smartphone that says it’s from your friend, Esra’a. She says “Hello!” and sends another message with a public key file (pubkey.asc), and the emojis for “sparkles” and “key.”

    These messages might not be from Esra’a at all!

    Even though you are using what you think is Esra’a’s public key, you may be encrypting your messages using a key that came from a different person entirely—which means this fake Esra’a will be able to decode all your future messages.

    To make sure you are using someone’s correct encryption key (and that others know that they are using the correct encryption key for you), it’s important to perform key verification.

    When And Where To Verify Keys

    Different secure messaging systems have different ways to verify keys, but all of them encourage you to check those keys outside of the messaging system itself. This is called out-of-band verification. So in our case, you should find some other way to check that online Esra’a is the same as real life Esra’a. You can do this by calling Esra’a on the phone, or meeting Esra’a in person to verify the public encryption key she sent you actually belongs to her.

    Why use out-of-band verification?

    • Without definitively knowing who a key came from, you can’t rely on a secure messaging system since it’s not completely secure yet!
    • It’s often harder to fake someone’s communications in more than one service. For instance, if you ask to verify Signal fingerprints using a FaceTime video chat, the fake person would have to be able to both run a fake Signal account *and* a fake FaceTime account, *and* disguise themselves as your friend on video.

    An illustration of a video chat with Esra’a. You ask her to verify the new key she sent you on Signal. She looks worried and confused.

    Here are a few questions you might be asking yourself: 

    Question: Can’t I just ask online-Esra’a some security questions to prove it’s really her? For example, what if I asked:  “If you’re the real Esra’a, what was I wearing the last time we met?” 

    Answer: The problem is that a fake Esra’a could be talking to the real Esra’a at the same time pretending to be you. Fake Esra’a could ask the real Esra’a the questions you ask, and immediately send you her real answers! This is called a “Man-in-the-middle” or “machine-in-the-middle” attack. It’s not common, but it does happen, and that’s why out-of-band verification is important for key verification.

    Two people holding smartphones. The person on the left (the sender) sends their public key fingerprint by chat. Before the person on the right (the receiver) receives the message, a bad actor  (the man-in-the-middle) intercepts the sender’s message, changes a few of the fingerprint characters and numbers, and sends a similar-looking public key fingerprint to the receiver. On the right is a view of the receiver's phone. The message appears to come from the original sender, but it’s actually the corrupted, fake message from the person in the middle.

    Question: What if I’m certain I’m talking to the right person? Do I still need to verify keys?

    Answer: Let’s say you got your keys from a source you think is reliable (like a mutual friend). Even if you’re absolutely positive you are talking to the right person, it’s still wise to verify keys. The process can be reassuring and it shows that you both take the security of your messages seriously.

    Question: When should I verify keys? 

    Answer: You should verify keys when you use a new messaging tool to communicate, or when the keys of someone you communicate with change. Below are some reasons a person’s keys might change:

    • A PGP user might set old keys to expire.
    • Phone messaging apps often tie a key to a particular phone, so if a user buys a new phone, they might be required to use a new key. 
    • Sometimes people lose keys, or forget the passwords they use to protect their keys. 

    When you see someone use a new key for the first time, you should verify it.

    So, how might we check these keys?

    Verifying Keys Out-of-band

    Encryption keys are very long sets of numbers, which makes them hard to read aloud and check manually. To make key verification easier, communication software can show you a “fingerprint” or “safety number,” based on the key, which is shorter and easier to check. Fingerprints can be a smaller number, a set of common words, or even a graphic or image.

    To verify keys, your contact will most likely read or show you the fingerprint of their key, while you check it against the fingerprint of the key you have for them on your device. After you’ve verified your contact’s key, they can verify your key by asking you to read or show them your key fingerprint as they check it against the copy on their device. Once you both know you have the right keys, you can communicate more securely.

    There are several ways to verify keys out-of-band. Here are the most common methods:

    1. Verifying keys in person, or 
    2. Verifying keys over another medium than the medium in which you are communicating.

    Verifying keys in person

    Verifying keys in person is the ideal method. This is because it is easier to confirm someone is who they say they are when you’re face-to-face with them than, say, when you’re chatting with them by text, email, or social media chat (where impersonation and phishing attempts are easier).

    In person, you have your public key fingerprint available and your friend double-checks that every single character from your public key fingerprint matches what they have for your public key fingerprint. It’s a little tedious, but it’s really worth doing. The in-person method might happen when people exchange business cards with their public key fingerprints, or when colleagues see each other at a meeting.

    Each end-to-end encrypted messaging app is different and some provide alternative ways to check key fingerprints. Currently, there is no universal term for what the practice is called and how it is implemented. For one app you might have to read each character of the fingerprint and ensure it matches what you see on your screen versus your friend’s screen. In another, you might scan a QR code on another person’s phone in order to “verify” their key.

    Let’s imagine that An Ming meets her friend, Ghassan, at an event. They decide that it’s best to communicate with each other using an end-to-end encryption app on their smartphones, so they install Signal or WhatsApp. While An Ming and Ghassan are physically close to each other, they take advantage of these apps’ key verification capabilities.

    Two people hold up their smartphones with QR codes and a string of random letters and numbers visible on their screens. They verify each other’s key fingerprints by scanning the other person’s QR code with their phone cameras. Locks and green checkmarks float above their phones.

    Verifying keys over another medium

    If you can’t verify keys in person, you can contact your friend using a different way of communication—a way other than the one you’re using to verify keys. 

    For example, if you’re trying to verify PGP keys with someone, you could use the telephone or an OTR chat to do so. Try to verify keys over a medium that is more secure than the one you’re ultimately trying to secure (e.g. through another encrypted communication). Why? Because it would be difficult for an adversary to intercept your messages from all these different mediums simultaneously.

    Let’s say that An Ming and Ghassan decide to also use PGP. An Ming sends Ghassan her PGP public key fingerprint through another medium—like Signal—making sure that each character matches her public key fingerprint. Ghassan would then cross-check that every character of An Ming’s public key fingerprint matches the public key he has on file for An Ming.

    A laptop open, with a PGP public key and 10 block fingerprint of four random letters and numbers in each block. It is paired with a happy face. On the right, a second method of encrypted communication: a phone open to the Signal encrypted messaging app, shown with that same happy face and the same character and number set for the 10 block fingerprint.

    Regardless of the app that you use, you will always be able to locate both your key and the key of your communication partner.

    Although locating your key can vary by app, the key verification methods remain approximately the same. You can either read your key’s fingerprint aloud (if you are face-to-face or using the telephone) or you can copy and paste it into a communications program, but whichever you choose, it is important that you check every single letter and number.

    Lastly, many of these end-to-end encryption apps indicate if the keys change. As we previously mentioned, it’s important to be on the lookout for when your friends’ keys change—be sure to verify that this is an expected change with them. You can do so in person or over another medium. For example, some people send their friends a message when they are about to get a new phone so that their friends are not startled by a new key notification.

    Verify keys with one of your friends. To learn how to verify keys in a specific app, visit that app’s how-to guide.

    PGP’s Web of Trust And Other Key Verification Aids

    Out-of-band key verification can be hard to organize, especially if you have lots of contacts. While it’s always a good idea, some tools can help give you strong hints that you’re using the right key.

    PGP allows you to sign other people’s keys, which means that you officially vouch that this key really belongs to the person it says it is from. PGP users can meet each other at key-signing parties, where they check each other’s identities, and then sign their keys. Your PGP software can decide whether to trust a key based on how many people have signed it—and whether you already trust those signers. This network of PGP users, all verifying and vouching for each other, is called “the web of trust.” The web of trust helps you assess the validity of new keys, but it’s like getting a recommendation from a friend: it doesn’t beat checking out the person yourself.

    Thanks to the web of trust, PGP also lets you download keys for new contacts from the PGP keyservers. Your software can upload your key, tied to your email address, to a keyserver. Then any PGP user can ask the keyservers for the right key for a particular email address.

    There’s nothing stopping bad actors from uploading wrong keys for an email address or identity to the keyservers—indeed, this has happened in the past—but if a key is signed as valid by a lot of people you know, it is more likely to be real. Again, if you get a key from a keyserver, it’s best to verify it directly with the user, or in person, as soon as possible.

    A bad actor might create a key whose fingerprint is almost, but not quite, the same as the real key’s fingerprint, and upload it to the keyservers. This is why you should check every digit of a fingerprint carefully!
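    The check described above, as an added example that is not part of the original guide: it compares a fingerprint read out by a contact against the one stored on your device, character by character, and shows how a shortcut that looks only at the first and last blocks accepts a lookalike. The SHA-256 derivation, the function names, and the sample key bytes are assumptions made for illustration; real PGP and Signal fingerprints are derived differently.

```python
import hashlib


def group(hex_chars: str, block: int = 4) -> str:
    """Format a run of characters into space-separated blocks for reading aloud."""
    return " ".join(hex_chars[i:i + block] for i in range(0, len(hex_chars), block))


def fingerprint(public_key_bytes: bytes) -> str:
    """Illustrative fingerprint (assumption): first 40 hex chars of SHA-256, in ten blocks."""
    digest = hashlib.sha256(public_key_bytes).hexdigest().upper()
    return group(digest[:40])


def normalize(fp: str) -> str:
    """Drop spaces, colons and dashes and ignore case, so only the characters are compared."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def fingerprints_match(on_device: str, read_out: str) -> bool:
    """Full check: every single letter and number must be identical."""
    a, b = normalize(on_device), normalize(read_out)
    return bool(a) and a == b


def ends_only_match(on_device: str, read_out: str, n: int = 8) -> bool:
    """The shortcut to avoid: glancing at only the first and last n characters."""
    a, b = normalize(on_device), normalize(read_out)
    return a[:n] == b[:n] and a[-n:] == b[-n:]


def first_mismatch_block(on_device: str, read_out: str, block: int = 4):
    """Return the 1-based number of the first differing block, or None if all match."""
    a, b = normalize(on_device), normalize(read_out)
    for i in range(0, max(len(a), len(b)), block):
        if a[i:i + block] != b[i:i + block]:
            return i // block + 1
    return None


# Constructed sample data: these bytes stand in for a contact's public key file.
SAMPLE_KEY = b"constructed sample public key for An Ming"
REAL_FP = fingerprint(SAMPLE_KEY)

# Constructed lookalike: the same string with one character changed in the middle.
# It is edited by hand here; it is not the fingerprint of any actual key.
_norm = normalize(REAL_FP)
_swapped = "0" if _norm[20] != "0" else "1"
LOOKALIKE_FP = group(_norm[:20] + _swapped + _norm[21:])


if __name__ == "__main__":
    print("on device :", REAL_FP)
    print("read out  :", LOOKALIKE_FP)
    print("first/last blocks agree:", ends_only_match(REAL_FP, LOOKALIKE_FP))
    print("every character agrees :", fingerprints_match(REAL_FP, LOOKALIKE_FP))
    print("first differing block  :", first_mismatch_block(REAL_FP, LOOKALIKE_FP))
```
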

    Some services, like Keybase.io, let users confirm the validity of a key by letting their users prove their identities using social media. These services demonstrate that the person who uses a certain key is also the person who runs a certain Twitter account or Facebook account. Once again, it helps make the case that a key is the right one to use, but verify in person or directly to be absolutely sure!

    For more information about public keys and how key verification works, check out our Surveillance Self-Defense guides on Key Concepts in Encryption, and A Deep Dive on End-to-End Encryption.

    Last reviewed: 7-23-2019

  • Key Concepts in Encryption

    Under some circumstances, encryption can be fairly automatic and simple. But there are ways encryption can go wrong. The more you understand it, the safer you will be against such situations. We recommend reading the “What Should I Know About Encryption?” guide first if you haven’t already.

    In this guide, we will look at five main ideas. These are important concepts for understanding encryption in transit:

    • A cipher, a key
    • Symmetric and asymmetric encryption
    • Private and public keys
    • Identity verification for people (public key fingerprints)
    • Identity verification for websites (security certificates)

    A Cipher, A Key

    You’ve probably seen something that, on its face, is not understandable to you. Maybe it looks like it’s in another language, or like it’s gibberish—there’s some sort of barrier to being able to read and understand it. This doesn’t necessarily mean that it’s encrypted.

    What differentiates something that is not understandable from something that’s encrypted?

    Encryption is a mathematical process used to scramble information, so that it can be unscrambled only with special knowledge. The process involves a cipher and a key.

    A cipher is a set of rules (an algorithm) for encrypting and decrypting. These are well-defined steps that can be followed as a formula.

    A key is a piece of information that instructs the cipher in how to encrypt and decrypt. Keys are one of the most important concepts for understanding encryption.

    One Key or Many Keys?

    In symmetric encryption, there is one single key to both encrypt and decrypt information.

    Older forms of encryption were symmetric. For the “Caesar cipher” used by Julius Caesar, the key to encrypt and decrypt a message was a shift of three. For example, “A” would be changed to “D.” The message “ENCRYPTION IS COOL” would be encrypted to “HQFUBSWLRQ LV FRRO” using the key of three. That same key would be used to decrypt it back to the original message.
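    The Caesar cipher described above, as an added example that is not part of the original guide: the same key of three both encrypts and decrypts the guide's sample message, and because only 25 keys exist, every one of them can be tried in an instant, which is why modern ciphers rely on far larger keys. The function names and the short word list are assumptions made for illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_text(text: str, key: int) -> str:
    """Shift each letter A-Z by `key` positions; leave spaces and punctuation alone."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """Symmetric encryption: shift forward by the key."""
    return shift_text(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """Symmetric decryption: the same key, shifted backward."""
    return shift_text(ciphertext, -key)


def try_every_key(ciphertext: str) -> dict:
    """The whole key space is 25 shifts, so all of them can simply be listed."""
    return {key: decrypt(ciphertext, key) for key in range(1, 26)}


def plausible_keys(ciphertext: str, known_words=("IS", "THE", "AND")) -> list:
    """Keys whose decryption contains a common English word (assumed word list)."""
    hits = []
    for key, candidate in try_every_key(ciphertext).items():
        if any(word in known_words for word in candidate.split()):
            hits.append(key)
    return hits


if __name__ == "__main__":
    message = "ENCRYPTION IS COOL"          # the guide's sample message
    secret = encrypt(message, 3)
    print(secret)                           # the guide's ciphertext
    print(decrypt(secret, 3))               # same key restores the message
    print(plausible_keys(secret))           # the key falls out without knowing it
```
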

    Symmetric encryption is still used today—it often comes in the form of “stream ciphers” and “block ciphers,” which rely on complex mathematical processes to make their encryption hard to crack. Encryption today includes many steps of scrambling data to make it hard to reveal the original content without the valid key. Modern symmetric encryption algorithms, such as the Advanced Encryption Standard (AES) algorithm, are strong and fast. Symmetric encryption is widely used by computers for tasks like encrypting files, encrypting partitions on a computer, completely encrypting devices and computers using full-disk encryption, and encrypting databases like those of password managers. To decrypt this symmetrically-encrypted information, you’ll often be prompted for a password. This is why we recommend using strong passwords, and provide tutorials for generating strong passwords to protect this encrypted information.

    Having a single key can be great if you are the only person who needs to access that information. But there’s a problem with having a single key: what if you wanted to share encrypted information with a friend far away? What if you couldn’t meet with your friend in person to share the private key? How could you share the key with your friend over an open Internet connection?

    Asymmetric encryption, also known as public key encryption, addresses these problems. Asymmetric encryption involves two keys: a private key (for decryption) and a public key (for encryption).

    Symmetric Encryption

    • Fast
    • Doesn’t require a lot of computing power
    • Useful for encrypting both large and small messages
    • Requires sharing the key for encryption and decryption
    • Cannot be used for verifying identities (authentication)

    Asymmetric Encryption

    • Slow
    • Requires a lot of computing power
    • Useful for encrypting small messages
    • The decryption key does not need to be shared — only the “public key” for encryption is shared
    • Can be used for identity verification (authentication)

    Symmetric and asymmetric encryption are often used together for encrypting data in transit.

    Asymmetric Encryption: Private and Public Keys

    Private and public keys come in matched pairs, because the private key and public key are mathematically tied together. You can think of it like a rock that is split in half. When held back together, the two halves fit in place to form the whole. No other rock-half will do. The public key and private key files are much the same, but are ultimately composed of computer-readable representations of very large numbers.

    Although it is called a “public key,” it can be confusing to think of the public key as an actual, literal key to open things. It doesn’t quite serve that function. For more in-depth information on public keys and private keys, see SSD’s deep dive on public key cryptography.

    A public key is a file that you can give to anyone or publish publicly. When someone wants to send you an end-to-end encrypted message, they’ll need your public key to do so.

    Your private key lets you decrypt this encrypted message. Because your private key allows you to read encrypted messages, it becomes very important to protect your private key. In addition, your private key can be used to sign documents so that others can verify that they really came from you.

    Since the private key is ultimately a file on a device that requires protection, we encourage you to password protect and encrypt the device where the private key is stored. On Surveillance Self-Defense, we have guides for strong passwords and device encryption.

    Public Key

    • A file that can be shared widely (can be shared over the Internet easily)
    • Sender needs the public key to encrypt information to the recipient
    • Represented by a “public key fingerprint,” which is used for verifying identities (authentication)
    • Can be optionally posted to permanent, publicly-accessible databases, such as “keyservers” (keyservers are prominent in PGP encrypted email)

    Private Key

    • A file that must be kept safe and protected
    • Used to decrypt encrypted messages that are addressed to the matched public key
    • Used for digital signatures, allowing a way to verify a sender’s identity (authentication)

    In some ways, you can think of sending information in transit like sending a postcard. In the postcard illustration on the left (below), a sender writes: “HI! :-)” The sender addresses it to the message recipient. This message is unencrypted, and anyone passing the message along the way can read it.

    On the right is that same postcard, with the message encrypted between the sender and receiver. The message still conveys the message “Hi! :-)” but now it looks like a block of encrypted gibberish to the rest of us.

    How is this done? The sender has found the recipient’s public key. The sender addresses the message to the recipient’s public key, which encrypts the message. The sender has also included their signature to show that the encrypted message is really from them.

    Note that the metadata—of who is sending and who is receiving the message, as well as additional information like time sent and received, where it passed through, and so on—is still visible. We can see that the sender and receiver are using encryption, we can tell that they are communicating, but we can’t read the content of their message.

    Who Are You Encrypting To? Are They Who They Really Say They Are?

    Now, you might be wondering: “I get that my public key lets someone send me an encrypted message, and that my private key lets me read that encrypted message. But what if someone pretends to be me? What if they create a new public and private key, and impersonate me?”

    That’s where public key cryptography is especially useful: It lets you verify your identity and your recipient’s identity. Let’s look at the capabilities of the private key more closely.

    In addition to letting you read encrypted messages that are sent to your public key, your private key lets you place unforgeable digital signatures on messages you send to other people, as though to say “yes, this is really me writing this.”

    Your recipient will see your digital signature along with your message and compare it with the information listed from your public key.

    Let’s look at how this works in practice.

    Identity Verification for People: Public Key Fingerprints

    When we send any kind of message, we rely on the good faith of people participating. It’s like in the real world: We don’t expect a mail delivery person to meddle with the contents of our mail, for example. We don’t expect someone to intercept a friend’s letter to us, open and modify it, and send it to us, as though nothing had been changed. But there’s a risk this could happen.

    Encrypted messages have this same risk of being modified. However, public key cryptography gives us a way to check whether information has been tampered with, by double-checking someone’s digital identity against their real-life identity.

    The public key is a giant block of text in a file. It is also represented in a human-readable shortcut called a key fingerprint.

    The word “fingerprint” means lots of different things in the field of computer security.

    One use of the term is a “key fingerprint,” a string of characters like “65834 02604 86283 29728 37069 98932 73120 14774 81777 73663 16574 23234” that should allow you to uniquely and securely check that someone on the Internet is using the right private key.

    In some apps, this information can be represented as a QR code that you and your friend scan off each other’s devices.

    You can double-check that someone’s digital identity matches who they say they are through something called “fingerprint verification.”

    Fingerprint verification is best done in real life. If you’re able to meet with your friend in person, have your public key fingerprint available and let your friend double-check that every single character from your public key fingerprint matches what they have for your public key fingerprint. Checking a long string of characters like “342e 2309 bd20 0912 ff10 6c63 2192 1928” is tedious, but worth doing. If you’re not able to meet in person, you can make your fingerprint available through another secure channel, like another end-to-end encrypted messaging or chat system, or posted on an HTTPS site.

    Verifying someone’s key fingerprint gives you a higher degree of certainty that it’s really them. But it’s not perfect because if the private keys are copied or stolen (say you have malware on your device, or someone physically accessed your device and copied the file), someone else would be able to use the same fingerprint. For this reason, if a private key is “stolen,” you will want to generate a new public and private key pair, and give your friends your new public key fingerprint.

    Summary: Public-Key Encryption Capabilities

    In general, using public-key encryption can provide users:

    Secrecy: A message encrypted with public-key cryptography allows the sender to create a message that is secret, so that only the intended recipient can read it.

    Authenticity: A recipient of a message signed with public-key cryptography can verify that the message was authentically crafted by the sender if they have the sender’s public key.

    Integrity: A message signed or encrypted with public-key cryptography, in general, cannot be tampered with, otherwise the message will not decrypt or verify correctly. This means that even unintentional disruption of a message (e.g. because of a temporary network problem) will be detectable.

    Identity Verification for Websites and Services: Security Certificates

    You might wonder: “I can verify public key fingerprints, but what’s the equivalent for the web? How can I double-check that I’m using a service that really is the service that it says it is? How can I be sure that no one is interfering with my connection to a service?”

    Someone using end-to-end encryption shares their public key widely so others can verify that they are who they say they are. Similarly, when using transport-layer encryption, your computer automatically checks to confirm whether a public key for a service is who it really says it is, and that it is encrypting to the intended service: this is called a security certificate.

    Below, you can see an example of the security certificate for SSD from a generic Web browser. This information is often accessible by clicking the HTTPS lock in your Web browser and pulling up the certificate details.

    The Web browser on your computer can make encrypted connections to sites using HTTPS. Websites often use security certificates to prove to your browser that you have a secure connection to the real site, and not to some other system that’s tampering with your connection. Web browsers examine certificates to check the public keys of domain names (like www.google.com, www.amazon.com, or ssd.eff.org). Certificates are one way of trying to determine if you know the correct public key for a person or website, so that you can communicate securely with them. But how does your computer know what the right public key is for sites you visit?

    Modern browsers and operating systems include a list of trusted Certificate Authorities (CAs). The public keys for these CAs are pre-bundled when you download the browser or buy a computer. Certificate Authorities sign the public key of websites once they’ve validated them as legitimately operating a domain (such as www.example.com). When your browser visits an HTTPS site, it verifies that the certificate the site delivered has actually been signed by a CA that it trusts. This means that a trusted third-party has verified that the site is who they are claiming to be.

    Just because a site’s security certificate has been signed by a Certificate Authority, does not mean that the website is necessarily a secure site. There are limits to what a CA can verify—it can’t verify that a website is honest or trustworthy. For example, a website may be “secured” using HTTPS, but still host scams and malware. Be vigilant, and learn more by reading our guide on malware and phishing.

    From time to time, you will see certificate-related error messages on the Web. Most commonly this is because a hotel or cafe network is trying to intercept your connection to a website in order to direct you to their login portal before accessing the web, or because of a bureaucratic mistake in the system of certificates. But occasionally it is because a hacker, thief, or police or spy agency is breaking the encrypted connection. Unfortunately, it is extremely difficult to tell the difference between these cases.

    This means you should never click past a certificate warning if it relates to a site where you have an account or are reading any sensitive information.

    Putting It All Together: Symmetric Keys, Asymmetric Keys, & Public Key Fingerprints.

    The example of Transport-Layer Security Handshakes

    When using transport-layer encryption, your computer’s browser and the computer of the website you’re visiting are using both symmetric algorithms and asymmetric algorithms. 

    Let’s examine a concrete example of how all these ideas work together: when you connect to this HTTPS website (https://ssd.eff.org/), what happens?

    When a website uses HTTPS, your browser and the website’s server have a very fast set of interactions called “the handshake.” Your browser—the likes of Google Chrome, Mozilla Firefox, Tor Browser, and so forth—is talking to the server (computer) hosting our website, https://ssd.eff.org.

    In the handshake, the browser and server first send each other notes to see if they have any shared preferences for encryption algorithms (these are known as “cipher suites”). You can think of it like your browser and our ssd.eff.org server are having a quick conversation: they’re asking each other what encryption methods they both know and should communicate in, as well as which encryption methods they prefer. (“Do we both know how to use an asymmetric algorithm like RSA in combination with a symmetric algorithm like AES? Yes, good. If this combination of encryption algorithms doesn’t work for us, what other encryption algorithms do we both know?”)

    Then, your browser uses asymmetric encryption: it sends a public key certificate to ssd.eff.org to prove that you are who you say you are. The site's server checks this public key certificate against your public key. This is to prevent a malicious computer from intercepting your connection.

    Once your identity is confirmed, the site’s server uses symmetric encryption: it generates a new, symmetric, secret key file. It then asymmetrically encrypts your browser’s public key, and sends it to your browser. Your browser uses its private key to decrypt this file.

    If this symmetric key works, your browser and website’s server use it to encrypt the rest of their communications. (This set of interactions is the transport layer security (TLS) handshake.) Thus, if all goes right in the handshake, your connection to ssd.eff.org shows up as Secure, with HTTPS beside ssd.eff.org.

    For a deeper dive on public and private keys, as well as verification, read our SSD guide on public key encryption next.

    Last reviewed: 11-26-2018
  • A Deep Dive on End-to-End Encryption: How Do Public Key Encryption Systems Work?

    If used correctly, end-to-end encryption can help protect the contents of your messages, text, and even files from being understood by anyone except their intended recipients. It can also be used to prove that a message came from a particular person and has not been altered.

    In the past few years, end-to-end encryption tools have become more usable. Secure messaging tools like Signal (iOS or Android)—for voice calls, video calls, chats and file sharing—are good examples of apps that use end-to-end encryption to encrypt messages between the sender and intended recipient. These tools make messages unreadable to eavesdroppers on the network, as well as to the service providers themselves.

    With that said, some implementations of end-to-end encryption can be difficult to understand and use. Before you begin using end-to-end encryption tools, we strongly recommend taking the time to understand the basics of public key cryptography.

    The type of encryption we’re talking about in this guide, which end-to-end encryption tools rely on, is called public key cryptography, or public key encryption. To read about other types of encryption, check out our What Should I Know About Encryption? guide.

    Understanding the underlying principles of public key cryptography will help you to use these tools successfully. There are things that public key cryptography can and can’t do, and it’s important to understand when and how you might want to use it.

    What Does Encryption Do?

    Here’s how encryption works when sending a secret message:

    1. A clearly readable message (“hello mum”) is encrypted into a scrambled message that is incomprehensible to anyone looking at it (“OhsieW5ge+osh1aehah6”).
    2. The encrypted message is sent over the Internet, where others see the scrambled message, “OhsieW5ge+osh1aehah6”
    3. When it arrives at its destination, the intended recipient, and only the intended recipient, has some way of decrypting it back into the original message (“hello mum”).

    Symmetric Encryption: A Story of Passing Secret Notes with a Single Key

    Julia wants to send a note to her friend César that says “Meet me in the garden,” but she doesn’t want her classmates to see it.

    Julia’s note passes through a bunch of intermediary classmates before reaching César. Although neutral, the intermediaries are nosy and can easily sneak a peek at the message before passing it on. They are also making copies of this message before passing it on and noting the time at which Julia is sending this message to César.

    Julia decides to encrypt her message with a key of 3, shifting the letters down the alphabet by three. So A would be D, B would be E, etc. If Julia and César use a simple key of 3 to encrypt, and a key of 3 to decrypt, then their gibberish encrypted message is easy to crack. Someone could “brute force” the key by trying all the possible combinations. In other words, they can persistently guess until they get the answer to decrypt the message.

    The method of shifting the alphabet by three characters is a historic example of encryption used by Julius Caesar: the Caesar cipher. When there is one key to encrypt and decrypt, like in this example where it’s a simple number of 3, it is called symmetric cryptography.
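    The shift-by-three cipher and the brute-force guess described above, as an added Python example that is not part of the original guide; it also reproduces the “ENCRYPTION IS COOL” example from the earlier encryption guide. The function names and the short list of common English words used to recognise the right guess are assumptions made for this example.

```python
import string

# Small, constructed list of common English words used to spot readable output.
COMMON_WORDS = {"the", "and", "is", "in", "me", "to", "of", "you", "it", "at"}


def caesar(text: str, key: int) -> str:
    """Shift every ASCII letter by `key` places; a negative key decrypts."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)  # spaces, digits and punctuation are left alone
    return "".join(out)


def brute_force(ciphertext: str):
    """Try the whole key space: there are only 26 possible shifts."""
    return [(key, caesar(ciphertext, -key)) for key in range(26)]


def crack(ciphertext: str):
    """Return the (key, plaintext) guess containing the most common words."""
    def score(guess):
        words = guess[1].lower().split()
        return sum(w.strip(string.punctuation) in COMMON_WORDS for w in words)
    return max(brute_force(ciphertext), key=score)


if __name__ == "__main__":
    note = "Meet me in the garden"
    scrambled = caesar(note, 3)
    print("Julia sends:  ", scrambled)
    print("Nosy classmate recovers (key, text):", crack(scrambled))
    print("Earlier example:", caesar("ENCRYPTION IS COOL", 3))
```

    A key space of 26 is exhausted instantly; a modern symmetric key is chosen from so many possibilities that the same guessing loop is impractical.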

    The Caesar cipher is a weak form of symmetric cryptography. Thankfully, encryption has come a long way since the Caesar cipher. Using amazing math and the help of computers, a key can be generated that is much, much larger, and is much, much harder to guess. Symmetric cryptography has come a long way and has many practical purposes.

    However, symmetric cryptography doesn’t address the following issue: what if someone could just eavesdrop and wait for Julia and César to share the key, and steal the key to decrypt their messages? What if they waited for Julia and César to say the secret for decrypting their messages by 3? What if Julia and César were in different parts of the world, and didn’t plan on meeting in person?

    How can César and Julia get around this problem?

    Let’s say that Julia and César have learned about public key cryptography. An eavesdropper would be unlikely to catch Julia or César sharing the decryption key—because they don’t need to share the decryption key. In public key cryptography, encryption and decryption keys are different.

    Public Key Encryption: A Tale of Two Keys

    Let’s look at the problem more closely: How does the sender send the symmetric decryption key to the recipient without someone spying on that conversation too? In particular, what if the sender and recipient are physically far away from each other, but want to be able to converse without prying eyes?

    Public-key cryptography (also known as asymmetric cryptography) has a neat solution for this. It allows each person in a conversation to create two keys—a public key and a private key. The two keys are connected and are actually very large numbers with certain mathematical properties. If you encode a message using a person’s public key, they can decode it using their matching private key.

    Julia and César are now using their two computers to send encrypted messages using public key cryptography, instead of passing notes. Their classmates passing the notes are now replaced with computers. There are intermediaries between Julia and César: Julia and César’s respective Wi-Fi points, Internet Service Providers, and their email servers. In reality, it may be hundreds of computers in between Julia and César that facilitate this conversation. These intermediaries are making and storing copies of Julia and César’s messages each time they are passed through.

    They don’t mind that the intermediaries can see them communicating, but they want the contents of their messages to remain private.

    First, Julia needs César’s public key. César sends his public key (file) over an insecure channel, like unencrypted email. He doesn’t mind if the intermediaries get access to it because the public key is something that he can share freely. Note that the key metaphor breaks down around here; it’s not quite right to think of the public key as a literal key. César sends the public key over multiple channels, so that the intermediaries can't send one of their own public keys on to Julia instead.

    Julia receives César’s public key file. Now Julia can encrypt a message to him! She writes her message: “Meet me in the garden.”

    She sends the encrypted message. It is encrypted only to César.

    Both Julia and César can understand the message, but it looks like gibberish to anyone else that tries to read it. The intermediaries are able to see metadata, like the subject line, dates, sender, and recipient.

    Because the message is encrypted to César’s public key, it is only intended for César and the sender (Julia) to read the message.

    César can read the message using his private key.

    To recap:

    • Public key cryptography allows someone to send their public key in an open, insecure channel.
    • Having a friend’s public key allows you to encrypt messages to them.
    • Your private key is used to decrypt messages encrypted to you.
    • Intermediaries—such as the email service providers, Internet service providers, and those on their networks—are able to see metadata this whole time: who is sending what to whom, when, what time it’s received, what the subject line is, that the message is encrypted, and so on.

    Another Problem: What About Impersonation?

    In the example with Julia and César, the intermediaries are able to see metadata this whole time.

    Let’s say that one of the intermediaries is a bad actor. By bad actor, we mean someone who intends to harm you by trying to steal or interfere with your information. For whatever reason, this bad actor wants to spy on Julia’s message to César.

    Let’s say that this bad actor is able to trick Julia into grabbing the wrong public key file for César. Julia doesn’t notice that this isn’t actually César’s public key. The bad actor receives Julia’s message, peeks at it, and passes it along to César.

    The bad actor could even decide to change the contents of the file before passing it along to César.

    Most of the time, the bad actor decides to leave the contents unmodified. So, the bad actor forwards along Julia’s message to César as though nothing has happened, César knows to meet Julia in the garden, and ~gasp~ to their surprise, the bad actor is there too.

    This is known as a man-in-the-middle attack. It’s also known as a machine-in-the-middle attack.

    Luckily, public key cryptography has a method for preventing man-in-the-middle attacks.

    Public key cryptography lets you double-check someone’s digital identity with their real-life identity through something called “fingerprint verification.” This is best done in real life, if you are able to meet with your friend in person. You’d have your public key fingerprint available, and your friend would double-check that every single character from your public key fingerprint matches what they have for your public key fingerprint. It’s a little tedious, but it’s really worth doing.

    Other end-to-end encrypted apps also have a way to check for fingerprints, though there are some variations on what the practice is called and how it is implemented. In some instances, you’ll read each character of the fingerprint extremely carefully and ensure it matches what you see on your screen, versus what your friend sees on their screen. In others, you might scan a QR code on another person’s phone in order to “verify” their device. In the example below, Julia and César are able to meet in person to verify their phone fingerprints by scanning each other’s QR codes using their phone’s camera.

    If you don’t have the luxury of meeting in person, you can make your fingerprint available through another secure channel, like another end-to-end encrypted messaging app or chat system, or an HTTPS site.

    In the below example, César sends his public key fingerprint to Julia using a different end-to-end encrypted app with his smartphone.

    To review:

    • A man-in-the-middle attack is when someone intercepts your message to someone else. The attacker can alter the message and pass it along or choose to simply eavesdrop.
    • Public key cryptography lets you address man-in-the-middle attacks by providing ways to verify the recipient and sender’s identities. This is done through fingerprint verification.
    • In addition to being used to encrypt a message to your friend, your friend’s public key also comes with something called a “public key fingerprint.” You can use the fingerprint to verify your friend’s identity.
    • The private key is used to encrypt messages, as well as for digitally signing messages as you.

    Sign of the Times

    Public key cryptography makes it so you don’t need to smuggle the decryption key to the recipient of your secret message because that person already has the decryption key. The decryption key is their private key. Therefore, all you need to send a message is your recipient’s matching public, encrypting key. And you can obtain this easily because your recipient can share their public key with anyone, since public keys are only used to encrypt messages, not decrypt them.

    But there's more! We know that if you encrypt a message with a certain public key, it can only be decrypted by the matching private key. But the opposite is also true. If you encrypt a message with a certain private key, it can only be decrypted by its matching public key.

    Why would this be useful? At first glance, there doesn't seem to be any advantage to sending a secret message with your private key that everyone who has your public key can decrypt. But suppose you wrote a message that said “I promise to pay Aazul $100,” and then turned it into a secret message using your private key. Anyone could decrypt that message—but only one person could have written it: the person who has your private key. And if you’ve done a good job keeping your private key safe, that means you, and only you, could’ve written it. In effect, by encrypting the message with your private key, you’ve made sure that it could have only come from you. In other words, you’ve done the same thing with this digital message as we do when we sign a message in the real world.

    Signing also makes messages tamper-proof. If someone tried to change your message from “I promise to pay Aazul $100” to “I promise to pay Ming $100,” they would not be able to re-sign it using your private key. So, a signed message guarantees it originated from a certain source and was not messed with in transit.

    In Review: Using Public Key Cryptography

    Let’s review. Public key cryptography lets you encrypt and send messages safely to anyone whose public key you know.

    If others know your public key:

    • They can send you secret messages that only you can decode using your matching private key and,
    • You can sign your messages with your private key so that the recipients know the messages could only have come from you.

    And if you know someone else’s public key:

    • You can decode a message signed by them and know that it only came from them.

    It should be clear by now that public key cryptography becomes more useful when more people know your public key. The public key is shareable, in that it’s a file that you can treat like an address in a phone book: it’s public, people know to find you there, you can share it widely, and people know to encrypt messages to you there. You can share your public key with anyone who wants to communicate with you; it doesn’t matter who sees it.

    The public key comes paired with a file called a private key. You can think of the private key like an actual key that you have to protect and keep safe. Your private key is used to encrypt and decrypt messages.

    It should also be apparent that you need to keep your private key very safe. If your private key is accidentally deleted from your device, you won’t be able to decrypt your encrypted messages. If someone copies your private key (whether by physical access to your computer, malware on your device, or if you accidentally post or share your private key), then others can read your encrypted messages. They can pretend to be you and sign messages claiming that they were written by you.

    It’s not unheard of for governments to steal private keys off of particular people's computers (by taking the computers away, or by putting malware on them using physical access or phishing attacks). This undoes the protection private key cryptography offers. This is comparable to saying that you might have an unpickable lock on your door, but somebody might still be able to pickpocket you in the street for your key, copy the key and sneak it back into your pocket and hence be able to get into your house without even picking the lock.

    This goes back to threat modeling: determine what your risks are and address them appropriately. If you feel that someone would go through great trouble to try to get your private key, you may not want to use an in-browser solution to end-to-end encryption. You instead may opt to just have your private key stored on your own computer or phone, rather than someone else’s computer (like in the cloud or on a server).

    Review of Public Key Cryptography, and A Specific Example: PGP.

    So, we went over symmetric encryption and public key encryption as separate explanations. However, we should note that public key encryption uses symmetric encryption as well! Public key encryption actually just encrypts a symmetric key, which is then used to decrypt the actual message.

    PGP is an example of a protocol that uses both symmetric cryptography and public key cryptography (asymmetric). Functionally, using end-to-end encryption tools like PGP will make you very aware of public key cryptography practices.

    What Exactly Are Keys? And How Are Keys Tied Together?

    Public key cryptography is based on the premise that there are two keys: one key for encrypting, and one key for decrypting. How it basically works is you can send a key over an insecure channel, like the Internet. This key is called the public key. You can post this public key everywhere, in very public places, and not compromise the security of your encrypted messages.

    This shareable key is the public key: a file that you can treat like an address in a phone book: it’s public, people know to find you there, you can share it widely, and people know to encrypt to you there.

    The public key comes paired with a file called a private key. You can think of the private key like an actual key that you have to protect and keep safe. Your private key is used to encrypt and decrypt messages.

    We’re going to examine the key generation in a commonly-used public key cryptography algorithm called RSA (Rivest–Shamir–Adleman). RSA is often used to generate key pairs for PGP encrypted email.

    The public key and private key are generated together and tied together. Both rely on the same very large secret prime numbers. The private key is the representation of two very large secret prime numbers. Metaphorically, the public key is the product number: it is made up of the same two very large prime numbers used to make the private key. What’s amazing is that it’s very hard to figure out which two large prime numbers created the public key.

    This problem is known as prime factoring, and some implementations of public key cryptography take advantage of how difficult it is for computers to work out what the component prime numbers are. Modern cryptography allows us to use randomly chosen, ridiculously gigantic prime numbers that are hard to guess for both humans and computers.

    The strength here is that people can share their public keys over insecure channels so that they can encrypt to each other! In the process, they never reveal their private key (the secret prime numbers), because they never have to send their private key to anyone in order to decrypt messages.

    Remember: For public key cryptography to work, the sender and the recipient need each other’s public keys.

    Another way you can think of it: The public key and private key are generated together, like a yin-yang symbol. They are intertwined.

    The public key is searchable and shareable. You can distribute it to whoever. You can post it on your social media, if you don’t mind that it reveals the existence of your email address. You can put it on your personal website. You can give it out.

    The private key needs to be kept safe and close. You just have one. You don’t want to lose it, or share it, or make copies of it that can float around, since it makes it harder to keep your private messages private.

    How PGP Works

    Let's see how public key cryptography might work, still using the example of PGP. Let’s say you want to send a secret message to Aarav:

    1. Aarav has a private key and, like a good public key encryption user, he has put its connected public key on his (HTTPS) web page.
    2. You download his public key.
    3. You encrypt your secret message using Aarav’s public key and send it to him.
    4. Only Aarav can decode your secret message because he’s the only one with the corresponding private key.

    Pretty Good Privacy is mostly concerned with the minutiae of creating and using public and private keys. You can create a public/private key pair with it, protect the private key with a password, and use it and your public key to sign and encrypt text.

    If there's one thing you need to take away from this overview, it's this: Keep your private key stored somewhere safe and protect it with a long passphrase.

    Metadata: What Public Key Encryption Can't Do

    Public key encryption is all about making sure the contents of a message are secret, genuine, and untampered with. But that's not the only privacy concern you might have. As we've noted, information about your messages can be as revealing as their contents (See “metadata”).

    If you exchange encrypted messages with a known dissident in your country, you may be in danger for simply communicating with them, even if those messages aren’t decoded. In some countries you can face imprisonment simply for refusing to decode encrypted messages.

    Disguising that you are communicating with a particular person is more difficult. In the example of PGP, one way to do this is for both of you to use anonymous email accounts, and access them using Tor. If you do this, PGP will still be useful, both for keeping your email messages private from others, and proving to each other that the messages have not been tampered with.

    Now that you’ve learned about public key cryptography, try out using an end-to-end encryption tool like Signal for iOS or Android.

    Last reviewed: 11-29-2018
  • How to: Use OTR for macOS

    NOTE: This guide is not being actively reviewed or updated, and is currently retired. If you would like to use Adium or another form of OTR messaging for macOS, please refer to those services’ websites and documentation for information on how to install and use them.

    Adium is a free and open source instant messaging client for OS X that allows you to chat with individuals across multiple chat protocols, including Google Hangouts, Yahoo! Messenger, Windows Live Messenger, AIM, ICQ, and XMPP.

    OTR (Off-the-record) is a protocol that allows people to have confidential conversations using the messaging tools they’re already familiar with. This should not be confused with Google's “Off the record,” which merely disables chat logging, and does not have encryption or verification capabilities. For Mac users, OTR comes built-in with the Adium client.

    OTR employs end-to-end encryption. This means that you can use it to have conversations over services like Google Hangouts without those companies ever having access to the contents of the conversations. However, the fact that you are having a conversation is visible to the provider.

    Why Should I Use Adium + OTR?

    When you have a chat conversation using Google Hangouts on the Google website, that chat is encrypted using HTTPS, which means the content of your chat is protected from hackers and other third parties while it’s in transit. It is not, however, protected from Google, which has the keys to your conversations and can hand them over to authorities or use them for marketing purposes.

    After you have installed Adium, you can sign in to it using multiple accounts at the same time. For example, you could use Google Hangouts and XMPP simultaneously. Adium also allows you to chat using these tools without OTR. Since OTR only works if both people are using it, this means that even if the other person does not have it installed, you can still chat with them using Adium.

    Adium also allows you to do out-of-band verification to make sure that you’re talking to the person you think you’re talking to and that you are not being subjected to a man-in-the-middle attack. For every conversation, there is an option that will show you the key fingerprints it has for you and the person with whom you are chatting. A “key fingerprint” is a string of characters like “342e 2309 bd20 0912 ff10 6c63 2192 1928” that’s used to verify a longer public key. Exchange your fingerprints through another communications channel, such as Twitter DM or email, to make sure that no one is interfering with your conversation. If the keys don't match, you can't be sure you're talking to the right person. In practice, people often use multiple keys, or lose their keys and have to create new ones, so don't be surprised if you have to re-check your keys with your friends occasionally.

    Limitations: When Should I Not Use Adium + OTR?

    Technologists have a term to describe when a program or technology might be vulnerable to external attack: they say it has a large “attack surface.” Adium has a large attack surface. It is a complex program, which has not been written with security as a top priority. It almost certainly has bugs, some of which might be used by governments or even big companies to break into computers that are using it. Using Adium to encrypt your conversations is a great defense against the kind of untargeted dragnet surveillance that is used to spy on everyone's Internet conversations, but if you think you will be personally targeted by a well-resourced attacker (like a nation-state), you should consider stronger precautions, such as PGP-encrypted email.

    Installing Adium + OTR On Your Mac

    Step 1: Install the program

    First, go to https://adium.im/ in your browser. Choose “Download Adium 1.5.9.” The file will download as a .dmg, or disk image, and will probably be saved to your “downloads” folder.

    Double-click on the file; that will open up a window.

    Move the Adium icon into the “Applications” folder to install the program. Once the program is installed, look for it in your Applications folder and double-click to open it.

    Step 2: Set up your account(s)

    First, you will need to decide what chat tools or protocols you want to use with Adium. The setup process is similar, but not identical, for each type of tool. You will need to know your account name for each tool or protocol, as well as your password for each account.

    To set up an account, go to the Adium menu at the top of your screen and click “Adium” and then “Preferences.” This will open a window with another menu at the top. Select “Accounts,” then click the “+” sign at the bottom of the window. You will see a menu.

    Select the program that you wish to sign in to. From here, you will be prompted either to enter your username and password, or to use Adium’s authorization tool to sign in to your account. Follow Adium’s instructions carefully.

    How to Initiate an OTR Chat

    Once you have signed in to one or more of your accounts, you can start using OTR.

    Remember: In order to have a conversation using OTR, both people need to be using a chat program that supports OTR.

    Step 1: Initiate an OTR Chat

    First, identify someone who is using OTR, and initiate a conversation with them in Adium by double-clicking on their name. Once you have opened the chat window, you will see a small, open lock in the upper left-hand corner of the chat window. Click on the lock and select “Initiate Encrypted OTR Chat.”

    Step 2: Verify Your Connection

    Once you have initiated the chat and the other person has accepted the invitation, you will see the lock icon close; this is how you know that your chat is now encrypted (congratulations!). But wait, there’s still another step!

    At this time, you have initiated an unverified, encrypted chat. This means that while your communications are encrypted, you have not yet determined and verified the identity of the person you are chatting with. Unless you are in the same room and can see each other’s screens, it is important that you verify each other’s identities. For more information, read the module on Key Verification.

    To verify another user’s identity using Adium, click again on the lock, and select “Verify.” You will be shown a window that displays both your key and the key of the other user. Some versions of Adium only support manual fingerprint verification. This means that, using some method, you and the person with whom you’re chatting will need to check to make sure that the keys that you are being shown by Adium match precisely.

    The easiest way to do this is to read them aloud to one another in person, but that’s not always possible. There are different ways to accomplish this with varying degrees of trustworthiness. For example, you can read your keys aloud to one another on the phone if you recognize each other’s voices, or send them using another verified method of communication such as PGP. Some people publicize their key on their website, Twitter account, or business card.

    The most important thing is that you verify that every single letter and digit matches perfectly.
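
    The manual comparison described in this step, as an added Python example that is not part of Adium or OTR. The fingerprint scheme (SHA-256 truncated to 32 hex digits), the sample keys, and the function names are assumptions made for illustration; each real tool derives fingerprints in its own way.

```python
import hashlib
import re

def fingerprint(public_key_bytes):
    """Digest of a public key, shown in groups of four hex digits.
    Assumption: SHA-256 truncated to 32 hex digits, not any tool's real scheme."""
    digest = hashlib.sha256(public_key_bytes).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def normalize(text):
    """Drop separators and letter case so only the hex digits are compared."""
    digits = re.sub(r"[\s:.-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("fingerprint must contain only hex digits and separators")
    return digits

def compare(shown_by_client, received_out_of_band):
    """Return (match, differing_groups); any missing or changed digit fails."""
    a, b = normalize(shown_by_client), normalize(received_out_of_band)
    groups_a = [a[i:i + 4] for i in range(0, len(a), 4)]
    groups_b = [b[i:i + 4] for i in range(0, len(b), 4)]
    differing = [i + 1 for i, (x, y) in enumerate(zip(groups_a, groups_b)) if x != y]
    return (a == b), differing

# Constructed sample keys: your friend's key, and a different key that your
# chat client might show instead if someone were interfering with the chat.
FRIEND_KEY = b"constructed sample public key of your friend"
SUBSTITUTED_KEY = b"constructed sample public key of someone else"

if __name__ == "__main__":
    read_over_phone = fingerprint(FRIEND_KEY).upper().replace(" ", ":")
    print(compare(fingerprint(FRIEND_KEY), read_over_phone))       # same key
    print(compare(fingerprint(SUBSTITUTED_KEY), read_over_phone))  # different key
```

    A fingerprint that is only partly read out fails the comparison too, because the two digit strings must be identical in length as well as content.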

    Step 3: Disable Logging

    Now that you have initiated an encrypted chat and verified your chat partner’s identity, there’s one more thing you need to do. Unfortunately, Adium logs your OTR-encrypted chats by default, saving them to your hard drive. This means that, even though the chats are encrypted when they are sent, they are being saved in plain text on your hard drive.

    To disable logging, click “Adium” in the menu at the top of your screen, then “Preferences.” In the new window, select “General” and then disable “Log messages” and “Log OTR-secured chats.” Remember, though, that you do not have control over the person with whom you are chatting—she could be logging or taking screenshots of your conversation, even if you yourself have disabled logging.

    Also, when Adium displays notifications of new messages, the contents of those messages may be logged by the OS X Notification Center. This means that while Adium leaves no trace of your communications on your own computer or your correspondent's, either your or their computer's version of OS X may preserve a record. To prevent this, you may want to disable notifications.

    To do this, select "Events" in the Preferences window, and look for any entries that say "Display a notification." For each entry, expand it by clicking the gray triangle, and then click the newly exposed line that says "Display a notification," then click the minus icon ("-") at the lower left to remove that line. If you are worried about records left on your computer, you should also turn on full-disk encryption, which will help protect this data from being obtained by a third party without your password.

    Last reviewed: 1-19-2017