

How to communicate securely via Facebook chat (encrypting messages with OTR)

Facebook chat has provided XMPP support for several years now, which means that you can use it from third-party applications such as Pidgin. In a few words, for those who don't already know it, Pidgin is an open-source multiprotocol instant messaging client, formerly known as Gaim (for more details, see its Wikipedia entry).

Among other things, Pidgin features plugins, and notably the Off-the-Record (OTR) Messaging plugin. This plugin allows you to encrypt your IMs without much hassle: it handles the key exchange (Diffie–Hellman) with any of your contacts who also has OTR installed. Your conversation is then encrypted using AES 128 I believe (at least that's what was used in 2009 according to this post), with a key unique to the conversation (a new key is created at each conversation start, and you can even renew the key during a conversation). The nice thing about it is that if some day your private key (used for the key exchange) is leaked, it won't allow decryption of former conversations.
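To make that forward-secrecy point concrete, here is an added Python simulation (not code from this post, from Pidgin or from the OTR plugin) of a conversation with per-session Diffie–Hellman exchanges and mid-conversation rekeys, over the 1536-bit MODP group OTR uses; the key derivation (SHA-256 truncated to 128 bits) is a constructed simplification of OTR's, and the long-term key is deliberately absent from the key material, which is exactly why leaking it later does not expose old sessions:

```python
import hashlib
import secrets

# RFC 3526 group 5: the 1536-bit MODP group used by OTR's Diffie-Hellman exchange.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2


def new_ephemeral():
    """Fresh DH key pair for one session. Only the public half is ever sent."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_aes128_key(priv, peer_pub):
    """Shared secret g^(ab) mod p hashed down to a 128-bit AES key.
    Constructed KDF for illustration; OTR's actual derivation differs."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(192, "big")).digest()[:16]


def otr_session(rekeys=0):
    """Simulate one conversation: a key agreement at start plus `rekeys`
    fresh exchanges mid-conversation. Returns (alice_keys, bob_keys, transcript).
    The transcript is all a passive eavesdropper records: public values only.
    The long-term (DSA in OTR) key would only sign these public values; it never
    enters the key derivation, so its later compromise yields none of the keys."""
    alice_keys, bob_keys, transcript = [], [], []
    for _ in range(rekeys + 1):
        a_priv, a_pub = new_ephemeral()
        b_priv, b_pub = new_ephemeral()
        transcript.append((a_pub, b_pub))
        alice_keys.append(derive_aes128_key(a_priv, b_pub))
        bob_keys.append(derive_aes128_key(b_priv, a_pub))
        del a_priv, b_priv  # ephemeral secrets are forgotten once the key exists
    return alice_keys, bob_keys, transcript


if __name__ == "__main__":
    a_keys, b_keys, transcript = otr_session(rekeys=1)
    print("both sides agree:", a_keys == b_keys)
    print("distinct key per (re)key:", len(set(a_keys)) == len(a_keys))
    print("eavesdropper sees", len(transcript), "pairs of public values, no keys")
```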

On Windows, setting up OTR is trivial. Basically, once you've installed Pidgin, just download and install pidgin-otr-4.0.0-1.exe (or any newer version), and then activate it in the Pidgin plugin list (if you had Pidgin running during the installation, you'll first have to restart it).
The only slightly tricky part is configuring Pidgin to connect to Facebook: the username required is the username in your Facebook URL, not the e-mail you use to log in. So if your Facebook page is http://www.facebook.com/JohnDoe, enter JohnDoe as the username in Pidgin. For more details, see this nice guide: How to enable Facebook Chat in Pidgin using XMPP.

Bonuses:

Posted in privacy, software.

