ChatSecure Offers Easy-to-Use Mobile Instant Messaging with Built-In Protection on Multiple Levels
ChatSecure, an instant messaging utility for Android and iOS, recently introduced a new feature. For those familiar with the utility, it can be summed up in one sentence: “ChatSecure has made it really easy for users to set up and use disposable instant messaging accounts with OTR encryption that can talk over Tor.” If this sentence leaves you puzzled, keep reading, and we’ll try to explain it. Here we go …
Issue: ISP Surveillance
Solution: Transport Encryption
You expect a lot from instant messaging tools. You do not want a third party to be able to intercept and read your messages. Your Internet service provider (ISP) and other entities that control the physical networks through which your messages flow may try to extract them from the traffic passing through their infrastructure. You can protect yourself against this by using a transport encryption protocol such as SSL/TLS, the same encryption that secures HTTPS websites. Popular services such as Google Hangouts or Facebook Chat, as well as most instant messaging software, support SSL/TLS and usually enable it by default. If you use Google Hangouts or Facebook Chat within a browser, the browser takes care of the encryption automatically. If you use a standalone instant messaging client such as Pidgin or Jitsi, check that the option to require encryption is turned on, and do not click through certificate warnings: transport encryption only protects the connection between you and the server, and only when the client has confirmed it is talking to the right server.
Issue: Service Provider Surveillance or Hacking
Solution: Message Encryption
A service provider might have access to your online communications as well. If you use Google Hangouts, whether within a browser or through a dedicated instant messaging client, your messages are SSL/TLS encrypted between you and Google’s servers. However, once you log into Gmail you can read your previous conversations online in unencrypted form, and so can Google. If somebody obtains your login credentials (with the help of malware or a social engineering attack), they too can read your messages on Google’s servers. To protect against this, you need a different type of encryption, called “end-to-end.” The messages are encrypted on your own device before they leave it, travel across the Internet and through the provider’s servers in encrypted form, and are only decrypted once they reach the final recipient. Because only the sender and the recipient hold the keys, neither the service provider nor an attacker who has taken over your account can read what the messages contain.
It may sound daunting at first, but end-to-end encryption can be a fully automatic process when using technologies such as the Off-The-Record (OTR) protocol. OTR is supported by many instant messaging clients, such as Pidgin, Adium, Jitsi, and ChatSecure (for Android and iOS devices). It is a mature protocol with many useful features. For example, it lets you authenticate the people you are communicating with, to make sure they are who you think they are. To do this, the two parties check each other’s “fingerprints,” short codes derived from their encryption keys, by exchanging them over a different communication channel: SMS, Skype, a phone call, or even postal mail. The goal is to match the code you receive over that second channel with the one your OTR-enabled software displays for your contact. If the two match, you are talking to the right person; if they do not, someone may be sitting between you and your contact, and you should not trust the conversation until the mismatch is resolved. The second channel should be one that an attacker who controls your chat connection is unlikely to control as well. There are many excellent guides on setting up OTR with different instant messaging clients, but remember that for OTR to work, both parties must run OTR-enabled software, though it does not have to be the same software on both ends. A quick setup manual for Windows is available at https://securityinabox.org/pidgin_main.
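The fingerprint check described above, written out as a small added example; this is not code from ChatSecure or the OTR project. It assumes a fingerprint is a truncated SHA-256 hash of the peer's public key shown as hex groups (the OTR specification defines its own hash and key serialization, so this mirrors the pattern rather than reproducing it), and the keys, the contact names Bob and Mallory, and the phone call as the second channel are all constructed for the illustration.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Derive a short, human-readable fingerprint from a long-term public key.

    Assumption: SHA-256 truncated to 40 hex digits and shown as five groups of
    eight, which mirrors the OTR fingerprint pattern. Real OTR defines its own
    hash and key serialization; this is an illustration, not the spec.
    """
    digest = hashlib.sha256(public_key).hexdigest()[:40].upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def normalize(fp: str) -> str:
    """Tolerate the way people retype codes: drop spaces, ignore case."""
    return "".join(fp.split()).upper()


def verify_peer(key_shown_by_client: bytes, fingerprint_from_other_channel: str) -> bool:
    """Trust the key only if its fingerprint matches the one received out of band.

    The comparison is constant-time so the verification routine does not leak
    how many leading characters matched.
    """
    computed = normalize(fingerprint(key_shown_by_client)).encode()
    received = normalize(fingerprint_from_other_channel).encode()
    return hmac.compare_digest(computed, received)


# Constructed sample keys: fixed byte strings standing in for real public keys.
BOB_KEY = b"bob-long-term-public-key (constructed sample, not a real key)"
MALLORY_KEY = b"mallory-public-key (constructed sample, not a real key)"


def demo() -> tuple:
    """Run the honest case and the man-in-the-middle case.

    Returns (honest_verified, mitm_verified). Bob reads his fingerprint to
    Alice over the phone; Alice's client shows her the fingerprint of
    whatever key arrived over the chat connection.
    """
    read_over_phone = fingerprint(BOB_KEY)

    # Honest case: the key that reached Alice's client really is Bob's.
    honest = verify_peer(BOB_KEY, read_over_phone)

    # MITM case: Mallory, controlling the chat server or the network,
    # substitutes her own key. The fingerprints disagree and Alice's
    # client must refuse to mark Bob as verified.
    mitm = verify_peer(MALLORY_KEY, read_over_phone)
    return honest, mitm


if __name__ == "__main__":
    print("Bob's fingerprint:    ", fingerprint(BOB_KEY))
    print("Mallory's fingerprint:", fingerprint(MALLORY_KEY))
    honest, mitm = demo()
    print("honest contact verified:", honest)  # True
    print("MITM key verified:      ", mitm)    # False
```

Running the script prints the two fingerprints side by side and the two verification results. The second case is the whole reason the out-of-band exchange exists: Mallory can swap keys on the chat connection, but she cannot make her key hash to the code Bob read out over the phone.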
Issue: Metadata Collection by Service Providers
Solution: Tor Network
Some surveillance is based on metadata analysis: who talks to whom, when, from where, and for how long. Metadata can be an extremely valuable source of information. In some situations you may want to hide your location (and thereby your identity), and a popular solution that helps you do this is the Tor network. If you connect to a website through Tor, the website does not learn where you are located or who you are, unless you provide this information voluntarily. The most common way to use Tor is the freely available Tor Browser. However, some instant messaging software can also connect to the Internet through Tor, and instructions for doing so are easy to find online. Note that if you connect to an instant messaging server through Tor, your location is hidden, but your identity is still exposed to the server and to your contacts through your unique username.
Issue: Human-Readable or Permanent Usernames
Solution: Disposable, Random Usernames
OK, now imagine that you are able to connect securely and Tor hides your location. What if you also want to remain anonymous in a conversation? This can be useful in a number of situations. For example, people who talk to journalists and human rights defenders often have valid reasons for protecting their identity. But if your account is firstname.lastname@example.org, the other party and the service provider will likely be able to guess your name and age. Even if your username contains no personal information, if you use the same username elsewhere on the Internet, a simple search could reveal your identity. To prevent this kind of exposure, the U.S.-based Guardian Project, the developers of ChatSecure, added a feature for Android devices called “Secret Identity.” After you activate this feature, ChatSecure connects over Tor to a free instant messaging server maintained by the U.S.-based Calyx Institute, registers a string of random characters as your username, saves the credentials inside ChatSecure, and logs you into the service. You will need to install Orbot, an Android implementation of Tor, for this feature to work. As of January 2015, the latest version of ChatSecure for iOS also supports Tor and Calyx Institute accounts but does not generate them for you automatically like the Android version does, so you will need to set up your account manually on the Calyx Institute’s website and enter the credentials in ChatSecure on iOS by hand. Once you have a generated username, you can keep using it, or set up a new one every time you use ChatSecure. Keep in mind that a random username only stays anonymous as long as you do not tie it to your real identity yourself, for instance by reusing it elsewhere or by telling your contacts who you are.
Now, let’s go back to the original statement: “ChatSecure has made it really easy for users to set up and use disposable instant messaging accounts with OTR encryption which can talk over Tor.” ChatSecure uses SSL/TLS to protect you from ISP snooping. It supports OTR, so the chat service provider cannot read your conversations, and you can verify the identity of your correspondents. It connects through Tor, so the service provider does not know your location. And it generates random usernames, protecting your anonymity.
Additional information is available on ChatSecure’s website (https://chatsecure.org).
Also try Calyx Institute’s instant messaging server with other chat software such as Pidgin, Jitsi, and Adium (https://www.calyxinstitute.org/projects/public_jabber_xmpp_server).