Jabber

9 May 2023 8 minutes

Jabber messenger

In this article, you’ll learn about anonymity, including what Jabber is. Jabber is an alias for XMPP – Instant Messaging Protocol. Many clients have been built on its basis, among which Psi and Pidgin are very popular. Each of the latter has its own advantages and disadvantages, but in essence both are absolutely identical. As a rule, PGP plugins are installed and do not require additional actions for configuration. Like PGP, the OTR (off-the-record) protocol allows the exchange of encrypted messages, but has additional characteristics.

Jabber is an alias for XMPP – Instant Messaging Protocol. Many clients have been built on its basis, among which Psi and Pidgin are very popular. Each of the latter has its own advantages and disadvantages, but in essence both are absolutely identical.
Over the years of its existence, XMPP has undergone qualitative changes, and clients have grown with many plugins, due to which it can compete with more modern messaging programs. From the point of view of security, OTR and PGP extensions remain the leaders among them. What does OTR offer? OTR offers – PFS (perfect forward secrecy), even if the root key is compromised, the session keys (as well as the data encrypted by them) will not be compromised and it is impossible to establish the author of the message after the end of the session. In the article, we will consider client installation and PGP and OTR settings. Depending on the specific client, the procedure may differ. For example, in the list of Psi plugins, OTR is already installed and all you need to do is activate it and configure it. The choice of the client is entirely up to the user and, with correct configuration, does not affect the security of data exchange in any way. Pidgin was chosen for the demonstration. First, VPN or PROXY even for server registration. There are many servers on which registration is possible, and each of them has its own policy regarding both IP fixation and storage of user messages. Therefore, both during registration and as an included client, you need to take care of your own anonymity.

Client installation and PGP and OTR configuration

Depending on the specific client, the procedure may differ. For example, the Psi plugin list already has OTR installed and all you have to do is activate it and configure it, while Pidgin assumes that all the required plugins will be delivered to the system manually. The choice of the client is entirely up to the user and when set up correctly does not affect the security of data exchange. Pidgin was chosen for the demonstration.

Preparation

First, VPN or PROXY even for registration on the server. There are many servers on which registration is possible, and each of them has its own policy on both IP capture and storage of user messages. Therefore, both when registering and for the included client, you need to take care of your own anonymity.

Second, the choice of server. The most popular is https://xmpp.jp, but there are many such servers and some of them do not log in, which is a definite plus. For example, you can use the following:

The secure

click here

Some clients like Psi will offer to register at the first start and will provide a list of servers. Let’s use one of them, but before that it is recommended to study the information about it or at least choose servers not from the US or Europe.

PGP


There is a lot written about Pretty Good Privacy in the section above. In the context of Jabber, it should be noted that most clients support their own key generation, however, it is still recommended to keep all keys with you and generate them locally if possible.
Typically, PGP plugins are installed and do not require additional steps to configure.

OTR

Like PGP, the off-the-record (OTR) protocol allows the exchange of encrypted messages, but has additional features. So, in addition to the ability to encrypt messages and authenticate the interlocutor, OTR offers:

  • PFS (perfect forward secrecy) even if the root key is compromised, the session keys (as well as the data encrypted by them) will not be compromised.
  • inability to identify the author of the message after the session.

This means that even if a third party receives the content of the messages (some servers store users’ correspondence), it will no longer be possible to prove their authorship.
Since this protocol is not as widespread as PGP, the details of its device in this course will not be given. A brief overview of the protocol mechanism can be found in the article: https://invisibleuser.com/guide/how-otr-messaging-works

Client installation

  1. To install the xmpp client use the command:

sudo apt install pidgin

After that, when you start the program, the user will be prompted to add an account.

Screenshot 1. Accounts window.

Screenshot 2. Example of filling out the form.

2. Also, for greater security, you can run Jabber through a proxy – all the necessary settings can be found in more detail about the proxy below.

When all the settings are set, you can click Add and the account will be activated automatically.

!!! If the account was not previously registered through the site, you must check Create this new account on the server!!!
(if desired, you can fill in the Resource field: it is needed so that the interlocutor knows from which resource they are currently communicating with him)

Proxy

Existing and working Tor can be used as additional protection. It is important that TOR should work throughout the use of the messenger. To do this, run and connect TOR. Return to the messenger, in the Tools tab select Preferences -> Proxy. Here 9150 is the port on which Thor is spinning by default.

After that, you need to restart the messenger.

OTP Plugin

1. Now that your account is up and running, you can take care of messaging security. First you need to install and activate the OTP module.
To install the desired plugin, just use the command:

sudo apt install pidgin-otr

After the plugin is successfully installed, you need to go to Tools -> Plugins in the main messenger window and select the desired plugin from the presented plugins, click on Configure Plugin

Screenshot 1. On the configuration tab, you need to click Generate to get a pair of keys, as well as tick all the above items.

2. On the configuration tab, you need to click Generate to get your key pair, as well as check all the above items.
The OTP module is then activated. Trusted user Depending on whether the interlocutor’s OTP is configured or not, the messenger behavior scenario may change. However, if the latter has OTR activated, you will see the following picture when you receive the message. Because the other party is currently only claiming to be a specific user, their status is defined as Unverified. To verify the identity of the author, click on OTR or Unverified and select authenticate from the menu.
At this stage, the user will be offered three options for identity authenticity:

  • question-answer: the user asks a question that can only be answered by a specific person
  • secret word: usually agreed in advance through other secure communication channels
  • fingerprint reconciliation: possible if a particular person has previously provided their fingerprint key.

3. We use the first option, where you will be asked to fill in the following fields:


Screenshot 3. Window with authentication fields

4. As soon as the question and answer are entered, you need to click Authenticate and the interlocutor on the other side of the screen will ask:

5. If the answer is entered correctly, the user will see the corresponding message.

Screenshot 5. Corresponding message.

6. And the status of the interlocutor will change from Unverified to Private.

Screenshot 6. Example.

7. A similar procedure should be performed for the user and his interlocutor – a reminder will be displayed after the first authentication.

Screenshot 7. Reminder.

8. Otherwise it will be considered unverified.

9. To save the contact of the interlocutor, you need to click on COnversation -> Add, add data if necessary, and then save the account.

Screenshot 9. Saving the account.

10. The caller will then appear in the contact sheet. If it is not visible, most likely the interlocutor went offline. To view all contacts, whether active or not, in the Buddy List window, go to Buddies -> Show and check the Offline Buddies checkbox.

Screenshot 10. Example of an interlocutor in contacts.
Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.