OTR-encrypted Instant Messaging With Miranda IM

I still haven't managed to finally make the switch from Windows to Linux. Currently I am pleased with Ubuntu, but I am still waiting for my 6.06 "Dapper Drake" discs to arrive (ordered the first day shipping requests for Dapper were accepted at Launchpad). I want to make sure a fresh out-of-the-box install works (upgrading from 5.10 on my laptop worked just fine!), so I can rely on that, just in case.

Anyway, fortunately there is a lean, yet widely extensible instant messaging client available on the Windows platform, Miranda IM. For a few years, as far as I can remember, this has been my primary, undisputed choice (and yes, I know piles of alternative single- and multi-protocol clients, thank you very much). Having started with ICQ, I now solely use the open Jabber/XMPP network.

Although Jabber is security-wise superior to most (all?) proprietary IM protocols (authentication, c2s and [sadly only] sometimes s2s connection encryption), there are still some issues (which aren't necessarily Jabber's shortfall). So far, end-to-end encryption is the way to go to be sufficiently private.

There is a GnuPG plugin available for Miranda, but I found it to be unstable; it is abandoned and doesn't work with current Miranda versions at all.

Now, finally, here is the good news: There is an OTR ([1], [2]) encryption plugin that is not only available for Miranda, but also works! \o/

OTR uses known, open and proven standards including AES for encryption, SHA-1 for hashing and Diffie-Hellman for key exchange.

Compared to GnuPG/PGP, OTR offers some advantages: Since a new key is exchanged for each message and the message itself isn't signed, it cannot be proved after the end of the conversation who the original author is or which messages belong to the thread. And because there is no (single) private key that might get compromised, past messages cannot be decrypted. Also, no passphrase has to be entered (usually when connecting the IM client to the server), and clients on multiple machines can be used without further preparations like copying the private key (apart from a one-time installation of the plugin).

Of course, I verified that the encryption actually works. To do so, I temporarily disabled TLS for my c2s connection and sniffed some traffic from/to remote port 5222 (default for unencrypted connections) using an old version (2.2) of Analyzer, which happens not to crash my machine, unlike Wireshark (formerly Ethereal), which does every now and then. As expected, the conversations with contacts also using the OTR plugin were indeed encrypted, while the chats with the other people were not.
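The same check can be scripted. The following is an added example, not part of the original post: it classifies the `<body>` text of XMPP message stanzas taken from a plaintext c2s capture by the OTR wire prefixes (`?OTR:` plus base64 for encoded messages, `?OTR?`/`?OTRv` for queries). The stanzas, JIDs and payload bytes are constructed sample data.

```python
import base64
import struct
import xml.etree.ElementTree as ET

NS = "{jabber:client}"
# OTR message type byte that follows the 2-byte protocol version
OTR_TYPES = {0x02: "dh-commit", 0x0A: "dh-key", 0x11: "reveal-signature",
             0x12: "signature", 0x03: "data"}

def classify_body(body):
    """Label one <body> string: OTR-encoded, OTR control text, or plaintext."""
    if body.startswith("?OTR:") and body.endswith("."):
        try:
            raw = base64.b64decode(body[5:-1], validate=True)
            version, mtype = struct.unpack(">HB", raw[:3])
        except (ValueError, struct.error):  # bad base64 or truncated header
            return "otr-malformed"
        return "otr-v%d-%s" % (version, OTR_TYPES.get(mtype, "unknown"))
    if body.startswith("?OTR,"):
        return "otr-fragment"
    if body.startswith("?OTR Error:"):
        return "otr-error"
    if body.startswith("?OTR?") or body.startswith("?OTRv"):
        return "otr-query"
    return "plaintext"

def audit(stanzas):
    """Return (recipient, label) for every message stanza that has a body."""
    results = []
    for xml_text in stanzas:
        msg = ET.fromstring(xml_text)
        body = msg.find(NS + "body")
        if msg.tag == NS + "message" and body is not None and body.text:
            results.append((msg.get("to"), classify_body(body.text)))
    return results

def stanza(to, body):
    return ('<message xmlns="jabber:client" to="%s" type="chat">'
            '<body>%s</body></message>' % (to, body))

# Constructed sample: version 2, type 0x03 (data), 16 filler bytes as payload
OTR_DATA = "?OTR:" + base64.b64encode(b"\x00\x02\x03" + bytes(16)).decode() + "."
SAMPLE = [
    stanza("otr-contact@example.org", "?OTR?v2?"),
    stanza("otr-contact@example.org", OTR_DATA),
    stanza("other-contact@example.org", "see you at eight"),
]

if __name__ == "__main__":
    for to, label in audit(SAMPLE):
        print(to, label)
```

A matching prefix only shows that the body is OTR-encoded on the wire; it says nothing about whether the peer's fingerprint was verified.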

I successfully use the plugin with Miranda 0.4.0.1 (oh, I might consider upgrading, the current stable is 0.4.0.3 and 0.5 is just on the way, too) and the Unicode distribution of the tabSRMM plugin.

Oh, and by the way, OTR should work with whatever IM protocol your OTR-capable client supports, not just Jabber. But don't tell anyone ;)