The Signal Protocol used by Signal and WhatsApp is superior for a variety of reasons for the task of messaging. It's based off of Off-the-Record (OTR) where one of the benefits is deniability.
One of the big challenges with PGP/GPG is that an adversary can intercept and store encrypted messages until they are able to break, obtain, force disclosure of the encryption keys and then decrypt the entire archive of stored messages.
Using OTR it's extremely difficult to use conversations as proof of anything and it's very difficult to store messages and wait and then use the messages against you.
See "Off-the-Record Communication, or, Why Not To Use PGP"
https://otr.cypherpunks.ca/otr-wpes.pdf
See also talks by Moxie Marlinspike:
If this bothers you, learn to use OTR with Pidgin and Adium and use GPG in your email clients. You can't trust telecoms, but you can trust your own encryption standards. This is the sad reality of our times.
I love that the government may have all my chat/email history -- but the truly important stuff is just garbled for them.
I suggest reading his essay before you jump to any conclusions. He wasn't even the first person to think that GPG/PGP is cumbersome. Did you know that ten years earlier, the initial introductory paper for the OTR protocol was subtitled "or, Why Not To Use PGP"?
XMPP+otr is probably the best alternative in that scenario. For Windows, you have Pidgin plus the otr plugin for example, and for Android you have Xabber or ChatSecure which both have otr support.
Thanks for the amazing post! I wholeheartedly agree.
If anyone is looking to get a new OS, I've been quite happy with Crunchbang; it's light and very easy to use, and doesn't have the security concerns that Ubuntu does.
Also, shoutout to the OTR plugin for Pidgin. The person with whom you are chatting also needs to have the plugin installed, but it's a very solid way to keep your chats secure.
The main downside I can think of for using a FLOSS OS is that Adobe no longer supports Flash for Linux beyond the 11.2 version. So if you watch a lot of online videos or play flash games, it may not work reliably for you, especially if you use Firefox. Don't let that dissuade you, though! The Chromium browser helps a lot.
To add to what /u/ThatRoboticsGuy said, https://www.torproject.org/ might be the best bet for your communication with your friend. Tell him over an open channel to install it, then connect through that. Or, alternatively, a chat client that supports OTR. https://otr.cypherpunks.ca/
Be aware though that the simple use of encryption may be seen as a threat by state agencies. So really, a bit of a catch 22. :(
> Just 0.06 per cent of emails are encrypted
That's a lot more than I would have thought. I have never seen an encrypted mail in normal communication ever and I have been on the Internet since PGP was the hot new thing.
Reason of course is trivial: PGP integration has always been complete ass and it's ineffective on top, as all the metadata remains in clear text. Also signing mails by default creates more risk for yourself, not less, so that was stupid as well. Later protocols like OTP address this.
I did use GPG integration into Jabber/XMPP/Gaim quite a bit, as that was nicely done and completely transparent once you setup the keys.
As someone who uses OTR and GPG for anything the least bit serious and Tails for truly confidential discussions I'm not exactly someone who doesn't care about privacy. However there's a difference between spying and collecting the type of information steam does. I've gone through literally everything they have on me and didn't find anything worrying.
Dearest Nikki,
I wish to communicate with you. I neither confirm nor deny that my intentions are amorous in nature. Given that I wish to maintain plausible deniability, I have decided to use the Off-The-Record messaging protocol. As far as endpoint security is concerned, I am using a combination of red-black systems with Fox-IT data diodes (EAL7+) to guarantee security.
If you will kindly do the same on your side, I think we can have a chat sometime.
Provably Yours
UneducatedLoser
Pidgin with otr works with most of those interfaces. It's much easier to sell people on "hey, you can install this client that will work with facebook/googletalk/etc and there's this plugin that makes it work like snapchat."
People have been working on crypto communication networks for years. See whisper systems, bitmessage, et al.
Simply changing the keys every connect does not eliminate man in the middle attacks, without delving down to possible implementation issues, one threat strikes me straight away - what if you were intercepted on first contact? what if the attacker has the ability to selectively drop packets?
"Decentralize" is not a magic key word that just makes threats go away. If anything it creates a billion more of them. I would rather trust a couple servers and end to end encrypt my content. Decentralization would be awesome...but it is damn difficult to get it right.
A one-time pad is not secure....it has the property of perfect secrecy. THESE ARE NOT THE SAME THING.
Perfect Secrecy is the concept that a cryptanalyst can gain no information from the cipher text e.g. frequency analysis. It does not mean that the communication between the two parties is secure.
A naive one time pad is vulnerable to all forms of attack e.g. ciphertext malleability - if an attacker knows the structure of the underlying message they can reorder messages and swap bytes with little consequence.
While we are on the subject of flaws...subsequent key exchanges and forward secrecy are subject to all kind of threats. See https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html and https://whispersystems.org/blog/advanced-ratcheting/
Basically what I am trying to say is....yes...we all want secure end-to-end messaging....lots of people are working on it. Email works because it can interoperate at a number of levels - any widespread replacement needs to have a similar level of flexibility - achieving all that and being transparent to the user is hard.
You can use [Finch](https://en.wikipedia.org/wiki/Finch_(software\)) and the skype web plugin for that.
Finch uses libpurple and is compatible with pidgin and pidgin plugins.
The skype web plugin uses skype's web API so you don't even need to have the skypeforlinux binary installed to use this.
Also, using finch or pidgin, it's possible to set up end to end encryption with the OTR plugin.
It's not a browser plugin but OTR (https://otr.cypherpunks.ca/) provides this in the context of IM. The software all exists but at some point in time you have to type in the unsecured message via your keyboard / touch screen and herein lies the weakest link.
If I compromise your computer / device and install a keylogger, or better yet, deliver the keylogger to you in the form of an important security update (haha) then it doesn't matter what software you use. Every message, user name, password - the whole lot - is recorded and becomes easily accessible.
Since secret chats are not used by default, all metadata and most chat contents are available to anyone with access to their servers.
Regarding secret chats, just last week someone demonstrated a cryptographic attack and a MitM attack on Telegram.
OTR is believed safe against state-level adversaries[1].
[1] http://media.ccc.de/browse/congress/2014/31c3_-_6258_-_en_-_saal_1_-_201412282030_-_reconstructing_narratives_-_jacob_-_laura_poitras.html#video (around the 33 minute mark)
The general answer here and on /r/privacy will be that if you can't see the source code then you can't trust it. It's good advice, but can't get frustrating at times.
For your chat program, check out the list of IMs that support off-the-record messaging. I personally use ChatSecure/Signal for secure messaging on my phone.
Dafür gibt es z.B. off-the-record messaging, bei dem die Nachrichten keine digitale Signatur haben und nach dem Absenden beliebig verfälscht werden können, wodurch man die Nachricht nicht "nachweisen" kann.
Deniability - The messages you send do not have digital signatures that are verifiable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he or she sees are authentic and unmodified.
Ist zudem natürlich verschlüsselt während der Unterhaltung.
Back in the AOL Instant Messenger days, I used a plugin to Pidgin that implemented "Off the Record" encryption. The (open source) protocol supports a secure key exchange over a network you don't trust. It seems like that might solve the issue?
Horrible Warrant Canary: https://www.cyph.com/privacypolicy.
ToS is not set up yet (yes, we do read this): https://www.cyph.com/termsofservice
Privacy Policy says, "We absolutely, 100%, NEVER and NEVER WILL ever send or store plaintext versions of your encrypted data" which implies they can/have plaintext versions of your encrypted data.
Use OTR (https://otr.cypherpunks.ca/) - Cypherpunks. Open Source. End to End crypto, etc.
Good intentioned article but some naive assumptions. Just a few things for everyone's edification (these things need to be repeated as often as necessary until it's ingrained)
The described method only secures the body of the message. The rest of the email envelope contains a lot of privacy violating metadata which is used by entities like the NSA.
The article promotes the use of a browser plugin but does not link to the source code for it. That should be included in the article so that people can review the code. Here: https://github.com/diegocr/eComm
Email is a poor channel to use for sensitive communication, no matter how the payload is encrypted. If you need to securely communicate to someone over the internet, it's better to use something vetted, entirely private (OTR: https://otr.cypherpunks.ca/) over an anonymized route (TOR: https://www.torproject.org/)
My goto for privacy-related software is PRISM break. They have a section on instant messaging here that could help you out.
I've had success with Pidgin (XMPP client) and the OTR plugin. OTR is the encryption protocol that goes with the XMPP protocol. And apparently TextSecure uses an "improved" version of OTR. Right now TextSecure is only available for Android though fyi but hopefully an iOS build eventually releases.
Off-the-Record (OTR) Messaging allows you to have private conversations over instant messaging by providing:
No one else can read your instant messages.
You are assured the correspondent is who you think it is.
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
If you lose control of your private keys, no previous conversation is compromised.
PGP does not provide forward secrecy. See this discussion or Off-the-Record Communication, or, Why Not To Use PGP (.pdf, Borisov et al., WPES 2004). Forward secrecy extensions were proposed for OpenPGP in August 2000, but I'm not sure what happened to that proposal, other than expire in February 2001.
I am not sure this is the best but you can use Pidgin http://www.pidgin.im/
With the OTR plugin https://otr.cypherpunks.ca/
For pretty good security, OTR has been reviewed several times and continues to be developed on. No system is secure and should be treated as such however these two pieces of software should provide a good starting point.
The Off the Record (OTR) encryption protocol can be added to any IM service, so long as there's a client that supports it. It's a strong protocol, with good encryption, forward secrecy, and deniable authentication.
It's no good for offline messaging though. For that you typically need something like PGP, which is strongly encrypted and authenticated, but doesn't have forward secrecy or deniable authentication.
Moxie Marlinspike was able to improve the OTR protocol for his TextSecure program for Android phones to have the same features and asynchronous/offline messaging (and a bunch of other improvements), and I think it would be great if it were supported by IM programs too, but not yet unfortunately.
There are cryptography libraries built on top of Swift but I'm not aware of one that specifically caters to chat platforms. If I'm wrong, then please let me know so that I can learn. The libraries I'm aware of merely provide cryptography features but there is more to securing chat than just encrypting a string. To properly secure chat you need to a way to securely share keys, provide proof that who you are talking to is who they claim to be, a way to provide forward secrecy, etc.
I am personally a fan of the C library libotr which is designed with all those in mind.
When it comes to cryptography, there are many, many ways to get it wrong in subtle but dangerous ways.
If you are going to implement encryption for a chat platform, then please read up as much as possible on the subject if you haven't already.
It seems that your comment contains 1 or more links that are hard to tap for mobile users. I will extend those so they're easier for our sausage fingers to click!
Here is link number 1 - Previous text "OTR"
^Please ^PM ^/u/eganwall ^with ^issues ^or ^feedback! ^| ^Delete
> Deniability
>The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
Very recommended around the world, to have more privacy, you can use VPNs or/and Tor, since register at a server and while chatting... Host your own XMPP server is a option too.
Ah, eu também não acho confiável. Não confio em nenhum software proprietário, seja da Apple, do Google (a base do Android é software livre mas ele vem com muitos penduricalhos), etc. Mas o fato é que foram nos tribunais lutar contra isso e ganharam, abrindo um precedente (pelo que eu entendo, case law lá nos EUA são mais importantes que aqui no Brasil). O FBI teve que descriptografar sem a ajuda da Apple, e não encontrou nenhuma informação relevante, e aí desistiram de apelar.
Uma opção para ter uma criptografia por cima do que já existiria no protocolo é usar algo como OTR. Mas é inconveniente, ambas as partes precisam instalar.
edit: FBI–Apple encryption dispute.
>you are going to make expert declarations as fact then you do need to prove your qualifications.
I major in computer science and develop the only high-assurance FOSS IM tool available.
>Your ego isn't relevant here
Precisely my point. Even if I had PhD I wouldn't dream of saying something such as "I have a degree on this so I'm by definition correct".
>your actual knowledge is
And hence my dissection on why ephemeral communication via PGP isn't a possibility. I suggest you start reading from something like OTR by Goldberg, Borisov and Brewer.
>but it's the best we have for email that I know of.
Then we should stop using emails as a medium to transfer communication that requires end-to-end encryption, forward secrecy and/or deniability.
>You said you shouldn't be using it at all.
The context from the very start was all secure communication. But as PGP also works for digital signatures, I added clarification. I hope this isn't too confusing.
>"which it isn't used for anyway."
So you're saying every user of PGP knows about it not having deniable authentication and forward secrecy?
I'm not saying trust me. I'm saying learn some technical knowledge to understand the subject by reading the documents I linked to. Or have another tool that you can demo with: Pidgin "off the record" messaging.
True end to end encryption needs both parties to use the same key.
I'll try to simplify it for you. This is iMessage currently:
>You give Tim a note to give Sergey securely.
>Tim uses something between you and Tim to keep the note safe. Sergey doesn't know this passphrase.
>Tim knows the contents of the note. The note is safe while Tim goes to Sergey.
>Tim gives Sergey the note after they exchange their separate secret passphrase that you don't know.
>You, Tim and Sergey all know the secret note.
This is true end to end encryption:
>You and Sergey both agree'd on a secret passphrase for any communications between you two.
>You give Tim a note that can only be opened with the secret passphrase.
>Tim heads to Sergey with the note. No one else can read the note because of you and Sergeys passphrase keeping it safe.
>Tim gives Sergey the note. Tim couldn't see anything inside of the note, because he didn't have the passphrase either.
>You and Sergey know the secret.
Edit: clarity in example.
Any and all US companies should be considered compromised. Lavabit showed us there are gag orders and the consequences of not following them.
>is encrypted end to end
This is a broad, and false, statement. It's true that it's end to end encryption from device to device, but they can still decrypt it. End to end encryption isn't truly end to end if you never share the key outside of the specific network you communicate on. How do you think your iOS devices can read the messages when you switch devices? Because Apple told it the key to decrypt the messages. You should read about true end to encryption, like this Off the Record plugin.
I should have read the whole thread before writing my last reply.
You say "I want to send text messages from Desktop to Raspberry over internet and I want the messages to be encrypted." If that is all you need, just get OTR: https://otr.cypherpunks.ca/
1) I believe most cryptanalysts take the view that double encryption is pointless. Either your encryption works or it doesn't. Case in point, if both systems use the same password you've not achieved much, and if they use different passwords how will you remember them both - if you have to write down the passwords to do this you probably do more harm than good.
2) PGP lacks forward secrecy so if you're concerned about future proofing your communications you really should be looking at OTR messaging if possible.
2) Even if you're looking for long-term-archive I still wouldn't worry too much about quantum computers. Even if these were readily available and cheap (ha!) it doesn't (generally) nullify encryption, just makes it easier to crack, but it's still hard.
3) There are no simple answers to key storage. The best advice here is keep it simple. I suggest keypassX, (or encrypted 7zip if you prefer), keep it on a usb stick with a backup usb stick at a friends house, salt the password with your 1st phone numer (or similar) and try your best to internalise the password.
4) The idea is that you have a day-to-day key that you use for communication etc. Should you fear that this is compromised you throw it away and generate a new one from your master key. This only helps with communication, with archive you'd still have to reencrypt everything with the new key and delete the old copies. If you're in a siltation where you often need to prove your identity to relatively unknown counter-parties (Think Edward Snowden, Satoshi Nakomoto, leet haxorz) it makes a lot of sense. If you're just looking to encrypt chat with friends then OTR messaging is much easier to manage.
Yes, you'd also need to authenticate each of your contacts at least the first time via some shared secret. There's a library called OTR that makes this relatively easy to set up, but unfortunately still too complicated for the average user to be bothered with.
The only Android apps I've found that support it out of the box are IM+ and ChatSecure.
O WhatsApp havia prometido e até agora não aparece nada... parece que nem foi feito.
Uma boa opção sempre foi o OTR (Off The Record). É um plugin do pidgin e funciona independente do protocolo de chat. Pena que não tem uma versão mobile disso. Mas no desktop, funciona muito bem.
I don't see how this accomplishes anything that standard OTR over XMPP (or other protocol) doesn't. The self destruct is a complete gimmick. If you have root access on your device you'll be able to screenshot without notification, and probably disable the self destruct
The lack of proof of sender is also present in OTR, but in a more thought out way in terms of cryptography (it's deliberately possible to forge the sender's signature post communication), instead of this services definition which seems to be "no sender info is shown on screen so screenshots are anonymous"
Plus this seems to be a closed source client (if it was open you could just comment out the self destruct code), which apparently is end to end encrypted, but goes through their servers, and you have to use their client. What's the point?
Yes, PGP or GPG encryption is good practice. Learning curve and adoption are a problem, the user should be in control of their opsec, not a 3rd party.
I don't think it's outside the realm of possibility that PGP/GPG will likely be cracked or has been already (dependent on key strength and algorithm).
security is a matter of layers.
OTR offers value as described here: https://otr.cypherpunks.ca/
If you have an interest in privacy and security, consider using TAILS and other projects offered by Tor, https://www.torproject.org/
An Instant Messaging Bundle is rumored to help with adoption http://thehackernews.com/2014/02/tor-instant-messaging-bundle-new.html
Be aware that in any scenario it is still a game of cat and mouse.
Your hardware is an attack surface that can be bugged. Example: your keyboard emits or monitor emits signals, sounds, frequencies, your screen can display can be reconstructed from a distance (TEMPEST).
You can build a device from raw materials but risk leaking identifying a fingerprint of this device.
The rabbit hole goes deep. Keep it simple and layered if you want to maintain a level of sanity.
Just try and avoid plaintext if you can (lol).
I'm always puzzled to see conversations such as this one, that don't start out by comparing the product to 'off the record' https://otr.cypherpunks.ca/
It's free. It's open source. it's multiplatform. pidgin+otr plugin for pc, chatsecure on Android an IOS.
"Textbook RSA" is a real technical term. It's mathematics as explained by a textbook, but without the additional properties to actually make it secure. Typically you don't encrypt the actual message with an asymmetric algorithm, but instead a symmetric key that's used to encrypt the actual message. Even more common is to not use asymmetric encryption at all, only for signatures.
The original OTR paper, <em>Off-the-Record Communication, or, Why Not To Use PGP</em> is a very approachable explanation for how to do end-to-end encryption properly. Messages are encrypted with AES. Keys are generated with Diffie-Hellman. RSA is only used at the very beginning to validate identity.
New applications shouldn't be using RSA anymore, but rather elliptic curves. They're smaller, faster, and more secure. You can't go wrong with Ed25519.
Thanks for the info, I'm gonna look into it. When I've started using Pidgin I remeber the privacy options were basically either a PGP plugin or the OTR one. OMEMO wasn't a thing yet.
afaik it was only possible once, when the messaging protocol was still based on xmpp, so you could use custom clients + an OTR plugin, or a custom client which supported it natively (https://en.wikipedia.org/wiki/Off-the-Record_Messaging), and iirc also via Cryptocat
You could the method that OTR (Off-the-record messaging protocol) uses, that relies on giving away the MAC keys when the message authentication is done.
In the situation of screenshots, you could always claim they are forged (which given that there are a lot of easy to use [messaging app] screenshot forgers online, isn't exactly implausible) because there's no other proof of authenticity (such as them being available for someone else to see).
The applications with self-deleting messages are made to target a "friendly now but hostile later" situation, where the receipt is trusted in the moment, but possibly not later (such as sharing sensitive material to someone that is currently trusted, but using self-destruction to avoid possible blackmailing in the future). The "disable screenshots" way is of course only effective as long as there's not a widely-known way to skip that prevention.
It's basically scrambling the message in a way only the sender and the receiver can see it's content. That allows for privacy. So you could say it's important if you have the need to be private.
A really good practice is to ask yourself if you have the need to stablish good opsec.
It seems that your comment contains 1 or more links that are hard to tap for mobile users. I will extend those so they're easier for our sausage fingers to click!
Here is link number 1 - Previous text "OTR"
^Please ^PM ^/u/eganwall ^with ^issues ^or ^feedback! ^| ^Delete
Did you mean this? https://www.reddit.com/r/SilkRoad/comments/1ajbgq/mac_gpgtools_tutorial_feedback_requested/
Beware of using PGP for communicating about illegal things, though. The way it's designed, it doesn't provide forward secrecy (i.e., if your private key is compromised, all past communications can be decrypted) and it does enforce non-repudiation (i.e., if you sign a message with your private key, any third party can prove that you are the one who signed it). This means that you don't have plausible deniability: you can't claim someone else forged the message. If you're looking for a safe way to communicate, try OTR (Off the Record) messaging: https://otr.cypherpunks.ca/. Like PGP, it provides encryption and authentication, but unlike PGP it also provides deniability and forward secrecy.
in short: "Alice and Bob do an unauthenticated Diffie-Hellman (D-H) key exchange to set up an encrypted channel, and then do mutual authentication inside that channel."
one of the white papers ( from https://otr.cypherpunks.ca/index.php#docs ) on the site can better explain how this otherwise vexing problem was cleverly solved.
Use an encrypted chat session with perfect forward secrecy, like https://otr.cypherpunks.ca/
Remember, in the post-snowden era, the phone lines are all tapped too.
This is ideal for the occasional password, but obviously doesn't scale if you have hundreds or thousands to distribute.
copied from MsBliss' post from thebarbarians
> Hey Y'all so to clear things up here is my contact info, feel free to contact me for messages or Direct Deals. I will get set up on a market or two today or tomorrow :) Here is my Jabber info and also a step by step tutorial of how to get Jabber with OTR (encrypted communication plugin) > > [redacted] > > If you don't know how to use jabber, here: download here https://otr.cypherpunks.ca/[2] > > download pidgin with OTR, then create an account here: https://duck.co/[3] > > then follow this tutorial https://duck.co/help/community-platform/xmpp[4]
Once you get Pidgin working with dukgo.com, you should load the Off The Record (OTR) encryption plugin, if you haven't already:
Download and install OTR:
https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.1.exe
You should configure Pidgin to run through Tor to give you anonymity:
Download, install and run the Tor Browser Bundle (if you don't already have it):
https://www.torproject.org/download/download-easy.html.en
Start Pidgin.
Make sure that the icon is not hidden in the system tray. Right click on the clock and select "Customize notification icons". Make sure that Pidgin is set to "Show icon and notifications". Hit OK.
Right click on the Pidgin icon in the system tray and select Preferences.
Select the Proxy tab.
Check mark "Use remote DNS with SOCKS4 proxies".
Select:
Proxy type: Tor/Privacy (SOCKS5) Host: 127.0.0.1 Port:9150
Hit Close.
Right click on the Pidgin icon in the system tray again and select Plugins.
Check mark the "Off-the-Record-Messaging" plugin.
Select Configure Plugin.
Make sure that all of the boxes are check marked.
You should create a new account on dukgo.com once you have pidgin connected through Tor as any account you used before using Tor has been linked to your home IP address.
You may want to consider using Tails instead, since pidgin is already setup with OTR and Tor by default:
Lol. Are they outlawing HTTPS as well?
What about banking websites?
Surely they don't allow passwords on their computers, shades on their windows, pants, or headphones either, right?
GNU Privacy Guard
Off-The-Record Messaging
Greenwald's GPG instructions from Snowden
>The government still needs Google’s permission to access the servers and read Hangouts data,
>which the company readily admits it has given.
Of course they did.
It may be difficult for some people to get away from this service. Google chat/Hangouts is convenient because it still offers an XMPP service, allowing the use of third-party clients.
But the only safe way to use Google's chat services is to wrap your communications in OTR encryption.
Keep in mind that people who use Google chat/Hangouts on their own domain (i.e. not @gmail.com or @*.google.com) are using Google Apps, so all their communications are being handled by Google.
Always use OTR!
OTR (supported in Pidgin, Adium, and other chat clients) over XMPP (via Google Chat or a public server) is preferable to this JavaScript nonsense
OTR is an encrypted messaging protocol and not a routing protocol. OTR is independent to the connection [1]. Bitmessage is a very good solution, but constant messaging on a mobile device is too taxing [2].
Sources:
[1] https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html
[2] https://bitmessage.org/bitmessage.pdf
What do you mean you don't receive messages while Steam is opened? You really should, and I do. I'd submit a bug report on Google Code.
Side note, if you're using Pidgin, you might also want to install OTR (Should be available in your repos), it allows secure communication with someone over whatever protocol you're using, including Steam.
This is little more than a token gesture. Microsoft's products are compromised in many ways, including software vulnerabilities and through direct NSA access to the infrastructure of programs such as Skype under programs like PRISM.
If Microsoft really cared about privacy, they would do something like implementing OTR per default in, say, Skype to at least protect text messages. But they don't, and here's why: This would be a palpable step towards privacy, and the NSA would never let it fly.
Posting this link helps to enforce a false narrative; that they actually care. In a way you became a PR agent of theirs. Unwittingly of course, but still.
How about integrating libotr that would allow you to add security on top of insecure protocols like irc https://otr.cypherpunks.ca/README-libotr-4.0.0.txt
OTR is suitable for 1 to 1 p2p communications.
OTR is not yet suitable for multi-party https://lists.cypherpunks.ca/pipermail/otr-users/2009-May/001647.html
Tu dis n'importe quoi. OTR n'est pas craqué et a de la perfect forward secrecy.
Ils peuvent analyser tout le traffic sortant qu'ils veulent..
TOR est open source et pour l'instant safe à condition de chiffrer également le traffic jusqu'à ton endpoint. Et en excluant les possibles zéro days du browser si tu en utilises un.
Excactly. My original question was more a question about why OTR doesn't think its worth encrypting the key material pr. default when GnuPG/PGP does. Especially since the original paper that introduced OTR was titled "Off-the-Record Communication, or, <strong>Why Not To Use PGP</strong> [PDF]".