How to securely instant message online using OTR – Windows

DDoS mitigation and Performance Tuning Improvements
December 23, 2016
Internet of Things : Are you ready for IoT?
January 4, 2017
Show all

How to securely instant message online using OTR – Windows

Communicating via instant messengers has been an increasingly important means of communication but how many of them are truly secure and protect your privacy especially when faced with widespread internet surveillance? In this guide we teach you how to use OTR messaging.

VPNs such as BolehVPN do provide a measure of security by securing your communications from interception by ISPs and governments but it doesn’t protect against IM messengers whose servers keep logs of usage nor does it protect the data from being intercepted on the recipient end.

The reason why regular IM messengers such as Google Hangouts, Facebook and Slack are not great for privacy are that while they are protected from interception by third parties, this does not prevent Google, Facebook or Slack themselves from having access to your messages which can be handed over to authorities or used by themselves for marketing purposes. We have also seen how hacks into these companies can leak out a lot of sensitive information such as experienced by Yahoo.

To be a truly secure and private instant messenger, it needs to be meet the following criteria as recommended by the EFF (Electronic Frontier Foundation):

  • Are the messages encrypted in transit?
  • Are the messages encrypted so that the IM provider can’t read it?
  • Can you verify contacts identities to prevent impersonation or man in the middle attacks?
  • Are past communications secure if your existing secret keys are stolen?
  • Is the software for the instant messenger open source and open for review?
  • Are the encryption methods and security protocols properly documented for review?
  • Has there been a recent independent security audit of the instant messenger?

This is why for secure instant messaging communication on your Windows desktop computer, we recommend Pidgin with OTR (off-the-record) messaging which meets all of these requirements. OTR is a way communications are secured end to end on existing messaging platforms so that the only people who can read your conversation is you and your intended recipient. For Mac users, we recommend Adium which will be dealt with in a separate guide.

But why use OTR when there are other instant messaging clients like Whatsapp that also have have end to end encryption? The problem with many of these instant messaging clients is that they require a mobile phone number to tie your account so although they may not know what you’re talking, they do know when you’re talking and who you’re talking to.

This why OTR messaging was used by Laura Poitras who produced the excellent documentary CitizenFour to communicate with Edward Snowden and her collaborators given the sensitive nature of the film.

Step 1: Downloading and installing Pidgin

Pidgin is the Instant Messaging client that supports a wide range of protocols. Download Pidgin from their official website here but instead of clicking on the green Download Now button, click on the offline installer link.


Run the installer and proceed through the default options as below:






Step 2: Install OTR plugin for Pidgin

Pidgin by default doesn’t support OTR (off the record) messaging so it is necessary to install an additional plugin to enable it. You can download it here and click on the Primary download link.


Run the installer and just select the default options as in the pictures below.

Step 3: Configure Pidgin and create a Calyx Institute account

Before continuing, if you wish to be more privacy conscious you may connect to BolehVPN now to hide your IP from the chat server especially for registration so that even if the chat server provider logs, they will not have your real IP address.


Start Pidgin and you will be prompted with thie screen below. Click Add.

You will then be prompted with this window to select a service and enter in some details. Although there are many XMPP servers, we recommend using Calyx Institute’s XMPP server which does not log who you communicate with or your usage. Calyx Institute is a not for profit privacy and cybersecurity foundation and also its server forces the use of OTR making sure you are always communicating through an encrypted channel.

If you prefer using other servers, you may consider these XMPP servers that are also privacy conscious: Dukgo and Swissjabber.

Fill the details as below replacing the Username with your own desired username and your Local alias is your nickname how you wish to appear to youreslf. Make sure “Create this new account on the server” is ticked.

If you have done it correctly, it will prompt you a new window asking you to choose your username and password that you wish to register:

If your username is available, you will be shown a window that informs you which means you are now succesfully registered

Step 4: Creating your OTR keys and getting your Fingerprint

Now it is time to enable your OTR plugin and create your private keys that will be used to secure your communications and also to identify you uniquely.

In Pidgin, click on  Tools > Plugins.


Scroll down to Off-the-Record messaging and tick it to Enable the plugin. Then click on Configure Plugin.


Click on Generate to generate your OTR keys.



Once this is done you will see your Key has a fingerprint. in this example the fingerprint is: 87EDCFA7 2DD3E742 09926C94 082559AC 75606924 which can be shared to people so that they can identify that they’re talking with the right person and not someone impersonating you. Note that Pidgin saves your keys here UsersusernameAppDataRoaming.purpleotr.private_key which you can export to other devices as well.


You are now ready to begin an encrypted OTR conversation with someone!

Step 5: Starting an OTR conversation

You will first need to add the person you want to talk with to your Buddy list so that you can talk to him. Make sure he is registered on the same server as you (in this example it’s the Calyx Institute server).

In Pidgin, click on Buddies and Add Buddy.

Enter in your friend’s full username.


Once you click add, he will receive an authorization for you to add him. Once he approves it, he adds your account and you will get a request as well to be added. Click the “Authorize” button to allow him to add you.

Once that is done click on the Not Private button and click Start Private Conversation.

The following window will appear.


You now have an encrypted conversation with your friend and can start conversing with him but now you need to make sure it’s him and not someone impersonating to be him! You do this by authenticating him either by his fingerprint or through a question and answer method. The easiest way is to do it via the question and answer method by asking him a question that only he would know the answer to. Once this is done, his fingerprint will be saved on your computer so future authentication is no longer necessary.

Click on the Unverified button and click Authenticate Buddy.


Select Question and Answer. Enter in a question that only your friend would know the answer to and remember to tell him that the answer is case sensitive so you may wish to tell him to answer him in all small caps or otherwise.


If the answer is done correctly, you will get a message that Authentication is successful and your icon will change to show that your conversation is now Private.


Remember, instead of a question and answer method, you can also share each other’s fingerprint manually to each other via other channels you can also choose to do manual fingerprint verification. This is a bit more complex to do and not necessarily safer unless you give the fingerprints through a secure channel or in person.


Once you have completed your conversation, remember to end your private conversation by clicking on the Private button and clicking on End Private Conversation.


The importance of Secure Instant Messaging

Although there are a few more steps required in getting a secure instant messaging up if you don’t want to trust Google, Facebook, Whatsapp or any other third parties with your communications, OTR messaging, especially when paired up with privacy tools like a VPN or TOR can provide excellent privacy and security that will ensure only you and your receipient can view your conversations without any registration process that requires you to tie it with your real life identity.

If this interests you, do subscribe to our BolehVPN mailing list by filling up the form below which we will provide updates on best practices in internet security, tutorials and tips and tricks in staying safe on the internet or securing your privacy.



Leave a Reply

Your email address will not be published. Required fields are marked *