This post was made for Seattle’s Techno-Activism 3rd Mondays (#TA3M) event on December 16, 2013. For details about the event, keep an eye on this wiki page: https://wiki.openitp.org/events:techno-activism_3rd_mondays:seattle
In my presentation I’ll be demonstrating how to use The Guardian Project‘s mobile device application ChatSecure (Android) (iOS), which is a tool for people wanting to keep their text-based conversations private and secure. To demonstrate at #TA3M, I will be using my HTC cell phone and a Windows laptop. My phone will be pre-configured to use ChatSecure, but I’ll install and configure Pidgin and pidgin-otr on my laptop since I’ll have access to a projector. I’ll start the presentation by running through this blog post and its screenshots, but will integrate the Pidgin demonstration once I get to the contact management and OTR initialization screenshots.
Please comment on this post or Tweet at me if you have any feedback.
This blog post (ChatSecure Tutorial for #TA3M by Christopher Sheats) is licensed under a Creative Commons Attribution 3.0 Unported License. You are free to copy and remix it without restriction.
Install ChatSecure. I installed it from the Google Play Store.
Open the ChatSecure application.
Set a strong password that you can remember. This password is set to protect access to ChatSecure, in case your phone is stolen or compromised. This is an added layer of protection so that adversaries cannot access your past communications or pretend to be you and have conversations with your contacts.
Add an account. For demonstration purposes and ease of use, I’ve opted to use my Gmail address. Using a Google account will likely be the least private option for private conversation. Keep in mind that Google and the NSA will own the metadata of your chats, including:
- The fact that you are using the internet (time stamp)
- The fact that you are signing in and out of Google (time stamp)
- The fact that you are conversing with a specific person (contact and time stamps)
Also keep in mind that when using Off The Record (OTR) messaging, Google and the NSA will not be able to read the contents of your conversation, since it will be encrypted.
XMPP and ZeroConf are alternative messaging architectures that may allow you greater privacy if used correctly. Be sure to research what chat protocol is best for you and the risks that you face.
Connecting to Google via the Tor anonymity network is recommended to protect your physical location’s metadata and to ensure private transit. However, be aware that if you’re using a cell phone, your cell service provider knows where you are, and if the NSA needed to find out where you were during an OTR conversation, it could compare the time stamps that Google and your cell service provider have.
Select your language.
Read and click through the dialogue.
If you have not rooted your Android, you will not be able to use Orbot’s advanced functionality. But for the purpose of using ChatSecure and other applications designed to work with Orbot, you will still be able to use the Tor network.
It looks like Orbot hasn’t been updated to advertise ChatSecure by its new name (it was formerly Gibberbot).
Press and hold the ‘power’ icon in the center to start your Tor connection.
Orbot will begin connecting to the Tor network automatically.
Now you’re connected to Tor and your ChatSecure application will route its communication through Tor.
Sign into your Google account (similar to Google Hangouts).
Select the three-vertical-box icon to access Settings.
Select Chat Encryption.
Require encryption for your ChatSecure/OTR conversations.
You may need to add a contact.
Enter the email or account address of the person whom you wish to converse with.
Select the person whom you wish to converse with.
Say hello! Keep in mind that the padlock at the top of the screen is not locked. This “hello” will be in cleartext.
Select the padlock to start the encryption (OTR) initialization process. The person with whom you are chatting must have an OTR-compatible client, ideally the same version of the same software, or at least an up-to-date OTR-compatible application, like Pidgin for PC, Mac, and Linux.
Your ChatSecure conversation is now encrypted using OTR; however, the yellow question mark in the padlock indicates that the person with whom you are chatting is not verified.
Select the padlock again to Verify the person (ID) whom you are chatting with.
Ideally you will select Question in order to answer a question to which only you and the person with whom you are privately conversing know the answer. This helps verify that you’re talking to the right person. You should also verify the ‘public key fingerprint’. For the purpose and ease of use of this presentation, I manually approved the identity.
Verify the fingerprints!!! And inform the person with whom you’re speaking of yours!!!
Now that you have verified the identity of the person with whom you are conversing, ChatSecure changes the padlock icon from a yellow question mark to a purple check.
Notice that because OTR (end-to-end encryption) is functioning and the person on the other end is verified, the text that is sent and received from now on also uses the purple padlock.
By default, ChatSecure will not store your conversation on your mobile device. So when you close a chat window and start a new session, you will have no chat history.
This is an example of what “information” Google and the NSA see from your OTR conversation. Privacy rules!
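To make concrete the difference between the cleartext “hello” earlier and what Google sees once OTR is running, here is an added Python example (written for this post, not code from ChatSecure, Orbot or Pidgin) that reads the message framing defined in the OTR v2/v3 protocol specification and reports what an observer without the session keys can tell from each message body. The sample bodies are constructed here; the ciphertext is a dummy byte string, not real OTR output.

```python
import base64
import struct

# OTR message-type bytes, from the OTR v2/v3 protocol specification.
OTR_TYPES = {
    0x02: "DH-Commit (handshake)",
    0x0a: "DH-Key (handshake)",
    0x11: "Reveal Signature (handshake)",
    0x12: "Signature (handshake)",
    0x03: "Data (encrypted message)",
}

# Whitespace tag an OTR client appends to plaintext to advertise OTR support.
WS_TAG = "\x20\x09\x20\x20\x09\x09\x09\x09\x20\x09\x20\x09\x20\x09\x20\x20"


def classify(body: str) -> str:
    """What the chat server (or anyone upstream of it) can tell from one
    message body without the OTR session keys."""
    if body.startswith("?OTR:") and body.endswith("."):
        raw = base64.b64decode(body[5:-1])
        if len(raw) < 3:
            return "malformed OTR encoded message"
        version = struct.unpack(">H", raw[:2])[0]
        kind = OTR_TYPES.get(raw[2], "unknown type 0x%02x" % raw[2])
        return "OTRv%d %s: content hidden" % (version, kind)
    if body.startswith("?OTR,") or body.startswith("?OTR|"):
        return "OTR fragment of an encoded message: content hidden"
    if body.startswith("?OTR Error:"):
        return "OTR error notice: cleartext"
    if body.startswith("?OTR") and body.endswith("?"):
        return "OTR query (client asks to start encryption): cleartext"
    if WS_TAG in body:
        return "plaintext advertising OTR support: content visible"
    return "plaintext: content visible"


def make_encoded(version: int, msg_type: int, payload: bytes) -> str:
    """Build a constructed '?OTR:...' body; OTRv3 carries two 4-byte
    instance tags after the type byte, which we zero for this sample."""
    header = struct.pack(">HB", version, msg_type)
    if version == 3:
        header += b"\x00" * 8
    return "?OTR:" + base64.b64encode(header + payload).decode() + "."


# Constructed sample traffic, in the order the tutorial above produces it.
SAMPLES = [
    "hello",                                   # the cleartext greeting
    "hello" + WS_TAG,                          # same, from an OTR-aware client
    "?OTRv23?",                                # padlock pressed: session request
    make_encoded(3, 0x02, b"constructed-dh-commit"),
    make_encoded(3, 0x03, b"constructed-ciphertext-not-real"),
]
```

Running `for s in SAMPLES: print(classify(s))` shows only the first three bodies are readable; the handshake and data messages reveal the protocol version and message type but nothing of the conversation.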
DISCLAIMER: The above public key fingerprints are not my actual fingerprints. These screenshots are only for the purposes of my demonstration.