Off-the-Record Messaging


You've probably received email from people pretending to be banks, credit agencies, even wealthy Nigerian expatriates. People lie about who they are all the time on the Internet. Authentication is a way to make sure that nobody can lie to you about who they are when they use OTR.

When to authenticate

You should authenticate a buddy the very first time that you talk to them using OTR. If you don't, then you can't really be sure that someone else isn't impersonating them or trying to listen in on your conversation. However, once you've authenticated your buddy, you don't have to do it again: OTR remembers the fingerprint you verified and recognizes it automatically in all of your future conversations with that buddy.

The only exceptions occur when your buddy switches between multiple computers or multiple IM accounts, since each of these has its own OTR key and therefore its own fingerprint. In this case, you will need to authenticate once for each computer and account. Once you've done this, your buddy can freely use any of the computers you've authenticated them on, and OTR will recognize them automatically. If your buddy uses a new computer or account that OTR does not recognize, a message will pop up in your conversation window telling you about it.

How to authenticate

OTR provides three ways to authenticate your buddy:

  1. Question and answer
  2. Shared secret
  3. Manual fingerprint verification

To start the authentication process, you need to first be communicating with your buddy in the "Unverified" or "Private" states. [Note that the "Private" state indicates that you have already successfully authenticated your buddy, and it is not necessary to do it again.] Choose "Authenticate buddy" from the OTR menu.

The Authenticate Buddy dialog will pop up. Use the combo box to select which of the three authentication methods you would like to use.

Question and answer

To authenticate using a question, pick a question whose answer is known only to you and your buddy. Enter this question and this answer, then wait for your buddy to enter the answer too. The two answers must match exactly, including case and spacing, so choose a question with an unambiguous answer. If the answers don't match, then either your buddy made a mistake typing in the answer, or you may be talking to an imposter.

If your buddy answers correctly, then you have successfully authenticated him or her, and the OTR status of this conversation will change to "Private".

Your buddy will probably also want to ask you a question, so that he or she can authenticate you in return.

Note that this method first appeared in pidgin-otr 3.2.0; if your buddy is using an older version, this will not work.

Shared secret

To authenticate someone with the shared secret method, you and your buddy should decide on a secret word or phrase in advance. This can be done however you like, but you shouldn't type the phrase directly into your conversation.

Enter the shared secret into the field provided in the Authenticate Buddy dialog box. Once you enter the secret and hit OK, your buddy will be asked to do exactly the same thing. If you both enter the same text, then OTR will accept that you are really talking to your buddy. Otherwise, OTR reports that authentication has failed. This either means that your buddy made a mistake typing in the text, or it may mean that someone is intercepting your communication.

Note that this method first appeared in pidgin-otr 3.1.0; if your buddy is using an older version, this will not work.

Manual fingerprint verification

If your buddy is using a version of pidgin-otr before 3.1.0, or a different OTR client that does not support the other authentication methods, you will need to use manual fingerprint verification.

You will need some other authenticated communication channel (such as speaking to your buddy on the telephone, or sending gpg-signed messages). Do not exchange fingerprints over the very IM conversation you are trying to verify: anyone intercepting it could simply substitute their own. You should tell each other your own fingerprints. If the fingerprint your buddy tells you matches the one listed as his or her "purported fingerprint", pull down the selection that says "I have not" (verified that this is in fact the correct fingerprint), and change it to "I have".

Once you do this, the OTR status will change to "Private". Note that you only need to do this once per buddy (or once per fingerprint, if your buddy has more than one fingerprint). pidgin-otr will remember which fingerprints you have marked as verified.
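The following is an added example, not part of this page or of pidgin-otr itself. It shows the bookkeeping behind the "once per fingerprint" rule above and behind the "new computer or account" warning in "When to authenticate": a small reader for pidgin-otr's fingerprint store, a normalizer for fingerprints read out over the phone (the client shows five upper-case groups of eight hex digits; your buddy may read them with any spacing or case), and a check that tells you whether a purported fingerprint matches, is already trusted, or is new. The file layout (buddy, your account, protocol, 40 hex digits, trust tag of "verified", "smp" or empty) is my reading of how libotr writes otr.fingerprints and should be treated as an assumption; the names and fingerprints in the sample store are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of a pidgin-otr fingerprint store (otr.fingerprints).
# Layout assumed from libotr's writer, one record per line:
#   buddy <TAB> your account <TAB> protocol <TAB> 40 hex digits <TAB> trust
# where trust is "verified" (manual), "smp" (question/shared secret) or empty.
# Every value below is made up for this example.
SAMPLE_STORE = (
    "alice@example.org\tbob@example.org\tprpl-jabber\t"
    "1a2b3c4d5e6f708192a3b4c5d6e7f80910213243\tverified\n"
    "alice@example.org\tbob@example.org\tprpl-jabber\t"
    "ffeeddccbbaa99887766554433221100aabbccdd\t\n"
    "carol@example.org\tbob@example.org\tprpl-jabber\t"
    "00112233445566778899aabbccddeeff00112233\tsmp\n"
)


@dataclass(frozen=True)
class Fingerprint:
    buddy: str      # who the fingerprint belongs to
    account: str    # which of your own accounts saw it
    protocol: str   # Pidgin protocol id, e.g. prpl-jabber
    hex40: str      # 40 lower-case hex digits, no spaces
    trust: str      # "" means you have not authenticated this one

    @property
    def trusted(self) -> bool:
        # Any non-empty trust tag counts as authenticated.
        return self.trust != ""


def normalize(fingerprint: str) -> str:
    """Canonicalise a fingerprint however it was conveyed: display form,
    spoken over the phone with arbitrary spacing/case, or the store's form."""
    compact = re.sub(r"\s+", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", compact):
        raise ValueError("an OTR fingerprint is 40 hex digits (a 20-byte SHA-1)")
    return compact


def to_human(hex40: str) -> str:
    """The display form pidgin-otr uses: five groups of eight, upper-case."""
    return " ".join(hex40[i:i + 8] for i in range(0, 40, 8)).upper()


def parse_store(text: str) -> list:
    """Parse the tab-separated store; a missing trust column means untrusted."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) == 4:
            fields.append("")
        if len(fields) != 5:
            raise ValueError(f"otr.fingerprints line {lineno}: expected 4 or 5 "
                             f"tab-separated fields, got {len(fields)}")
        buddy, account, protocol, fp, trust = fields
        records.append(Fingerprint(buddy, account, protocol, normalize(fp), trust))
    return records


def needs_authentication(records: list) -> list:
    """Fingerprints never authenticated, as (buddy, display form). Each is a
    buddy, or a buddy's extra computer/account, you still have to verify once."""
    return [(r.buddy, to_human(r.hex40)) for r in records if not r.trusted]


def check_purported(records: list, buddy: str, account: str,
                    purported: str, read_out_by_buddy: str) -> str:
    """Manual fingerprint verification. `purported` is what your client shows
    for this buddy; `read_out_by_buddy` is what they told you over a channel
    you already trust. Returns one of:
      "mismatch"   - do not mark verified; possibly an impostor or interception
      "trusted"    - already authenticated (manually or via question/secret)
      "unverified" - known fingerprint that matches; change "I have not" to "I have"
      "new"        - matches but not in the store yet; verify it and it is remembered
    """
    shown = normalize(purported)
    spoken = normalize(read_out_by_buddy)
    if shown != spoken:
        return "mismatch"
    for r in records:
        if r.buddy == buddy and r.account == account and r.hex40 == shown:
            return "trusted" if r.trusted else "unverified"
    return "new"


if __name__ == "__main__":
    store = parse_store(SAMPLE_STORE)
    for who, fp in needs_authentication(store):
        print(f"still to authenticate {who}: {fp}")
    print(check_purported(store, "alice@example.org", "bob@example.org",
                          "FFEEDDCC BBAA9988 77665544 33221100 AABBCCDD",
                          "ffeeddcc bbaa9988 77665544 33221100 aabbccdd"))
```

Run against the constructed store, the second fingerprint for alice is the one that still needs a manual check (a second computer or account, in the terms of this page), and a fingerprint your buddy reads out that differs in even one digit from the purported one is reported as a mismatch rather than being marked verified.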

What the results mean

When you have entered your secret and hit OK, a progress bar pops up. This bar should fill up to 100% and then report one of four results: success, a failed match, an error, or a one-sided authentication.

Success means that authentication has completed. The OTR button will automatically change to "Private", showing that conversations with this buddy are now authenticated as well as encrypted.

A failed match means that although there were no errors, your buddy did not enter the same text as you. You should try again, making sure that you are clear about what to type (for example, "the restaurant name in lower case"). If you repeatedly get this result, you should not trust that your buddy is who you think he or she is.

An error means that something has gone wrong and the process could not complete normally. This will happen if your buddy hits "cancel" or fails to receive one of your messages. In this case, you should simply try again. If you try several times and keep getting an error, you should not trust that your buddy is who you think he or she is.

A one-sided authentication means that you answered your buddy's authentication question successfully, so you have authenticated yourself to your buddy. However, your buddy has not yet authenticated to you. You may want to ask your buddy an authentication question by selecting "Authenticate buddy" from the OTR menu yourself.