Encrypted chats through Adium

09. July 2013 Security 13

I discovered Adium many years ago and loved it instantly. Instead of having MSN Messenger, Yahoo Messenger, iChat and Facebook windows all over the place, it allowed me to combine all of it in one single app. That’s the main reason I used it and couldn’t care less about skins, sounds, icons and plugins. This was also long before I became concerned with privacy and security; I didn’t think about the fact that the MSN, Yahoo, Facebook and iChat servers were all located abroad and did not know about governments and agencies spying on us. Now I know better. I’ve spent a long time looking for good ways to secure my communications and never thought to look at the tools I already had. Then I accidentally stumbled onto Adium’s OTR encryption feature and have been using it ever since.

OTR stands for Off-the-Record and is a cryptographic protocol that provides strong encryption for instant messaging (IM) conversations. OTR uses a combination of different encryption algorithms, perfect forward secrecy (PFS) and deniable encryption. Sounds good, right? It is. And thanks to Adium you have this encryption right at your fingertips. OTR is not limited to Adium; other clients use it too, but for OS X I’ve found Adium to be the best (and almost only) available option. There is a lot of material out there that allows you to learn more about OTR and it’s really interesting.

If you have a buddy list of some kind and chat using the following services, then you may want to consider Adium to encrypt those chats. Of course the person you are chatting with needs a chat client that supports OTR as well, so it is able to decrypt your messages and send encrypted messages of its own. The currently supported messaging services are:
– Google Talk
– Facebook Chat
– LiveJournal
– AIM
– ICQ
– MobileMe / iChat (even though MobileMe no longer exists, your account still works)
– MSN / .Net / Live
– Yahoo Messenger
– Twitter
– Bonjour
– IRC
– MySpace IM
– Skype
– QQ
and plenty more.

Worried about or warned to stay away from certain companies because of PRISM or other spy programs? Don’t worry. If you encrypt your chats then you can use Facebook, Apple or Google servers for the service and still have confidential conversations. Use their servers and services for your benefit without giving them any of your data 🙂

Getting started
First, do some research to find out if Adium is right for you. As I’ve mentioned before, always do your own research. Don’t just take my word for it or anyone else’s, see if you agree with the privacy policies etc. and then make up your own mind. You can find Adium’s website here, some info about Adium here and their privacy policy can be found… well, nowhere. It appears there isn’t one. I did hear it mentioned that no conversations or other traffic (other than updates and anonymous stats) go through Adium’s server (disable the collection of anonymous system profile in Preferences > General if you want). After monitoring Adium’s traffic for a while I found that this is indeed the case, as far as I can see. Once you feel you have done your homework and trust Adium to handle your private information, download and install it.

Setting up Adium
Start by setting up one or more of your IM accounts in Adium. When that is done, go to Preferences > General. Disable the logging of messages or at least disable the logging of OTR-secured chats. Thanks to the way OTR works there is deniability that can be used in case logs are ever compromised, but it’s better to take away this piece of the puzzle in case someone does ever get a hold of your computer/data/logs. Personally I do not keep logs of any kind. I find it respects the other party’s privacy and/or security whether they asked for it or not. And if my Mac is ever compromised and somehow my data is accessible, there won’t be any transcripts or logs to go through that can be used against me or anyone I’ve spoken with. (Using a strong password and encryption to secure your hard drive(s) further helps in securing any type of logging the system does.)

Next, while still in Preferences, click on Advanced and find ‘Encryption’. Here you can see the private keys that are generated for each account you have set up, your fingerprint for that account and saved fingerprints for buddies you have previously verified and had encrypted chats with. If you feel at any time that your account, computer, internet connection or the identity of the other party was compromised, use the ‘Regenerate’ button to create a brand new key/fingerprint. Or even if everything is OK you can create a new key just for peace of mind. Keep in mind that every time a new key is generated you have to somehow get this key to the receiver so they can verify your identity and that increases the risk of the key being intercepted. I was told that while opinions on regenerating the key differ, to just keep one key for a long time is best for now.

Make your way back to the Accounts tab and double-click on each account. One of the tabs in the window that opens is ‘Privacy’ and in there you can set OTR preferences. You can set one or more of your accounts to “Encrypt chats automatically”. This adds an invisible string to your unencrypted messages, which other OTR-capable clients will respond to. If you are messaging another OTR-capable client, encryption will be enabled; if the other party is not OTR capable, the string will be ignored and the chat session will proceed unencrypted.

The OTR preferences can be set for every individual account.
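
The "invisible string" used by “Encrypt chats automatically” is a run of spaces and tabs appended to the plaintext message. The Python below is an added example (not code from Adium or libotr) of how a receiving client can detect that tag, read which OTR versions the sender offers, and strip it before display. The tag byte values are the ones given in the OTR protocol specification, not on this page; the function names, sample messages and the simplified policy in `decide` are assumptions.

```python
# Whitespace tag values as given in the OTR protocol specification
# (0x20 = space, 0x09 = tab). They are not taken from the article.
OTR_BASE_TAG = "\x20\x09\x20\x20\x09\x09\x09\x09" "\x20\x09\x20\x09\x20\x09\x20\x20"
OTR_VERSION_TAGS = {
    "\x20\x09\x20\x09\x20\x20\x09\x20": 1,
    "\x20\x20\x09\x09\x20\x20\x09\x20": 2,
    "\x20\x20\x09\x09\x20\x20\x09\x09": 3,
}


def parse_whitespace_tag(message):
    """Return (offered_versions, visible_text) for a plaintext IM message.

    offered_versions is a sorted list of the OTR versions advertised by the
    sender's whitespace tag, or [] when the message carries no tag.
    """
    start = message.find(OTR_BASE_TAG)
    if start == -1:
        return [], message
    pos = start + len(OTR_BASE_TAG)
    versions = set()
    # Version tags are consecutive 8-character groups right after the base tag.
    while message[pos:pos + 8] in OTR_VERSION_TAGS:
        versions.add(OTR_VERSION_TAGS[message[pos:pos + 8]])
        pos += 8
    # Strip the tag so the user sees only the text the sender typed.
    return sorted(versions), message[:start] + message[pos:]


def decide(message, my_versions=(2, 3)):
    """Simplified (assumed) policy: start OTR if any offered version is shared."""
    offered, visible = parse_whitespace_tag(message)
    common = [v for v in offered if v in my_versions]
    if common:
        return "start OTRv%d key exchange" % max(common), visible
    return "stay unencrypted", visible


# Constructed sample messages (not captured traffic): one offering v2 and v3,
# one from a client without OTR.
V2_TAG, V3_TAG = "\x20\x20\x09\x09\x20\x20\x09\x20", "\x20\x20\x09\x09\x20\x20\x09\x09"
TAGGED = "hi, are you there?" + OTR_BASE_TAG + V2_TAG + V3_TAG
PLAIN = "hi, are you there?"

if __name__ == "__main__":
    for sample in (TAGGED, PLAIN):
        print(decide(sample))
```

The tagged message itself is still sent in the clear, so the chat service can read it and can tell that the sender's client offers OTR; only messages after the key exchange are encrypted.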


Your first encrypted chat

Open a chat window and you’ll see the lock icon at the top. Click this and select “Initiate Encrypted OTR Chat”.

Initiate an OTR Chat

Both you and the receiver will now see a pop-up message asking to verify each other’s fingerprints. Instead of just clicking “Accept”, contact the other party to verify this fingerprint!

Verify the fingerprint with the other party before clicking ‘Accept’

Be smart when contacting the other party to verify their fingerprint. For example phone conversations are monitored by every government around the planet so this is not considered secure. Best is to write fingerprints down and exchange them in person. If that is not an option be creative but careful, you do not want your key intercepted. As mentioned, your key and the keys of users you have already verified are stored in Adium’s preferences so it is important to keep anyone other than yourself away from those preferences. Use a login password, full disk encryption like FileVault and a screensaver password so that these keys can not be compromised while you are away from your keyboard.

If your key/fingerprint is compromised at some point then future messages could be at risk but messages sent and received in the past can not be decrypted using this key. This is, in my opinion, one of the biggest advantages over PGP encryption or applications such as Cryptocat where years of messages can be decrypted if the key falls into the wrong hands or a flaw is discovered.

Anyway, that’s all there is to it! A quick setup and one button. All it takes to have some privacy and, if need be, deniability for your chat and messaging sessions.
Some things to note about Adium:
– It uses OS X’s File Quarantine feature so any files transferred through Adium will be flagged for extra security.
– Resource usage is very low, some of the lowest I’ve seen in any chat or messaging application.
– Adium is completely free.
– OTR in Adium will be improving with the addition of the Socialist Millionaire protocol allowing for authentication via a shared secret rather than a fingerprint. I’ll write a follow-up post about that once the feature has been released.

Give Adium a try and check out the many other features it has to offer. Thanks to the guys I spoke with for providing me with a lot of the information 🙂

Feedback and comments welcome.


13 thoughts on “Encrypted chats through Adium”

  • 1
    John on July 21, 2013 Reply

    Used this tonight and found it excellent 🙂

  • 2
    Bob on August 23, 2013 Reply

    Thanks for sharing the guide!

  • 3
    Sheldon Moorman on September 5, 2013 Reply

    This is the right webpage for anyone who would like to understand
    this topic. You know so much it’s almost tough to argue with you (not that I personally would
    want to…HaHa). You certainly put a new spin on a topic that has been discussed for many years.
    Great stuff, just excellent!

  • 4
    Don Droga on February 12, 2014 Reply

    Why does Adium want to access my contacts? (osx)

    • 5
      Jay on February 12, 2014 Reply

      So it can fill your buddy list with actual names instead of email addresses. You are not obligated to allow the access, it is just a lot more convenient for you.

  • 6
    Don Droga on February 12, 2014 Reply

    No OTR preferences on Facebook, just Account, Personal and Proxy?

    • 7
      Jay on February 12, 2014 Reply

      I have deleted my Facebook a while ago so I can not test this but if I remember correctly you have to set up the Facebook account as an XMPP instead of Facebook, then OTR becomes available.

  • 8
    Dr. D on December 17, 2014 Reply

    As a genuine novice, I enjoyed your article…actually understood much of what you said. I went to the Socialist Millionaire link and I’m sure those guys really understand all those formulas but they sure do not know how to bring all that down to the novice level. You mentioned you planned a followup article. Was that done? If so, how can I reach it?

    • 9
      Jay on December 18, 2014 Reply

      The follow up has not been written (yet). The feature that I was told would be making its way to Adium has still not been introduced. I check out their betas and nightly builds regularly but so far nothing yet. I use Adium every day so once the Socialist Millionaire protocol is present I’ll write about it right away.

      • 10
        Dr. D on December 18, 2014 Reply

        Thanks Jay. I’m sorry that I failed to say in my email just how informative and thorough your article was. I want to learn all I can about how to intelligently shield myself from any kind of intrusions. It’s a slow process for me at my age (75) but I’m hopeful. I’ll be looking for your update. Merry Christmas to you!

        • 11
          Jay on December 18, 2014 Reply

          And you too! 🙂 If there’s ever a certain topic you want to know more about just let me know. If I haven’t covered it yet and if it’s relevant to other readers I’d be happy to write about it.
