Trust in Communication Tools

For email, chat and secure phone calls, it is a bit more ‘direct.’ The ideal situation is that you meet someone in person to exchange the fingerprint information. There is no risk of someone ‘intercepting’ and changing this in a face-to-face meeting! Obviously that’s not always possible. Different tools have different ways around this problem. Security in a Box has an entire chapter devoted to private communications.

Chat: ‘OTR’

In chat or instant messaging, the current standard for trust is called OTR, or Off The Record. This is not the same as ‘off the record’ messaging in GChat, which only means that Google does not store a permanent log of the conversation. OTR provides the basic benefits above (secured end-to-end and proof against tampering), but notably also provides an additional layer of security – each conversation session is protected separately. This means that if someone is able to store all of your private chat conversations, breaking the encryption of one chat provides no ability to read any of the other chats. This also allows a degree of ‘deniability,’ i.e while your conversation is protected and authenticated, there is no way to prove that any of the messages came from you as opposed to someone else. OTR works in

Adium, Jitsi and Pidgin

To benefit from all of this, however, you must find a way to ‘authenticate’ the person you are chatting with. You only have to do this once per device for each secure contact (and you can use apps like KeySync to help). The key to linking this digital trust with a person you know is through a shared secret – you can call each other and directly compare a code unique to your accounts, or use a question-and-answer method where you know only this specific person would know a secret word you’ve agreed on or a specific piece of private information.

Resources