Stanto.com

[Stanto]

Both people must be using this plugin with generated keys for it to work!

After using some packet monitoring tools I've noticed that typically communications on instant message applications are open for anyone to look at. (See post below).

So someone else is on your network? They could be monitoring your conversations if they're viewing the traffic in 'promiscuous mode' or they've intercepted your particular communications to the recipient.

Solution? If you use ICQ, Windows Messenger, AIM, etc. You could use Pidgin.

• Download pidgin for your OS (Windows, Linux, etc).
• Set it up for your instant messaging accounts (go ahead, do all at once!)
• Quit pidgin
• Download the encryption plugin:
  • Linux Users (Note: Linux users should check their distribution's repository first!)
  • Windows Users
• Run Pidgin from its icon, or manually
• Old version:
  • Select the "Preferences" menu item from the Tools menu.
    The last tab is the "Plugins" tab: select it, and check the box next to "Pidgin-Encryption"
• New version:
  • Click 'Tools' then "Plugins" and select "Pidgin Encryption"
• Encryption keys should now be installed for all of your accounts set up - any accounts added later will need to be generated by configuring the plugin in future
• Start a conversation with a friend and click the 'padlock' on the instant message window and select 'enable encryption'
• Accept / transfer the key with your friend
• Talk without anyone being able to read it! Woo!

[Stanto]

To further explain, here's an example in images.

Between myself and a friend I sent a message (well, a few) but one in particular. Using software to analyse the data traffic it is possible to see the message that was sent. This would be possible if someone had compromised your computer or was in 'promiscuous mode' monitoring your unencrypted WiFi network traffic or they had compromised the network (found out the key).

You can see the chat window and the packet with the framework and the message block. Here it is in plain text. Image Link.

With the Pidgin Encryption plugin we can see the message block uses a framework of 512 bytes to send the message 'jumbled up' or encrypted which will be decrypted at the other side by the key generated using the plugin and sent over when we tried to send the message. Image Link

The software used to view network traffic in this way, and the 802.3 ethernet frames was Wireshark. Available for Windows and Linux. If you do so you can open up the packet captures for yourself, here's the encrypted and the unencrypted. This was over the AOL instant messenger service via Pidgin.

[Stanto]

If you want to backup or keep your Pidgin keys there are a few files you should backup.

By default on Windows you will find them in:

• Windows XP
  
  • C:\Documents and Settings\<YourLog-onName>\Application Data\.purple
• Windows Vista
  
  • C:\Users\<YourLog-onName>\AppData\Roaming\.purple
• PortableApps Pidgin
  
  • .\PidginPortable\Data\settings\.purple

Presumably:

• known_keys - are ones you've saved from other people
• id.priv / id - these are ones you've generated

It's best to back-up all three files then you have a record of keys you trust and your own. You will have to re-back-up the files if you add accounts and generate new keys for them. Then you can restore them back into the .purple folder for either a Portable Apps version of pidgin, a linux version or windows version. Provided you're using the same encryption plug-in as above.

[Stanto]

It's possible to have this software so that you can take it with you, on a laptop, netbook, your desktop PC.

• PortableApps Pidgin
• PidginEncryption Portable

Safe keeping of the sensitive data then stored on the USB pen itself is entirely your own responsibility, as is use of this software within restricted environments.

[Stanto]

It's come to my attention that perhaps not everyone uses pidgin, but uses software built from the same libpurple engine (Adium, Miranda, Trillian, etc).

Apple Macintosh users may be familiar with Adium, similar to Pidgin. Rather than have trouble trying to find the same plugin for Adium that Pidgin has for encrypting; it can work the other way.

'Off The Record' is an encryption plugin that can (I think) hash encrypt conversations. This works between Microsoft Windows and MacOS, it could also work communicating with linux. It also works alongside the existing Pidgin Encryption plugin you may already have installed from above.

I have no idea what would happen if you used both at once.

Here're the two versions for windows:

• Portable
• Standard (with linux tar)

I think with this, you have to generate your keys manually via the 'plugins' section of Pidgin, within the options of the plugin.

[Stanto]

Lifehacker has placed a good article on storing your usernames and passwords for accounts within your operating system. See it here.

Here's what it says about Pidgin:

Pidgin Stores Passwords in Plain Text
That's right, your favorite open-source, multi-protocol instant messenger client stores your passwords in plain text. If you don't believe me, just open up your %appdata%\.purple\accounts.xml file in your favorite text editor, and you'll see your passwords right there for anybody to read.

The decision to store the passwords in plain text is a deliberate one that's been thoughtfully considered, and while you might initially think it's a terribly insecure way to handle security, keep in mind that you can simply download any number of utilities like Nirsoft's MessenPass and recover the passwords from AIM, Windows Live Messenger, Trillian, Miranda, Google Talk, Digsby, etc. The Pidgin developers point out that their option is actually the preferred method for security:

Might want to revise how you use it.

[Stanto]

The latest version of Pidgin (2.7.0) has broken/ignores the current Windows binary version of Pidgin-Encryption (3.0) - this applies (or will) both standard and portable versions.

Pidgin-Encryption 3.1 is available from source; I have compiled a windows (win32) dll binary of the plugin.

Installer available here.

Use the installer to locate your Pidgin folder and 'install' to there, it will choose one by default which may or may not be correct. If you have an older version of the plugin it will upgrade it. Remember to quit Pidgin first

Default locations for Windows installed versions:
C:\Program Files\Pidgin\

Or on 64bit Systems:
C:\Program Files (x86)\Pidgin\

Enjoy.

[Stanto]

Pidgin 2.7.1 broke my Pidgin-Encryption padlock icons. So I re-built the plugin against the latest source.

Download: Pidgin-Encryption 3.1 for 2.7.1