The OTR protocol not only encrypts your messages, it provides ways to verify the identity of the person you are talking to, plausible deniability and perfect forward secrecy by generating new encryption keys for each conversation.
How this works is actually fascinating. The encryption keys are generated via a Diffie-Helman exchange. On youtube there is a video with a very simple and intuitive explanation on how the Diffie-Helman key exchange works. For more details, you can also read the OTR version 3 protocol spec.
Many thanks go out to him for this.
Arlo cautions that the otr.js library has not yet been properly vetted by security researchers and shouldn’t be used in life or death situations.
This word of caution applies doubly so to its integration into converse.js!
I’m not a professional cryptographer and this should be seen as an experimental feature.
Note: For detailed fullscreen, make sure that video quality is set to HD, by clicking the gear icon on the video player.
I read that article before I started working on OTR support for converse.js and I’d like to go through some of its criticisms step by step to explain how they might apply to converse.js and what I’ve done to mitigate them.
If you’re going to read on, it would make sense to go read that article first.
The OTR crypto is not trying to compete with or replace SSL/TLS.
Sending data in the clear with normal HTTP is not secure and should be avoided. Therefore, if you are going to use OTR with converse.js, always make sure that the site users HTTPS (i.e. SSL/TLS).
On xmpp.net they let you test the security of servers on the Jabber/XMPP network.
The prevalence of content-controlled code.
The solution is to not use such a site for secure communications. Clear your cache regularly, Use hosts you trust, or as I’ve mentioned above, bypass the webserver entirely by using converse.js from your own filesystem.
Any variables, objects or functions defined locally inside another
(parent) function (with the
var) keyword, are not accessible outside
of that parent function.
If the parent functions is anonoymous (is not referenced anywhere) or the child function’s runtime outlives the parent’s, you have a private, enclosed scope with data that cannot be accessed from outside that scope.
All the data in converse.js is encapsulated inside such closure.
The lack of systems programming primitives needed to implement crypto.
Without having authoritative knowledge on whether their claim is valid, I’ll refer you to this blog post by Nadim Kobeissi (author of Cryptocat), where he claims:
This is in fact not the case.
His blog post is well worth reading, and he also addresses some other criticisms for which I didn’t have anything to add.
OTR encryption in converse.js provides increased security and privacy for your chats. Messages are encrypted and not logged or cached
Any Jabber/XMPP services that snoop on your communications by logging your messages (like for example Facebook does) will only have access to the encrypted ciphertext, making it useless for surveillance or exploitation.
Features coming future releases
The current implementation of OTR doesn’t have any encryption policy support. With that, I mean the ability to set a policy such as Always encrypt messages.
Currently you need to always manually enable encryption.
Distributed services and self-hosting
There are more and more Free and Open Source (FOSS) self-hosted web-applications becoming available as alternatives to so-called centralized ”cloud” solutions.
Feedback, patches, donations
All of the work I did on OTR integration was in my free time and free of charge. A gift and my personal contribution towards the movement for providing free communication solutions that are not founded upon surveillance and commercial exploitation of personal data.
All the code is open source and contributions are always welcome, be it in audits, features, bugfixes, documentation, words of encouragement or tips.
Hello, I'm JC Brand, software developer and consultant.
I created and maintain Converse, a popular web-based XMPP chat client,
I can help you integrate chat and instant messaging features into your website or intranet.
You can follow me on the Fediverse or on Twitter.