Why use Google Chat at all when there are a lot of 3rd party community-run jabber servers available? Then you can use any client you want and get a level of protection you desire (including OTR).
As long as they keep XMPP support around for ordinary google talk accounts, you have the power to use clients that support OTR-encrypted IMs. That way, Google only stores useless messages.
Pidgin and bitlbee make this super simple to set up. In fact, by default, my client performs auto-detection of someone else's OTR plugin, which means that after I send my first message to someone, my conversation is automatically "lifted" to an encrypted (albeit untrusted) channel. When set up properly, it's so seamless that I don't even notice it happened.
How about Chatsecure with Jabber and OTP? Isn't that a viable alternative too?
Doesn't require you to use a phone number, so it works nicely on tablets or desktops (pidgin+otr), etc.
Personally I find all OTR 'apps' inconvenient.
Keys always change. Clients aren't compatible across platforms.
You end up just clicking "ok" all the time to untrusted conversations because else you just can't talk to the other party.
I like gpg based chats better for that reason, people tend to keep the same key; it works more or less everywhere (except phones somehow) AND, if you trust their keys, you don't have anything to do, it just works, regardless of being IM, email, or whatever else. One trust db. Not 100.
And that is exactly why open IM protocols and 3rd party clients are so important.
If both you and your correspondents do use 3rd party IM client ([1], [2], etc), then just run OTR2 or OMEMO on top of the protocol, and let google store whatever it pleases - it's not going to be much use for them.
Sure there is. Of course people want to use third party email or chat clients. In fact, this is in many ways the bête noire of Hacker News whenever a related subject comes up, just today Slack blocking Iranian users. People point out that Slack, and Google Talk, used to have to speak Jabber. So I type my password into a Jabber WebClient, and I have just shared all the messages you sent me with a third party. It is literally this thing.
People who used the Nylas N1 client, or now, any app that uses the Nylas APIs are sharing all their email messages, contacts and calendars with a third party - this includes your messages and your telephone number.
It is, I believe, still used, but the lack of development is certainly a concern. I believe it's every bit as common to create disposable accounts on other chat clients and just enable OTR[0] for whatever protocol you use. Traffic is typically still routed through Tor, and since the account is disposable, you shouldn't need to worry about it being linked to you. The only true concern is that the protocol you pick might not be running on a hidden server, so the records of that server could be subpoenaed. However, for example, you can pick hidden xmpp services, which means you only have to trust that the service itself is being run by entities who have no reason to compromise your endpoint or manipulate your chat experience. It means you have to be on the same server as the person you're looking to contact, and it means that you need a way of establishing the identity of the person you're trying to talk to. OTR does this by having secret questions and answers, which have to match at least the first time you talk to someone. I would personally combine this with PGP key verification, if the person has a known public key. It's easy to see someone type in the answer to the secret question, or even guess it if the person doesn't think far enough ahead to make that unlikely, but (hopefully) much more difficult to grab the person's private key and passphrase.
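The secret question/answer check the comment above refers to is OTR's Socialist Millionaire Protocol (SMP): both sides learn whether their answers match without either answer crossing the wire. The following is an added illustration, not code from the comment's author or from any OTR implementation. It uses a constructed toy modulus (2^127 - 1) and generator, omits the zero-knowledge proofs real SMP attaches to each exponent, and assumes a simplified hash-to-exponent mapping; real OTR uses the 1536-bit MODP group from RFC 3526 and a more involved secret derivation.

```python
import hashlib
import secrets

# Constructed toy parameters, chosen to be readable rather than secure.
# Real OTR uses the 1536-bit MODP group (RFC 3526) with generator 2.
P = 2**127 - 1   # a Mersenne prime, fine for the algebra below
G1 = 3


def answer_to_exponent(answer: str) -> int:
    """Assumed simplification: hash the typed answer straight to an exponent.
    OTR mixes in both fingerprints and the session id before hashing."""
    digest = hashlib.sha256(answer.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1)


def rand_exp() -> int:
    """Fresh private exponent in [1, P-2]."""
    return secrets.randbelow(P - 2) + 1


def smp_match(answer_alice: str, answer_bob: str) -> bool:
    """Simulate both parties of SMP. Only the group elements named in the
    comments would be transmitted; answers and exponents stay local."""
    x = answer_to_exponent(answer_alice)   # Alice's secret exponent
    y = answer_to_exponent(answer_bob)     # Bob's secret exponent

    # Step 1: each side picks two private exponents and publishes g1^a2, g1^a3.
    a2, a3 = rand_exp(), rand_exp()
    b2, b3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G1, a2, P), pow(G1, a3, P)   # sent by Alice
    g2b, g3b = pow(G1, b2, P), pow(G1, b3, P)   # sent by Bob

    # Step 2: both derive the shared bases g2 = g1^(a2*b2) and g3 = g1^(a3*b3).
    g2 = pow(g2b, a2, P)
    g3 = pow(g3b, a3, P)
    assert g2 == pow(g2a, b2, P) and g3 == pow(g3a, b3, P)

    # Step 3: blinded commitments. Pa/Pb hide the blinding factors r and s,
    # Qa/Qb bind the blinding factor to the secret.
    r, s = rand_exp(), rand_exp()
    pa, qa = pow(g3, r, P), (pow(G1, r, P) * pow(g2, x, P)) % P   # sent by Alice
    pb, qb = pow(g3, s, P), (pow(G1, s, P) * pow(g2, y, P)) % P   # sent by Bob

    # Step 4: each side raises Qa/Qb to its own a3 or b3 and exchanges the result.
    qa_over_qb = (qa * pow(qb, -1, P)) % P
    ra = pow(qa_over_qb, a3, P)   # sent by Alice
    rb = pow(qa_over_qb, b3, P)   # sent by Bob

    # Step 5: Rab = Rb^a3 = Ra^b3 = (Qa/Qb)^(a3*b3) = g3^(r-s) * g2^((x-y)*a3*b3).
    rab = pow(rb, a3, P)
    assert rab == pow(ra, b3, P)

    # Pa/Pb = g3^(r-s), so Rab == Pa/Pb exactly when the g2 term vanishes, i.e. x == y.
    pa_over_pb = (pa * pow(pb, -1, P)) % P
    return rab == pa_over_pb


if __name__ == "__main__":
    print(smp_match("blue heron", "blue heron"))   # answers agree
    print(smp_match("blue heron", "Blue Heron"))   # answers differ (case matters)
```

Note that a mismatch is detected without either side learning the other's answer, which is why the comment's worry is shoulder-surfing or guessing the answer rather than intercepting it; the case-sensitivity of the hash also shows why agreeing on exact spelling beforehand matters.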
I'm using OTR, but only for conversations that are worth protecting. IMHO securing typical chat with friends (mostly consisting of funny/interesting link exchanges) is almost pointless.
But having the history is still useful ("remember that article I sent you yesterday").
For me not relying on a centralized solution run by a company funded largely by the US government is good enough reason. Especially as I've demonstrated you can have the same level of security or even more (XMPP doesn't require phone numbers and can run over Tor) without losing any modern features.
> ChatSecure is a free and open source messaging app that features OMEMO encryption and OTR encryption over XMPP. You can connect to your existing Google accounts or create new accounts on public XMPP servers (including via Tor), or even connect to your own server for extra security.
> Unlike other apps that keep you stuck in their walled garden, ChatSecure is fully interoperable with other clients that support OMEMO or OTR and XMPP, such as Conversations (Android), CoyIM (Desktop), and more.
There are alternatives with comparable or better security, but they tend to have other flaws. Most of the alternatives including Wire and Riot ALSO depend on GCM, otherwise they either lack push or force ridiculously bad battery life. They also have bad UX since they don't ask the user for a battery optimization exception permission, so the user would have to somehow know it's required or they'll break after a while in the background.
Conversations / OMEMO is a great Android messaging client, but it's ONLY available for Android and a desktop client (Gajim OMEMO plugin). It can use OTR (which it marks as less secure) but there isn't even a decent iOS OTR client anyway. ChatSecure iOS will probably get OMEMO and push support along with becoming a more decent client but it's going slowly. Until that happens, Conversations is problematic because there isn't a decent way to talk to iOS users.
Yeah the OTR plugin is really nice. I think it has suffered from some serious not-invented-here syndrome in terms of not being baked into Pidgin as a core feature (which it should be).
It has been included in Mac OS X's Adium client for many years, which probably means that it has the largest installed base of any end-to-end encrypted chat client, other than Skype. (Although I don't know if Adium automatically enables it, but at least it doesn't require another download and a clunky plugin enablement.)
Pidgin and Adium are discussed in the guide specifically because they can do OTR. The trouble is that both clients are probably quite vulnerable to remote code execution bugs arising from things like memory corruption. Hence using them might protect you quite a bit from someone recording your IMs, but also expose you to someone who knows about a specific unpatched vulnerability and can send you messages taking over your computer.
The authors of the guide are very aware of this concern and will definitely be considering it further.
It uses OTR for encrypted chat, so you can use any OTR client for the other side of the chat. I personally use pidgin on my laptop and ChatSecure on my cell. It currently supports at least iOS and Android, which encompasses most people that I know.