
OTR everywhere

Feb 2016

Off-the-Record Messaging is a protocol for encrypted conversations. From the user’s perspective, participating in an OTR conversation is just like using any other chat program, with the addition of that ever-important lock icon in the corner.

Occasionally something goes wrong and instead of chat messages, raw blobs of OTR are barfed into the chat window:

This unfortunate glitch offers a glimpse into how OTR messages are transmitted. Specifically, they are encoded as base-64 plain text and sent as if they were regular chat messages. There is no special channel to keep OTR messages separate; instead clients look for the ?OTR: prefix to distinguish them.

The original OTR paper explains that it was designed this way to integrate more easily with chat clients, and also to allow you to communicate with your OTR friends and non-OTR friends without needing separate instant messaging networks.

Another more fun property is that it allows OTR conversations to take place over any medium that can transmit text. And wow, there sure are a lot of mediums that can transmit text: email, SMS, tweets, fax, UDP, Gopher, pagers, QR codes, postcards and microfilm to name a few.

Standalone client

Most clients come in the form of chat plug-ins, but I wanted a standalone program that exposed the raw OTR messages. So I whipped together OTR Everywhere. It is based off golang’s OTR implementation but hacked up a lot to make it work in this bizarre use-case, so don’t rely on it to protect the privacy or integrity of your conversations. Sorry about that, but hey, let’s experiment.

To start a conversation simply choose a name for your contact. In return you get an OTR message which you must send to your partner. This is the first of four (!) handshake messages that must be exchanged before a conversation can begin. Here is what a handshake between two people looks like:

[green ~]$ otr-everywhere new purple

New conversation. Send them this message to begin:

?OTR:AAICAAAAxJwJ1EmOsSRSvGgmfI3nsy5WKXP5k10Cgb/d6ndNP/XpdGSP5/nwpy4jAQE
yYTKEnNdpNPywLgvxKskAIAyv3K84edVYRVLDB1mujjygqaVcefTKTt6ZqUrCdmqaU3TMN4M
buA3PC2Drpo1bgdxRfTaDuBOrUBf89HiOFQ8eu9Fs9q/O9P14T4OfR3LVtCENo6h7TNYBRQL
HNACNw2WioeMpzkvk7e43SRWZmufcyUeChfaM4WaBofBmDZ4TL7zoGF5slQUAAAAgDYntRN+
uKb/+gUcXRhIKS9VmWZnKz6QOtnPQcO9zFFs=.
[purple ~]$ pbpaste | otr-everywhere recv green

Received request for a new conversation. Send this message back:

?OTR:AAIKAAAAwL14Z2yFWloBZxqGxC1WOGKlBopK99Eh7k7iPQ9+q+KGYUPXjB2kETaqfsV
tiN0ypDt0aoKg0zCmGQ8pkCoEMUWswXFySNPP+X45lbdiA3YzPNucniyplTWRBaKksEXhIOJ
03bpJNPVjRm2KnWz5nm9H/yNj4P1CKhUUnfhqCqWCUanVm5ddxggxMqggCumHxnJIFpTCZH4
VvwyCOYWYw3TMrEDfIGyHEog8agCw15cGF669yx5A/mE9m5Rs0b0k8A==.
[green ~]$ pbpaste | otr-everywhere recv purple

Conversation is being set up. Almost there. Send this message back:

?OTR:AAIRAAAAEKNleSSuJ3d2ocNAsz3s3goAAAHSc+Xnp546LdyW33qI5g3X5/FlrZUhLA3[...].
[purple ~]$ pbpaste | otr-everywhere recv green

Conversation ready on our end.

Their fingerprint: 3565B4DC D524278C D8545595 3A1C78DC 98C9E416
   My fingerprint: A1D28446 12E82C8A CF873061 B89087F3 0F8E52F0

This is a new contact, so we are trusting the above fingerprint belongs
to the correct person and not an eavesdropper. Compare fingerprints
in-person for increased confidence in your privacy.

Send them the final handshake:

?OTR:AAISAAAB0testvxzsBGurojycLi4zzuNC5s/hfkHLONMWbp/RtdhDBDqrTK7Yvt8efL[...].

After that, you can chat using:

otr-everywhere send green
[green ~]$ pbpaste | otr-everywhere recv purple

Conversation ready.

Their fingerprint: A1D28446 12E82C8A CF873061 B89087F3 0F8E52F0
   My fingerprint: 3565B4DC D524278C D8545595 3A1C78DC 98C9E416

This is a new contact, so we are trusting the above fingerprint belongs
to the correct person and not an eavesdropper. Compare fingerprints
in-person for increased confidence in your privacy.

You can now chat using:

otr-everywhere send purple

Phew. After that ordeal here is how you finally send and receive messages:

[green ~]$ echo "wow that was a nightmare" | otr-everywhere send purple

?OTR:AAIDAAAAAAEAAAABAAAAwNbK4fmJ7ZsoFrusb5Y+3Rj7w1maVu6UtIPjSi/fKhutYit
u6OG2UqhDZeNlar8LYKwVFNf7J3WcqVSR211p314wqZOSlvgYUUxbVUu44ER6Zo7Kq2nBcBu
Sk3jvq5D2y9MEva0l5krpO84vJ/4bTQK4k/OslOb3r+A5VAKDKwm8iBzSQs0gxOFUXWa3G8x
3gB/B0yfYe3I6ZV7XsTaB6KgrP5R4bXJYk56YQiJrlhMU0WmMV8b7qIO40VRpFbaj4AAAAAA
AAAABAAAAIDPRdfWYCHVFrFtqdZgMM0WNnEwih+jvPgrS70x58d089ikU58w2jH7LR5lEJlw
1FzeX5kQAAAAA.
[purple ~]$ pbpaste | otr-everywhere recv green

wow that was a nightmare
[purple ~]$ echo "yeah let's just use signal in the future" \
    | otr-everywhere send green

?OTR:AAIDAAAAAAEAAAACAAAAwI9621JPUww7/fnFKD1RO7Pw6w5+rzAyPpQBoMfSfqwZ0xd
EOG3XTyV2GzA42YWFMdco+7/QmuLG0HYRTNiw/dqoctzYpjtZjeuR4xj34KsvoIcDrq5ox+Y
9eIN88Oc7SzkYS5qnAYjPsuCskuGfGdsG3Fvi5nup10Cm05YVEmFj6KB9Ge7fQxNqhdqXdZw
Y+Jz4pyevUIdksO9y1y+aBPOMz6etuV6f4gCElYjeAS0nOQJmw8Hj6NVVYrI3Fsg7vgAAAAA
AAAABAAAAQIfgQ/MiTqMnsxvuOjO8KeotZu6XuCRwPSCFRrpCNOhYQIF9eS2ivcdUpeC1B+u
KqlUAiSHa1BWC7HHoZy2ugAJbSbNcNCmUSD1F70XYzXbx28nz9AAAAAA=.
[green ~]$ pbpaste | otr-everywhere recv purple

yeah let's just use signal in the future

Hooray, it appears to work. Of course it is an outlandish way to communicate, but it does demonstrate some properties of OTR, such as how the four-step handshake becomes impractical over an asynchronous medium, and how OTR doesn’t protect the metadata of who is communicating or the frequency/timing/approximate size of their messages.
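The blobs in the transcript above can be told apart without any keys, because the base-64 payload starts with an unencrypted header: a 2-byte protocol version followed by a 1-byte message type. The following is an added example, not code from the original post or from OTR Everywhere. The name Classify and the type table are this example's own, the type values come from the OTR version 2 specification, and the samples are only the first eight base-64 characters of the transcript's messages.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Message type bytes defined by the OTR version 2 protocol specification.
var otrTypes = map[byte]string{
	0x02: "D-H Commit", 0x0a: "D-H Key", 0x11: "Reveal Signature",
	0x12: "Signature", 0x03: "Data",
}

var errNotOTR = errors.New("not an OTR-encoded message")

// Classify (a name made up for this example) returns the protocol version
// and message type carried in the header of one chat message.
func Classify(msg string) (version uint16, kind string, err error) {
	// Mediums such as email or SMS may wrap long lines, so drop whitespace.
	body := strings.Join(strings.Fields(msg), "")
	if !strings.HasPrefix(body, "?OTR:") || !strings.HasSuffix(body, ".") {
		return 0, "", errNotOTR
	}
	raw, err := base64.StdEncoding.DecodeString(body[len("?OTR:") : len(body)-1])
	if err != nil {
		return 0, "", fmt.Errorf("bad base64 payload: %w", err)
	}
	if len(raw) < 3 {
		return 0, "", errors.New("payload shorter than the 3-byte header")
	}
	version = uint16(raw[0])<<8 | uint16(raw[1]) // 2-byte big-endian version
	kind, ok := otrTypes[raw[2]]                 // 1-byte message type
	if !ok {
		kind = fmt.Sprintf("unknown type 0x%02x", raw[2])
	}
	return version, kind, nil
}

func main() {
	// Constructed samples: the first 8 base64 characters of each blob in the
	// transcript above (header only), one wrapped mid-message, one plain text.
	for _, m := range []string{"?OTR:AAICAAAA.", "?OTR:AAIKAAAA.", "?OTR:AAIRAAAA.",
		"?OTR:AAISAAAB.", "?OTR:AAID\nAAAA.", "hello"} {
		v, kind, err := Classify(m)
		fmt.Printf("%q -> version %d, %s, err=%v\n", m, v, kind, err)
	}
}
```

Anyone relaying or logging the text can read the same header, so the handshake stage and the split between handshake and data traffic are part of the metadata OTR leaves visible.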

Try it yourself

If you already have friends that use OTR you can try this out by manually sending them a handshake message. Their chat client should respond (very quickly) with the next step of the handshake and you can go from there. Some fun things to test include how out-of-order messages are handled and what happens when you complete a second handshake with a different fingerprint during an existing conversation.

Note that if you try this with an OTR-enabled chat client on your end, unexpected things can happen if it wraps your pasted OTR messages inside other OTR messages of its own. Either use the XML console for sending your messages or temporarily disable your OTR plugin to work around this.

Off the deep end

With a standalone OTR client it is possible to switch mediums during a conversation while the session remains intact. Really there is nothing stopping you from switching mediums after every single message. Well, nothing stopping you but common sense…