vltf mailrss

OTR everywhere

Feb 2016

Off-the-Record Messaging is a protocol for encrypted conversations. From the user’s perspective participating in an OTR conversation is just like using any other chat program, with the addition that ever important lock icon in the corner.

Occasionally something goes wrong and instead of chat messages, raw blobs of OTR are barfed into the chat window:

This unfortunate glitch offers a glimpse into how OTR messages are transmitted. Specifically, they are encoded as base-64 plain text and sent as if they were regular chat messages. There is no special channel to keep OTR messages separate; instead clients look for the ?OTR: prefix to distinguish them.

The original OTR paper explains that it was designed this way to integrate more easily with chat clients, and also to allow you to communicate with your OTR friends and non-OTR friends without needing separate instant messaging networks.

Another more fun property is that it allows OTR conversations to take place over any medium that can transmit text. And wow, there sure are a lot of mediums that can transmit text: email, SMS, tweets, fax, UDP, Gopher, pagers, QR codes, postcards and microfilm to name a few.

Standalone client

Most clients come in the form of chat plug-ins, but I wanted a standalone program that exposed the raw OTR messages. So I whipped together OTR Everywhere. It is based off golang’s OTR implementation but hacked up a lot to make it work in this bizarre use-case, so don’t rely on it to protect the privacy or integrity of your conversations. Sorry about that, but hey, let’s experiment.

To start a conversation simply choose a name for your contact. In return you get an OTR message which you must send to your partner. This is the first of four (!) handshake messages that must be exchanged before a conversation can begin. Here is what a handshake between two people looks like:

[green ~]$ otr-everywhere new purple

New conversation. Send them this message to begin:

[purple ~]$ pbpaste | otr-everywhere recv green

Received request for a new conversation. Send this message back:

[green ~]$ pbpaste | otr-everywhere recv purple

Conversation is being set up. Almost there. Send this message back:

[purple ~]$ pbpaste | otr-everywhere recv green

Conversation ready on our end.

Their fingerprint: 3565B4DC D524278C D8545595 3A1C78DC 98C9E416
   My fingerprint: A1D28446 12E82C8A CF873061 B89087F3 0F8E52F0

This is a new contact, so we are trusting the above fingerprint belongs
to the correct person and not an eavesdropper. Compare fingerprints
in-person for increased confidence in your privacy.

Send them the final handshake:


After that, you can chat using:

otr-everywhere send green
[green ~]$ pbpaste | otr-everywhere recv purple

Conversation ready.

Their fingerprint: A1D28446 12E82C8A CF873061 B89087F3 0F8E52F0
   My fingerprint: 3565B4DC D524278C D8545595 3A1C78DC 98C9E416

This is a new contact, so we are trusting the above fingerprint belongs
to the correct person and not an eavesdropper. Compare fingerprints
in-person for increased confidence in your privacy.

You can now chat using:

otr-everywhere send purple

Phew. After that ordeal here is how you finally send and receive messages:

[green ~]$ echo "wow that was a nightmare" | otr-everywhere send purple

[purple ~]$ pbpaste | otr-everywhere recv green

wow that was a nightmare
[purple ~]$ echo "yeah let's just use signal in the future" \
    | otr-everywhere send green

[green ~]$ pbpaste | otr-everywhere recv purple

yeah let's just use signal in the future

Hooray, it appears to work. Of course it is an outlandish way to communicate, but it does demonstrate some properties of OTR. Such as how the four step handshake becomes impractical over an asynchronous medium, and how OTR doesn’t protect the metadata of who is communicating or the frequency/timing/approximate size of their messages.

Try it yourself

If you already have friends that use OTR you can try this out by manually sending them a handshake message. Their chat client should respond (very quickly) with the next step of the handshake and you can go from there. Some fun things to test include how out-of-order messages are handled and what happens when you complete a second handshake with a different fingerprint during an existing conversation.

Note that if you try this with an OTR-enabled chat client on your end, unexpected things can happen if it wraps your pasted OTR messages inside other OTR messages of its own. Either use the XML console for sending your messages or temporarily disable your OTR plugin to work around this.

Off the deep end

With a standalone OTR client it is possible to switch mediums during a conversation while the session remains intact. Really there is nothing stopping you from switching mediums after every single message. Well, nothing stopping you but common sense…