Off-the-Record Messaging is a protocol for encrypted conversations. From the user’s perspective, participating in an OTR conversation is just like using any other chat program, with the addition of that ever-important lock icon in the corner.
Occasionally something goes wrong and, instead of chat messages, raw blobs of OTR are barfed into the chat window.
This unfortunate glitch offers a glimpse into how OTR messages are transmitted. Specifically, they are encoded as base-64 plain text and sent as if they were regular chat messages. There is no special channel to keep OTR messages separate; instead clients look for the ?OTR: prefix to distinguish them.
The original OTR paper explains that it was designed this way to integrate more easily with chat clients, and also to allow you to communicate with your OTR friends and non-OTR friends without needing separate instant messaging networks.
Another more fun property is that it allows OTR conversations to take place over any medium that can transmit text. And wow, there sure are a lot of mediums that can transmit text: email, SMS, tweets, fax, UDP, Gopher, pagers, QR codes, postcards and microfilm to name a few.
Most clients come in the form of chat plug-ins, but I wanted a standalone program that exposed the raw OTR messages. So I whipped together OTR Everywhere. It is based off golang’s OTR implementation but hacked up a lot to make it work in this bizarre use-case, so don’t rely on it to protect the privacy or integrity of your conversations. Sorry about that, but hey, let’s experiment.
To start a conversation simply choose a name for your contact. In return you get an OTR message which you must send to your partner. This is the first of four (!) handshake messages that must be exchanged before a conversation can begin. Here is what a handshake between two people looks like:
[green ~]$ otr-everywhere new purple
New conversation. Send them this message to begin:
?OTR:AAICAAAAxJwJ1EmOsSRSvGgmfI3nsy5WKXP5k10Cgb/d6ndNP/XpdGSP5/nwpy4jAQE
yYTKEnNdpNPywLgvxKskAIAyv3K84edVYRVLDB1mujjygqaVcefTKTt6ZqUrCdmqaU3TMN4M
buA3PC2Drpo1bgdxRfTaDuBOrUBf89HiOFQ8eu9Fs9q/O9P14T4OfR3LVtCENo6h7TNYBRQL
HNACNw2WioeMpzkvk7e43SRWZmufcyUeChfaM4WaBofBmDZ4TL7zoGF5slQUAAAAgDYntRN+
uKb/+gUcXRhIKS9VmWZnKz6QOtnPQcO9zFFs=.

[purple ~]$ pbpaste | otr-everywhere recv green
Received request for a new conversation. Send this message back:
?OTR:AAIKAAAAwL14Z2yFWloBZxqGxC1WOGKlBopK99Eh7k7iPQ9+q+KGYUPXjB2kETaqfsV
tiN0ypDt0aoKg0zCmGQ8pkCoEMUWswXFySNPP+X45lbdiA3YzPNucniyplTWRBaKksEXhIOJ
03bpJNPVjRm2KnWz5nm9H/yNj4P1CKhUUnfhqCqWCUanVm5ddxggxMqggCumHxnJIFpTCZH4
VvwyCOYWYw3TMrEDfIGyHEog8agCw15cGF669yx5A/mE9m5Rs0b0k8A==.

[green ~]$ pbpaste | otr-everywhere recv purple
Conversation is being set up. Almost there. Send this message back:
?OTR:AAIRAAAAEKNleSSuJ3d2ocNAsz3s3goAAAHSc+Xnp546LdyW33qI5g3X5/FlrZUhLA3
Fb9C+EXQECUwxQESaOscrwjJI3YhWSbZrXEduW/GgVOvn33P6fL3AEpvrWp2BgKzF7X6mKoO
QGzXzs1TIRjZP/kFmxf89GEIapn2JEcSb87OLfV4VE21tkvFub7EttrHsXwDt7LYiZR3efwY
cf+7HENI1HypTie5Fq8hT+40mEq714HqnphAULqcrgLLOUn+qN0NlZq/c6FhetXQWK73jJBM
zT+rxMYJmJckGtpmtrJ6ac7chfwxrCLFrMIRu6KVswdMfSat0omtetwztnimmAQRtbNAI1+6
uejCOx6uBhbSn/JLIBY1fOi0FIwllqWpMuy4gh2bDTfKM/wL/wQ0AkU9qG7gwmrLst1SXUMo
0W1yEMRjGo257+qy4lgk+1CyDRC6wwA+ch1QISHWLhFgOkcl7rOWvGQ39bA9vW/+WbjtoKl2
7W3fA3xajO1+a90ZTPUNWjsa5jNLIvWoo45rqzs1a4eaAZ+C7Mi8BUCjmK0+OI37UxpmvQDk
Hiq4glZptUkyRX0xc87w/SXP3LGLomR5GjyqbxXbrLL2nasMfM9uQ5hTgOA4MxBQy7OhARnH
M3Pk40W/CW85iQuHcSaUwvk8ktem7JsiNI/vHldg/.

[purple ~]$ pbpaste | otr-everywhere recv green
Conversation ready on our end.
Their fingerprint: 3565B4DC D524278C D8545595 3A1C78DC 98C9E416
My fingerprint: A1D28446 12E82C8A CF873061 B89087F3 0F8E52F0
This is a new contact, so we are trusting the above fingerprint belongs to the correct person and not an eavesdropper. Compare fingerprints in-person for increased confidence in your privacy.
Send them the final handshake:
?OTR:AAISAAAB0testvxzsBGurojycLi4zzuNC5s/hfkHLONMWbp/RtdhDBDqrTK7Yvt8efL
DX5+sjmOcLTdh1ZrMlCoR1ztpuj9/nXGrIKWDYqi5VKfFbhrFGZnMa8UfD96J7pV9yVn5jv2
S8wCloS70J36R7VX6tQBymcqsvi+oQI5OUnaOwG451pAJ8qqW98934dgr0mxiac2nEAhVDgS
bDN+iX668tCc/ngXKGty6dKboq+NcvhPL1nJaZ0y+xl0cwJSuClHj3MR8H2igxh0FeTEGR2q
2JnHXKiMlSjqtcDxUbXauSz/2jlDUh+FFUHvNNJcbKTrX/BDa96DHJoNUb7nUp2j0CkfW0PD
GhWcdE+OFUny9c9qgGvCvaDxq6KBW1yfG6ifk/sFKeUtdhKeBuUKyOFpyxjYvAZMsnktz5O4
NF2eOAiFp82jfT7YVgUkTvmSDsP+B0tjUnTpfw/swCZTlFUYmKHREwvkVy3qMihsdSCWNcl8
ssJ3dHTaPN8fC9nYp08gQVrfD6+KX+FFQfySPyDYcAgwzlm9RBnRrrX382Nx2h2m3fSx8J3M
UWWDU45K86GGmXMEuMvUaZu9+HvhsUY7IgfrTEnQBiHeritQCwqpNty1c/b6kun2qvdOAAQU
aeR29MyseDtBfcxbvZQ==.
After that, you can chat using: otr-everywhere send green

[green ~]$ pbpaste | otr-everywhere recv purple
Conversation ready.
Their fingerprint: A1D28446 12E82C8A CF873061 B89087F3 0F8E52F0
My fingerprint: 3565B4DC D524278C D8545595 3A1C78DC 98C9E416
This is a new contact, so we are trusting the above fingerprint belongs to the correct person and not an eavesdropper. Compare fingerprints in-person for increased confidence in your privacy.
You can now chat using: otr-everywhere send purple
Phew. After that ordeal here is how you finally send and receive messages:
[green ~]$ echo "wow that was a nightmare" | otr-everywhere send purple
?OTR:AAIDAAAAAAEAAAABAAAAwNbK4fmJ7ZsoFrusb5Y+3Rj7w1maVu6UtIPjSi/fKhutYit
u6OG2UqhDZeNlar8LYKwVFNf7J3WcqVSR211p314wqZOSlvgYUUxbVUu44ER6Zo7Kq2nBcBu
Sk3jvq5D2y9MEva0l5krpO84vJ/4bTQK4k/OslOb3r+A5VAKDKwm8iBzSQs0gxOFUXWa3G8x
3gB/B0yfYe3I6ZV7XsTaB6KgrP5R4bXJYk56YQiJrlhMU0WmMV8b7qIO40VRpFbaj4AAAAAA
AAAABAAAAIDPRdfWYCHVFrFtqdZgMM0WNnEwih+jvPgrS70x58d089ikU58w2jH7LR5lEJlw
1FzeX5kQAAAAA.

[purple ~]$ pbpaste | otr-everywhere recv green
wow that was a nightmare

[purple ~]$ echo "yeah let's just use signal in the future" \
    | otr-everywhere send green
?OTR:AAIDAAAAAAEAAAACAAAAwI9621JPUww7/fnFKD1RO7Pw6w5+rzAyPpQBoMfSfqwZ0xd
EOG3XTyV2GzA42YWFMdco+7/QmuLG0HYRTNiw/dqoctzYpjtZjeuR4xj34KsvoIcDrq5ox+Y
9eIN88Oc7SzkYS5qnAYjPsuCskuGfGdsG3Fvi5nup10Cm05YVEmFj6KB9Ge7fQxNqhdqXdZw
Y+Jz4pyevUIdksO9y1y+aBPOMz6etuV6f4gCElYjeAS0nOQJmw8Hj6NVVYrI3Fsg7vgAAAAA
AAAABAAAAQIfgQ/MiTqMnsxvuOjO8KeotZu6XuCRwPSCFRrpCNOhYQIF9eS2ivcdUpeC1B+u
KqlUAiSHa1BWC7HHoZy2ugAJbSbNcNCmUSD1F70XYzXbx28nz9AAAAAA=.

[green ~]$ pbpaste | otr-everywhere recv purple
yeah let's just use signal in the future
Hooray, it appears to work. Of course it is an outlandish way to communicate, but it does demonstrate some properties of OTR, such as how the four-step handshake becomes impractical over an asynchronous medium, and how OTR doesn’t protect the metadata of who is communicating or the frequency/timing/approximate size of their messages.
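What a relay or eavesdropper can read from one of these encoded messages without holding any key, as an added Go example (not code from OTR Everywhere or the original post): it strips the ?OTR: framing and trailing period, undoes line wrapping, and reads the cleartext version and message-type bytes defined by the OTR version 2 specification. ParseOTR, Header and the sample input are names and data made up for this illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Message type bytes from the OTR version 2 protocol specification.
var typeNames = map[byte]string{
	0x02: "D-H Commit", 0x0a: "D-H Key", 0x11: "Reveal Signature",
	0x12: "Signature", 0x03: "Data",
}

// Header (hypothetical name) is what any observer can read without a key.
type Header struct {
	Version uint16
	Type    string
	Size    int // decoded message length in bytes
}

// ParseOTR (hypothetical name) decodes "?OTR:" + base64 + "." and reads the
// cleartext header. Whitespace picked up by line wrapping is removed first.
func ParseOTR(text string) (Header, error) {
	s := strings.TrimSpace(text)
	if !strings.HasPrefix(s, "?OTR:") || !strings.HasSuffix(s, ".") {
		return Header{}, fmt.Errorf("not an encoded OTR message")
	}
	body := strings.Join(strings.Fields(s[len("?OTR:"):len(s)-1]), "")
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return Header{}, fmt.Errorf("bad base64: %w", err)
	}
	if len(raw) < 3 {
		return Header{}, fmt.Errorf("message too short for a header")
	}
	name, ok := typeNames[raw[2]]
	if !ok {
		name = fmt.Sprintf("unknown (0x%02x)", raw[2])
	}
	return Header{Version: uint16(raw[0])<<8 | uint16(raw[1]), Type: name, Size: len(raw)}, nil
}

func main() {
	// Constructed sample: a 3-byte header plus zero padding, wrapped with a space.
	raw := append([]byte{0x00, 0x02, 0x0a}, make([]byte, 9)...)
	enc := base64.StdEncoding.EncodeToString(raw)
	fmt.Println(ParseOTR("?OTR:" + enc[:8] + " " + enc[8:] + "."))
}
```

The leading characters of the messages in the transcripts above (AAIC, AAIK, AAIR, AAIS, AAID) decode to version 2 followed by these five type bytes, in the order of the handshake steps and then the data messages.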
Try it yourself
If you already have friends that use OTR you can try this out by manually sending them a handshake message. Their chat client should respond (very quickly) with the next step of the handshake and you can go from there. Some fun things to test include how out-of-order messages are handled and what happens when you complete a second handshake with a different fingerprint during an existing conversation.
Note that if you try this with an OTR-enabled chat client on your end, unexpected things can happen if it wraps your pasted OTR messages inside other OTR messages of its own. Either use the XML console for sending your messages or temporarily disable your OTR plugin to work around this.
Off the deep end
With a standalone OTR client it is possible to switch mediums during a conversation while the session remains intact. Really there is nothing stopping you from switching mediums after every single message. Well, nothing stopping you but common sense…