Prevent Communications Spying with O.T.R. Encryption and TOR in XMPP

September 23, 2015 | Views: 4123


With growing concern over online privacy, this is by far the best way I’ve found to keep your communications private: a combination of O.T.R., TOR, Linux and a trustworthy VPN service.

Note – This guide can be used by the following communities of people and others:

  • Activists: Operating around the world, with all governments spying on their citizens.
  • Hackers: Those who push the limits of technology, who need secure ways of communicating.
  • Hacktivists: While hacktivists around the world primarily hack for justice, the hacktivist communities are heavily spied upon by agencies and governments.
  • Social Engineers: As an SE, keeping your communications private is essential to your work. Whether it’s keeping the confidentiality of a client, staying hidden from a target or communicating with sensitive contacts, privacy is key.


First, I’ll list every service we’ll be using to achieve this level of anonymity and privacy. I’ll also assume you’re using a Linux distribution for your sensitive work.

Software Needed:


Once you have all the software and services downloaded and installed, begin by starting the TOR service. Open a terminal and type:

sudo service tor start

Continue by starting up your VPN Service in conjunction with TOR.

After TOR and a VPN are both running, continue by opening the Pidgin Chat Client and clicking Add Account.

The Add Account dialog box should appear. The configuration options should be as follows:

Protocol: XMPP

Username: Yourusername

Domain: (or any other off-shore provider that does NOT store logs)

Resource: Blank

Password: YourPassword

Local Alias: Optional


After all of that is filled out, move to the Proxy tab. Once there, click Proxy Type and set it to SOCKS5. The configuration should be as follows:


Port: 9050

Username: Blank

Password: Blank

Once that is filled in, make sure you check the option “Create This New Account On Server” and click Add.


Next, go to Tools > Plugins, find O.T.R. and enable it. Then enable the account and enjoy your secure Off-The-Record communications.
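
One way to confirm the proxy settings above were actually saved, as an added example that is not part of the original guide: the script reads Pidgin's saved account file and flags any XMPP account that is not pointed at a local SOCKS5 listener on port 9050. The file layout (~/.purple/accounts.xml, the prpl-jabber protocol id, the <proxy> element), the local host names and the sample accounts are assumptions; the guide itself gives only the proxy type and port.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout Pidgin 2.x is assumed to write to
# ~/.purple/accounts.xml; the account names and hosts are made up.
SAMPLE_ACCOUNTS_XML = """
<account version='1.0'>
 <account><protocol>prpl-jabber</protocol><name>alice@xmpp.example/</name>
  <proxy><type>socks5</type><host>127.0.0.1</host><port>9050</port></proxy>
 </account>
 <account><protocol>prpl-jabber</protocol><name>bob@xmpp.example/</name>
  <proxy><type>none</type></proxy>
 </account>
 <account><protocol>prpl-jabber</protocol><name>carol@xmpp.example/</name>
  <proxy><type>socks5</type><host>proxy.example</host><port>1080</port></proxy>
 </account>
 <account><protocol>prpl-jabber</protocol><name>dave@xmpp.example/</name>
 </account>
</account>
"""

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}  # assumption: Tor runs locally


def audit_accounts(xml_text, tor_port=9050):
    """Map each XMPP account name to 'ok' or the reason it may bypass Tor."""
    findings = {}
    for acct in ET.fromstring(xml_text.strip()).findall("account"):
        if acct.findtext("protocol") != "prpl-jabber":
            continue  # only XMPP accounts are in scope for this guide
        name = acct.findtext("name", default="?")
        proxy = acct.find("proxy")
        if proxy is None:
            # No <proxy> element: the account follows Pidgin's global setting.
            findings[name] = "no per-account proxy, follows global setting"
            continue
        ptype = (proxy.findtext("type") or "").strip()
        host = (proxy.findtext("host") or "").strip()
        port = (proxy.findtext("port") or "").strip()
        if ptype != "socks5":
            findings[name] = f"proxy type is '{ptype}', guide sets socks5"
        elif host not in LOCAL_HOSTS or port != str(tor_port):
            findings[name] = f"SOCKS5 points at {host}:{port}, not local Tor"
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_ACCOUNTS_XML).items():
        print(f"{account}: {finding}")
```

To audit a real profile, pass the contents of the account file to audit_accounts() in place of the sample string.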

To help better understand what makes this solution so secure, I’ll share a bit of information about the protocols and tools used in this guide.


“Extensible Messaging and Presence Protocol is a communications protocol for message-oriented middleware based on XML. It enables the near-real-time exchange of structured yet extensible data between any two or more network entities. Originally named Jabber, the protocol was developed by the Jabber open-source community in 1999 for near real-time instant messaging, presence information, and contact list maintenance. Designed to be extensible, the protocol has also been used for publish-subscribe systems, signalling for VoIP, video, file transfer, gaming, Internet of Things applications such as the smart grid, and social networking services.”


“TOR is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.”

An Off-Shore VPN:

All your traffic is securely routed through your provider before it’s decrypted and sent on to the open internet.

  • Thwart Network Surveillance: Bitmask VPN is very effective at bypassing most censorship and network surveillance by your ISP or country.
  • Anonymize your address: Your IP address will also be hidden, keeping your physical location safe from nefarious websites or network eavesdroppers.
  • Extra Security: We take extra security measures to prevent problems common to other personal VPNs, such as DNS leakage and IPv6 leakage.

Off-the-Record Messaging (OTR)

“…is a cryptographic protocol that provides encryption for instant messaging conversations. OTR uses a combination of AES symmetric-key algorithm with 128 bits key length, the Diffie–Hellman key exchange with 1536 bits group size, and the SHA-1 hash function. In addition to authentication and encryption, OTR provides forward secrecy and malleable encryption.

The primary motivation behind the protocol was providing deniable authentication for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with cryptography tools that produce output which can be later used as a verifiable record of the communication event and the identities of the participants. The initial introductory paper was named “Off-the-Record Communication, or, Why Not To Use PGP”.

The OTR protocol was designed by cryptographers Ian Goldberg and Nikita Borisov and released on 26 October 2004. They provide a client library to facilitate support for instant messaging client developers who want to implement the protocol. A Pidgin and Kopete plugin exists that allows OTR to be used over any IM protocol supported by Pidgin or Kopete, offering an auto-detection feature that starts the OTR session with the buddies that have it enabled, without interfering with regular, unencrypted conversations.”

By combining these services, you get a much better solution for encrypted, anonymous communications than, let’s say, with IRC.

I hope this information is useful to some of you. Thank you 🙂

  1. It’s been known for some time now, and more recently publicized that even in TOR, the exit node will always ID you.

    Granted, it takes 2 to isolate a node, but if an entity was moto enough to do so, they will.

    Great article though.

  2. Well, I would suggest, instead of using Tor as a service, better to go with an I2P tunnel + set up IRC with it (xfire etc.). Nice article.

    • Pr0m3th3us,
      I agree. I believe TOR is only a somewhat safe way to go but is only a little safer than a public server now. It is no longer the anonymous powerhouse it once was. It’s better to use a private VPN service behind TOR. Although this isn’t necessarily foolproof either, it adds one layer of protection on top of the other and makes your public IP harder to get to. Again, nothing is really foolproof, and the more relays, proxies, and VPNs you add, the slower the network becomes, but in this day of SSL stripping, proxy bypassing, and node spoofing, privacy is much better than speed.
