OTR with bitlbee

Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR combines the AES symmetric cipher (AES-128 in counter mode), Diffie–Hellman key exchange and SHA-1/SHA-256 hashes (SHA-256 HMACs authenticate each message). In addition to authentication and encryption, OTR provides perfect forward secrecy (per-message keys are discarded, so a later key compromise does not expose old conversations) and deniability through malleable encryption: after the fact anyone can forge a plausible message, so a transcript proves nothing about who wrote what.

BitlBee has supported OTR natively since 3.0, but it is an optional build component.

Note that this requires running your own BitlBee. OTR is terminated inside the BitlBee process, not in your IRC client: BitlBee holds your private key and sees every message in plaintext. OTR functionality should therefore never be offered on any public server, as it only gives a false sense of security; the server operator can read (and log) everything. For the same reason, if you have logging turned on for BitlBee, your OTR messages are written to disk in the clear and the encryption is in vain. Also, the IRC connection between your client and BitlBee is not covered by OTR at all, so protect it (run BitlBee on localhost or connect over TLS), and remember that who you talk to and when remains visible to anyone who can observe your network connection.

For more information on how to use OTR, see help otr (typed in the BitlBee control channel) and other existing documentation.

Enabling OTR support

When using distro packages, there is hopefully a bitlbee-plugin-otr package you can install.

When compiling your own BitlBee, pass --otr=1 or --otr=plugin to the configure script.

You'll need the right version of the OTR library installed, with its development headers. See the following table for details.

Version reference

Since the OTR versions seem to be a bit confusing, here's a nice table explaining absolutely everything.

Protocol | Library      | .so name (ABI version) | Debian package | Supported bitlbee releases | Supported bitlbee bzr | Stability
---------+--------------+------------------------+----------------+----------------------------+-----------------------+----------
v2       | libotr 3.2.1 | libotr.so.2.2.1        | libotr2(-dev)  | 3.0 ... 3.2.1              | <=1000                | Stable
v3       | libotr 4.0.0 | libotr.so.5.0.0        | libotr5(-dev)  | 3.2.2                      | >=1011                | Stable

Note that some Debian/Ubuntu versions include a release called "3.2.1+otr4-1", which is actually based on bzr revision 1004 and uses libotr 4.0.0 (libotr5). This version is included in Debian unstable (sid), Debian testing (jessie) and Ubuntu 14.04 (trusty). It is unstable: do not use it. See Packages.

Debian wheezy?

Enable the backports repo to get libotr5!

OTR policies

The "magic whitespace pattern" that opportunistic OTR appends to plaintext messages consists only of space and tab characters: a 16-byte base sequence followed by one 8-byte block per protocol version the sender offers (see the "Tagged plaintext messages" section of the OTR spec for the exact bytes). A peer that understands OTR strips the tag and starts a session; one that does not just shows the message with some extra trailing whitespace, which might cause minor visual issues in some IM clients.
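The tagging described above, as an added example (this is not BitlBee or libotr code). The byte sequences are the ones given in the OTR spec's "Tagged plaintext messages" section; the sample messages are constructed for the demonstration. The detector consumes every 8-byte whitespace block after the base, recording the versions it knows, so an unknown (future-version) block does not leave stray whitespace behind.

```python
"""Build and detect the OTR whitespace tag used by opportunistic OTR."""

# Tag bytes from the OTR protocol spec ("Tagged plaintext messages").
TAG_BASE = b" \t  \t\t\t\t \t \t \t  "  # 16 bytes, always present
TAG_VERSIONS = {                           # 8 bytes per advertised version
    1: b" \t \t  \t ",
    2: b"  \t\t  \t ",
    3: b"  \t\t  \t\t",
}
WHITESPACE = {0x20, 0x09}


def add_whitespace_tag(msg: bytes, versions=(2, 3)) -> bytes:
    """Append the tag advertising the given protocol versions.  A client that
    does not speak OTR just sees trailing spaces/tabs on the message."""
    tag = TAG_BASE + b"".join(TAG_VERSIONS[v] for v in sorted(versions))
    return msg + tag


def find_whitespace_tag(msg: bytes):
    """Return (message with the tag removed, set of advertised versions).

    A message without a tag comes back unchanged with an empty set.  The tag
    may sit anywhere in the message; after the 16-byte base, every following
    8-byte block made only of spaces/tabs is consumed, and the ones we know
    are recorded (an unknown block would be a future protocol version)."""
    i = msg.find(TAG_BASE)
    if i < 0:
        return msg, set()
    j = i + len(TAG_BASE)
    versions = set()
    while len(msg) - j >= 8 and set(msg[j:j + 8]) <= WHITESPACE:
        for v, seq in TAG_VERSIONS.items():
            if msg[j:j + 8] == seq:
                versions.add(v)
        j += 8
    return msg[:i] + msg[j:], versions


if __name__ == "__main__":
    # Constructed sample: what a peer receives when opportunistic OTR is on.
    tagged = add_whitespace_tag(b"hi there", (2, 3))
    print(repr(tagged))
    print(find_whitespace_tag(tagged))
```

Running the block prints the tagged bytes (note the 32 bytes of whitespace after "hi there") and then the stripped message together with {2, 3}, which is what an OTR-aware peer uses to pick the protocol version for the key exchange it starts.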

Simple Question and Answer Response

You can authenticate a user's fingerprint by asking a question with the otr smpq command (this runs the Socialist Millionaire Protocol, SMP). The other side answers with otr smp. The answer must be something only the two of you know, since anyone who can guess it can pass the check:

   <@alice> otr connect bob
   <@alice> otr smpq bob "question question question" answer
   <@root> smp: initiating with bob...

On the other side:

   <@root> smp: initiated by alice with question: "question question question"
   <@root> smp: respond with otr smp alice <answer>
   <@bob> otr smp alice answer
   <@root> smp: responding to alice...
   <@root> smp alice: secrets proved equal, fingerprint trusted
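What "secrets proved equal, fingerprint trusted" rests on, as an added example (not BitlBee or libotr code). It follows the group arithmetic in the OTR spec's "Socialist Millionaires' Protocol" section in the 1536-bit MODP group OTR uses, but leaves out the zero-knowledge proofs the real protocol attaches to every value, so this toy is not safe against a peer who cheats. It also shows the detail that matters for the fingerprint check: OTR does not compare the bare answer but a hash that binds it to both fingerprints and the session id, so a man-in-the-middle relaying SMP between two sessions fails even with the right answer. The fingerprints and session ids are constructed sample values, not real keys.

```python
"""Toy SMP run: the arithmetic behind `otr smpq` / `otr smp` (no ZK proofs)."""
import hashlib
import secrets

# RFC 3526 group 5 (1536-bit MODP), generator 2: the group OTR uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates a subgroup of prime order Q


def rand_exp() -> int:
    """Random exponent in [1, Q-1], as each side picks for a2, a3, r, ..."""
    return 1 + secrets.randbelow(Q - 1)


def inv(v: int) -> int:
    return pow(v, -1, P)


def smp_secret(initiator_fpr: bytes, responder_fpr: bytes, ssid: bytes, answer: bytes) -> int:
    """The value each side actually compares:
    SHA-256(0x01 || initiator fingerprint || responder fingerprint || SSID || answer)."""
    data = b"\x01" + initiator_fpr + responder_fpr + ssid + answer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def run_smp(x: int, y: int) -> bool:
    """Alice holds secret x, Bob holds secret y.  Both learn only whether x == y."""
    # Message 1 (Alice): pick a2, a3; send g^a2, g^a3.
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)
    # Message 2 (Bob): pick b2, b3; send g^b2, g^b3.  Both sides now share
    # g2 = g^(a2*b2), g3 = g^(a3*b3).  Bob also sends Pb = g3^rb, Qb = g^rb * g2^y.
    b2, b3, rb = rand_exp(), rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)
    Pb = pow(g3_bob, rb, P)
    Qb = pow(G, rb, P) * pow(g2_bob, y, P) % P
    # Message 3 (Alice): derive the same g2, g3; send Pa, Qa and Ra = (Qa/Qb)^a3.
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    assert (g2_alice, g3_alice) == (g2_bob, g3_bob)
    ra = rand_exp()
    Pa = pow(g3_alice, ra, P)
    Qa = pow(G, ra, P) * pow(g2_alice, x, P) % P
    Ra = pow(Qa * inv(Qb) % P, a3, P)
    # Message 4 (Bob): send Rb = (Qa/Qb)^b3 and check Ra^b3 == Pa/Pb.
    Rb = pow(Qa * inv(Qb) % P, b3, P)
    bob_says_equal = pow(Ra, b3, P) == Pa * inv(Pb) % P
    # Alice checks Rb^a3 == Pa/Pb.  Both compute Rab = (Qa/Qb)^(a3*b3)
    # = g3^(ra-rb) * g2^((x-y)*a3*b3), which equals Pa/Pb = g3^(ra-rb) iff x == y.
    alice_says_equal = pow(Rb, a3, P) == Pa * inv(Pb) % P
    assert alice_says_equal == bob_says_equal
    return alice_says_equal


# Constructed sample identities (20-byte DSA fingerprints, 8-byte SSIDs), not real keys.
ALICE_FPR = hashlib.sha1(b"alice dsa pubkey (sample)").digest()
BOB_FPR = hashlib.sha1(b"bob dsa pubkey (sample)").digest()
MALLORY_FPR = hashlib.sha1(b"mallory dsa pubkey (sample)").digest()
SSID_AB = b"\x11" * 8                         # the session Alice and Bob share directly
SSID_AM, SSID_MB = b"\x22" * 8, b"\x33" * 8   # the two sessions through a MITM


def direct_session(alice_answer: bytes, bob_answer: bytes) -> bool:
    """Alice runs `otr smpq bob "..." <answer>`, Bob runs `otr smp alice <answer>`."""
    return run_smp(smp_secret(ALICE_FPR, BOB_FPR, SSID_AB, alice_answer),
                   smp_secret(ALICE_FPR, BOB_FPR, SSID_AB, bob_answer))


def mitm_session(answer: bytes) -> bool:
    """Mallory sits between Alice and Bob and relays SMP unchanged.  Each side's
    OTR session is with Mallory's key, so the fingerprints and SSIDs folded
    into the secret differ on the two sides even though the answer is the same."""
    return run_smp(smp_secret(ALICE_FPR, MALLORY_FPR, SSID_AM, answer),
                   smp_secret(MALLORY_FPR, BOB_FPR, SSID_MB, answer))


if __name__ == "__main__":
    print("same answer, direct session:", direct_session(b"tabby", b"tabby"))
    print("wrong answer:", direct_session(b"tabby", b"rex"))
    print("same answer through a MITM:", mitm_session(b"tabby"))
```

Only the first run reports equal secrets. The wrong-answer case shows why the question must have an answer only the two of you know; the MITM case shows that even a correct answer does not help an attacker who sits in the middle, which is what makes the resulting "fingerprint trusted" meaningful.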

Issues

OTR does NOT work (well) with offline messages.

Without a previous or subsequent chat session, offline messages from either party will not be passed on and no notification is sent. The reason is that OTR's key exchange needs both parties online, and session keys are rotated and discarded, so an encrypted message for which the recipient never obtained the keys cannot be read later. OTR messages are only delivered in these scenarios:

  1. Users "A" and "B" are in an OTR session when "B" disconnects. Messages from "A" are delivered after "B" reconnects.
  2. User "A" attempts an OTR session with the offline user "B", and "B" connects while "A" is still online.