Monday, April 25, 2011

Secure Communications

Hi John,
I would prefer that you copy and paste this into a main article, instead of making it only a comment.
You may give credit: thanks to E.
======================================

Secure Telecommunications

People should learn quickly to abandon email in general and switch over as fast as possible to Jabber, which is also called XMPP. With Jabber each party must agree to accept telecommunication from the opposite party, therefore there is no spam. The messages are transferred instantly, or if the other party is not online, the message is stored on the Jabber server. Group chat is also possible.

The Jabber client (program) can be set to only connect to the Jabber server via a secure SSL connection.

You will of course avoid all commercial implementations of Jabber like the black plague and use only open-source servers. Do NOT use Microsoft, MSN Messenger, AOL, Yahoo, ICQ, etc. implementations, only open-source pure Jabber servers.

For increased security, use the Jabber client called Pidgin and install the encryption add-on called OTR. Once you generate and exchange OTR security certificates, you will have a VERY secure way to text chat. Unfortunately, Pidgin only has voice in the Linux version, not yet in the Windows version.

For Windows, I advise always using so-called "portable" versions of programs, if available, since they do not install into the Windows registry. A portable version of Pidgin and OTR, as well as many other programs, can be found at www.portableapps.com, specifically at http://portableapps.com/apps/internet/pidgin_portable
and
http://downloads.sourceforge.net/portableapps/Pidgin-OTR_Portable_3.2_Rev_2.paf.exe?download

Do NOT use Pidgin encryption, use only OTR encryption; these two are not the same.

Another interesting cross-platform Jabber program is called Jitsi. It is still in beta, but is under extremely active development, with the program changing almost every day. Jitsi already includes both OTR for secure text chat and ZRTP for secure voice calls, so there is no need to install any add-ons. ZRTP (Zfone) was conceived and written by Phil Zimmermann of PGP fame (http://zfoneproject.com/).

Using the ZRTP protocol is the *ONLY* way to have a secure voice chat. Skype and others are NOT secure.

Jitsi has a user forum where beginners can get help. See http://www.jitsi.org/ .
Once again, use only a pure Jabber server, NOT commercial offerings like AIM/ICQ, Windows Live, MSN Messenger, Yahoo!, etc.
You can subscribe to the Jitsi users forum by sending an email to
users-subscribe@jitsi.java.net


Q. How do I find a pure Jabber open-source server?
A. Tell your Jabber client (program) to register to, for example
jabber.org
or if you are behind a company firewall, you can use the server at
jabber80.com which sneaks through port 80 that Web browsers use. Of course, you can use this server anywhere, even at home.
Most Jabber servers allow automatic, unattended registration of new users.

If you want to use your own private Jabber/XMPP server, and you know hardware and software, you can find a list at
http://xmpp.org/xmpp-software/servers/
ejabberd is a good server.


Another interesting program and concept is the Retroshare program. This uses no server at all, but does not yet have voice.
It may be a bit challenging for someone not familiar with computers and routers.
http://retroshare.sourceforge.net/

Conclusion

For the best secure text chat, use Pidgin Portable in combination with OTR Portable.

For the best secure voice conversations, use the ZRTP protocol in Jitsi or use the Zfone add-on.
Attention: when using ZRTP, both partners should verbally exchange the SAS code on their very first voice conversation, and the code read aloud should agree with the one displayed in the program.
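
Why the spoken comparison matters, shown with a simplified model added here (not code from Jitsi, Zfone or the ZRTP specification): each side derives a short code from its Diffie-Hellman secret, and a relay sitting between the callers ends up with a different secret on each leg, so the two displayed codes disagree. The toy group, the SHA-256 derivation and all function names are assumptions for illustration; real ZRTP uses its own key derivation and a hash commitment that are not modelled.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for illustration; far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

Z_BASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Secret this side computes from its private key and the public key it received."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def short_code(secret):
    """Render the leftmost 20 bits of SHA-256(secret) as four base32 characters."""
    digest = hashlib.sha256(secret).digest()
    bits = int.from_bytes(digest[:3], "big") >> 4  # keep the top 20 of 24 bits
    return "".join(Z_BASE32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


def direct_call():
    """Both parties receive each other's real public key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return short_code(shared_secret(a_priv, b_pub)), short_code(shared_secret(b_priv, a_pub))


def relayed_call():
    """A relay substitutes its own public keys on each leg of the call."""
    a_priv, _a_pub = keypair()
    b_priv, _b_pub = keypair()
    _, relay_pub_to_a = keypair()  # what the first caller receives instead of the peer's key
    _, relay_pub_to_b = keypair()  # what the second caller receives instead of the peer's key
    return (short_code(shared_secret(a_priv, relay_pub_to_a)),
            short_code(shared_secret(b_priv, relay_pub_to_b)))


if __name__ == "__main__":
    print("direct call codes: ", direct_call())   # the two codes match
    print("relayed call codes:", relayed_call())  # the two codes differ
```

With only 20 bits, two unrelated secrets collide about once in a million tries, which is why the codes have to be read aloud and compared on the first call rather than assumed to match.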

1 comment:

Gavin said...

I am finding that many of the legitimate emails we send to AOL, MSN, Gmail and Yahoo clients never get to them. Can we use Jabber to improve our customer communications or do they have to set up Jabber on their PCs to be able to receive emails from us?