@cmahns
Last active September 24, 2024 14:40

Revisions

  1. cmahns revised this gist Sep 3, 2015. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion otrdm.md
    @@ -88,7 +88,7 @@ Okay, now what?

    Find a friend that has followed these instructions, and DM away! "Easy" right?

    Okay it's a little finiky to deal with and set up I admit, but this is the best options we have at the moment.
    Okay it's a little finicky to deal with and set up I admit, but this is the best options we have at the moment.
    If you want OTR (or a better protocol like TextSecure) to be supported and widely adopted, lobbying Twitter and developers of third party clients is necessary.

    This work is licensed under a Creative Commons Attribution 4.0 International License.
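
    Review bot: In the replaced sentence, the spelling fix to "finicky" leaves the number disagreement in "this is the best options" untouched. Since the line is being edited anyway, change it to "this is the best option we have" or "these are the best options we have".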
  2. cmahns revised this gist Sep 1, 2015. 1 changed file with 38 additions and 28 deletions.
    66 changes: 38 additions & 28 deletions otrdm.md
    @@ -6,10 +6,13 @@ Sadly, DM's are still sent in plaintext between users and Twitter has [no plans
    Since these are stored in plaintext at rest, an [adversary](https://web.archive.org/web/20110112061516/http:/www.salon.com/news/opinion/glenn_greenwald/2011/01/07/twitter/subpoena.pdf) can see the content of the message you are sending, which the two parties might not wish to happen.
    Fortunately as a few applications with basic Twitter support which also have excellent support for OTR, all hope isn't lost and it is possible to have the dream of end-to-end encrypted DMs, without the headache that [copying and pasting PGP messages](https://twitter.com/runasand/status/632225743880237056) might bring.

    Below are guides for setting up your Twitter account in Pidgin, Adium, and Bitlbee.

    In a previous version of these instructions I wrote on how to set up Adium and Pidgin as standalone clients for Twitter+OTR.
    Sadly due to problems with the Twitter libraries in each of these respective clients, this is near impossible as of 2015-08-31, but can be fixed in future versions.

    Below are guides for setting up your Twitter account in Bitlbee, which will allow you to connect to it with a client of your choosing.
    I've tested out sending messages between two twitter accounts I control in each of these clients following these steps.

    EDIT: As of 2015-08-30 I've been unable to make Pidgin's OTR plugin cooperate with Twitter. I plan on investigating it a bit more when I have time.

    Important Threat Model Note
    ---------------------------
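
    Review bot: The sentence "I've tested out sending messages ... in each of these clients" now sits directly under a line that names only Bitlbee, and right after a paragraph saying the standalone Adium and Pidgin setups are near impossible, so "each of these clients" no longer has a clear referent. State which IRC clients were actually tested through Bitlbee, and on what date, so readers know which combinations are known to carry OTR end to end.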
    @@ -27,6 +30,25 @@ Unless the two parties are taking clear steps to anonymize these (like using thr
    Also, I would like to note that the below clients can only currently handle a two-way conversation as mpOTR isn't implemented in these applications yet.
    So for the time being, your group chats will still be sent in plaintext.

    Bitlbee (Cross-platform)
    ------------------------

    Difficulty: Advanced

    Note: Bitlbee isn't a stand-alone client like the Adium and Pidgin, but an IRC<->IM gateway.
    You will need an IRC client which has OTR support to connect to the Bitlbee gateway to send encrypted DMs.
    Pidgin, Adium, Weechat with the otr.py script, and irssi-otr all have OTR support for IRC, and have decent communities that can help if you run into any snags

    1. Install Bitlbee -- should be in your package manager on Linux, for other platforms (like Cygwin or OS X), you will need to compile from source.
    2. Once Bitlbee is installed and configured to your liking, connect your IRC client to it -- Instructions for how to do this in Pidgin and Adium are below. Scroll down to set up your clients if not already set up!
    3. Type `register $password` where $password is a unique password that only you know. This is used for persistance between connections to Bitlbee
    4. Type `account add twitter $username` where $username is the username of your twitter account
    5. Type `account list` to list all the accounts you have set up in Bitlbee. This will give you a list of numbers, take the number that is next to your twitter username. If you haven't configured any accounts, the number will be 0
    6. Type `account $number on` where $number is the number from Step 5.
    6. Bitlbee will now try to connect to your twitter account, which will send the URL to authorize this as a Twitter client in a PM buffer. Click that URL to proceed.

    If a connection to bitlbee is lost, you can always reconnect with your client and type `identify $password` where $password is the value you set during Step 3 of the Bitlbee instructions.

    Pidgin (Windows and Linux)
    --------------------------

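    Review bot: The step list in the new Bitlbee section has two items numbered "6." (`account $number on` and the Twitter authorization step); renumber the last one to 7 so that references such as "the number from Step 5" and "Step 3 of the Bitlbee instructions" stay unambiguous in the raw text. "persistance" in step 3 should be "persistence", and the sentence ending in "if you run into any snags" lacks its full stop.
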
    @@ -35,50 +57,38 @@ Difficulty: Easy
    1. Download and install the following:
    * Pidgin from https://pidgin.im
    * If on Windows, download the [OTR library for Pidgin](https://otr.cypherpunks.ca/). Linux should include the library by default.
    * Download the latest copy of [prpltwtr](https://github.com/mikeage/prpltwtr/releases), this is needed to add support for Twitter
    2. After all of these are installed, start Pidgin
    3. Click `Accounts` -> `Manage Accounts` -- this will bring up the **Accounts** window
    4. In the **Accounts** window, click the `Add` button
    5. In the **Add Account** window, change the `Protocol` dropdown to `Twitter Protocol`
    6. Enter in the Twitter Username you wish to connect
    7. Click `Add`
    5. In the **Add Account** window, change the `Protocol` dropdown to `IRC`
    6. Enter in the `Username` you set up with your Bitlbee instance. This will likely be your username.
    7. Under the `Server` field, enter in `localhost` -- this is assuming that you are running bitlbee on the same box as your chat client
    8. In the **Advanced** tab, change `Port` to the value you specified in your bitlbee configuration file (default is 6667)
    9. Click `Add`

    A pop-up window will appear asking you to authorize Pidgin as an approved Twitter client. Follow the steps in your web browser and you will be good to go.
    From here proceed with step 3 in the Bitlbee instructions

    Adium (OS X)
    ------------

    Difficulty: Easy

    1. Download the latest version of Adium from https://adium.im -- Adium includes OTR and Twitter support out of the box
    1. Download the latest version of Adium from https://adium.im -- Adium includes OTR support out of the box
    2. Click `Adium` in the Menu Bar, then click `Preferences`. This will open the **Preferences** window
    3. Click on `Accounts`, then click on the `+` Menu at the bottom, then select `Twitter`
    4. Enter in your account information.

    You will receive a popup similar to Pidgin to authorize your account.

    Bitlbee (Cross-platform)
    ------------------------

    Difficulty: Advanced

    Note: Bitlbee isn't a stand-alone client like the Adium and Pidgin, but an IRC<->IM gateway.
    You will need an IRC client which has OTR support to connect to the Bitlbee gateway to send encrypted DMs.
    Pidgin, Adium, Weechat with the otr.py script, and irssi-otr all have OTR support for IRC
    3. Click on `Accounts`, then click on the `+` Menu at the bottom, then select `IRC`
    4. Enter in your username into the `Nickname` field
    5. Enter in `localhost` into the `Hostname` field
    6. Under **Options**, change `Port` to the right number (6667 is the default)
    7. Click `OK`

    1. Install Bitlbee -- should be in your package manager on Linux, for other platforms (like Cygwin or OS X), you will need to compile from source.
    2. Once Bitlbee is installed and configured to your liking, connect your IRC client to it
    3. Type `account add twitter $username` where $username is the username of your twitter account
    4. Type `account list` to list all the accounts you have set up in Bitlbee. This will give you a list of numbers, take the number that is next to your twitter username. If you haven't configured any accounts, the number will be 0
    5. Type `account $number on` where $number is the number from Step 4.
    6. Bitlbee will now try to connect to your twitter account, which will send the URL to authorize this as a Twitter client in a PM buffer. Click that URL to proceed.
    From here proceed with step 3 in the Bitlbee instructions

    Okay, now what?
    ---------------

    Find a friend that has followed these instructions, and DM away! "Easy" right?

    Okay it's a little finiky to deal with and set up I admit, but this is the best options we have at the moment.
    If you want OTR (or a better protocol like TextSecure) to be supported, lobbying Twitter and developers of third party clients might be necessary.
    If you want OTR (or a better protocol like TextSecure) to be supported and widely adopted, lobbying Twitter and developers of third party clients is necessary.

    This work is licensed under a Creative Commons Attribution 4.0 International License.
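
    Review bot: The Pidgin download list still includes prpltwtr as "needed to add support for Twitter", but the new step 5 sets the `Protocol` dropdown to `IRC` and Twitter is now reached through Bitlbee. Drop that bullet, or say why it is still required, so readers do not install a plugin the procedure never uses. The Pidgin and Adium sections also keep "Difficulty: Easy" while both now hand off to the Bitlbee steps, which are marked "Difficulty: Advanced".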
  3. cmahns revised this gist Aug 31, 2015. 1 changed file with 7 additions and 2 deletions.
    9 changes: 7 additions & 2 deletions otrdm.md
    @@ -6,7 +6,10 @@ Sadly, DM's are still sent in plaintext between users and Twitter has [no plans
    Since these are stored in plaintext at rest, an [adversary](https://web.archive.org/web/20110112061516/http:/www.salon.com/news/opinion/glenn_greenwald/2011/01/07/twitter/subpoena.pdf) can see the content of the message you are sending, which the two parties might not wish to happen.
    Fortunately as a few applications with basic Twitter support which also have excellent support for OTR, all hope isn't lost and it is possible to have the dream of end-to-end encrypted DMs, without the headache that [copying and pasting PGP messages](https://twitter.com/runasand/status/632225743880237056) might bring.

    Below are guides for setting up your Twitter account in Pidgin, Adium, and Bitlbee. I've tested out sending messages between two twitter accounts I control in each of these clients following these steps.
    Below are guides for setting up your Twitter account in Pidgin, Adium, and Bitlbee.
    I've tested out sending messages between two twitter accounts I control in each of these clients following these steps.

    EDIT: As of 2015-08-30 I've been unable to make Pidgin's OTR plugin cooperate with Twitter. I plan on investigating it a bit more when I have time.

    Important Threat Model Note
    ---------------------------
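
    Review bot: The new EDIT line says Pidgin's OTR plugin could not be made to cooperate with Twitter, yet the sentence directly above it still claims messages were tested "in each of these clients" and Pidgin is still listed first among the guides. Qualify the tested claim and repeat the caveat at the top of the Pidgin section, otherwise a reader who jumps straight to that section may assume their DMs are encrypted when OTR never engaged.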
    @@ -76,4 +79,6 @@ Okay, now what?
    Find a friend that has followed these instructions, and DM away! "Easy" right?

    Okay it's a little finiky to deal with and set up I admit, but this is the best options we have at the moment.
    If you want OTR (or a better protocol like TextSecure) to be supported, lobbying Twitter and developers of third party clients might be necessary.
    If you want OTR (or a better protocol like TextSecure) to be supported, lobbying Twitter and developers of third party clients might be necessary.

    This work is licensed under a Creative Commons Attribution 4.0 International License.
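
    Review bot: The added license line names the "Creative Commons Attribution 4.0 International License" as plain text with no link, so readers cannot reach the terms from the document. Make it a Markdown link to https://creativecommons.org/licenses/by/4.0/. The line "If you want OTR ..." also appears twice in this hunk with identical wording, which suggests a whitespace-only or end-of-file newline change that could be left out of the revision.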
  4. cmahns created this gist Aug 30, 2015.
    79 changes: 79 additions & 0 deletions otrdm.md
    @@ -0,0 +1,79 @@
    Twitter DM + OTR: A quick and dirty tutorial
    ============================================

    With the recent [removal of the 140-character limit in Direct Messages](https://blog.twitter.com/2015/removing-the-140-character-limit-from-direct-messages) by Twitter, DM's have now become a much more useful platform for communicating between individuals and groups.
    Sadly, DM's are still sent in plaintext between users and Twitter has [no plans currently](https://www.theverge.com/2014/3/19/5523656/twitter-gives-up-on-encrypting-direct-messages-at-least-for-now) on encrypting these messages, at least as of August 2015.
    Since these are stored in plaintext at rest, an [adversary](https://web.archive.org/web/20110112061516/http:/www.salon.com/news/opinion/glenn_greenwald/2011/01/07/twitter/subpoena.pdf) can see the content of the message you are sending, which the two parties might not wish to happen.
    Fortunately as a few applications with basic Twitter support which also have excellent support for OTR, all hope isn't lost and it is possible to have the dream of end-to-end encrypted DMs, without the headache that [copying and pasting PGP messages](https://twitter.com/runasand/status/632225743880237056) might bring.

    Below are guides for setting up your Twitter account in Pidgin, Adium, and Bitlbee. I've tested out sending messages between two twitter accounts I control in each of these clients following these steps.

    Important Threat Model Note
    ---------------------------

    Before we get to the instructions, I want to make it absolutely clear that doing this protects the **content** that is being sent in each DM.
    The following is still possible to view by Twitter:

    * Whom you are exchanging messages with
    * What times the messages are being sent
    * The overall length of the conversation
    * What IP addresses were accessing each Twitter account

    Unless the two parties are taking clear steps to anonymize these (like using throwaway Twitter accounts, tied to a throwaway email address, connected to only using Tor), an adversary can still figure out that Akiko is talking to Boris.

    Also, I would like to note that the below clients can only currently handle a two-way conversation as mpOTR isn't implemented in these applications yet.
    So for the time being, your group chats will still be sent in plaintext.

    Pidgin (Windows and Linux)
    --------------------------

    Difficulty: Easy

    1. Download and install the following:
    * Pidgin from https://pidgin.im
    * If on Windows, download the [OTR library for Pidgin](https://otr.cypherpunks.ca/). Linux should include the library by default.
    * Download the latest copy of [prpltwtr](https://github.com/mikeage/prpltwtr/releases), this is needed to add support for Twitter
    2. After all of these are installed, start Pidgin
    3. Click `Accounts` -> `Manage Accounts` -- this will bring up the **Accounts** window
    4. In the **Accounts** window, click the `Add` button
    5. In the **Add Account** window, change the `Protocol` dropdown to `Twitter Protocol`
    6. Enter in the Twitter Username you wish to connect
    7. Click `Add`

    A pop-up window will appear asking you to authorize Pidgin as an approved Twitter client. Follow the steps in your web browser and you will be good to go.

    Adium (OS X)
    ------------

    Difficulty: Easy

    1. Download the latest version of Adium from https://adium.im -- Adium includes OTR and Twitter support out of the box
    2. Click `Adium` in the Menu Bar, then click `Preferences`. This will open the **Preferences** window
    3. Click on `Accounts`, then click on the `+` Menu at the bottom, then select `Twitter`
    4. Enter in your account information.

    You will receive a popup similar to Pidgin to authorize your account.

    Bitlbee (Cross-platform)
    ------------------------

    Difficulty: Advanced

    Note: Bitlbee isn't a stand-alone client like the Adium and Pidgin, but an IRC<->IM gateway.
    You will need an IRC client which has OTR support to connect to the Bitlbee gateway to send encrypted DMs.
    Pidgin, Adium, Weechat with the otr.py script, and irssi-otr all have OTR support for IRC

    1. Install Bitlbee -- should be in your package manager on Linux, for other platforms (like Cygwin or OS X), you will need to compile from source.
    2. Once Bitlbee is installed and configured to your liking, connect your IRC client to it
    3. Type `account add twitter $username` where $username is the username of your twitter account
    4. Type `account list` to list all the accounts you have set up in Bitlbee. This will give you a list of numbers, take the number that is next to your twitter username. If you haven't configured any accounts, the number will be 0
    5. Type `account $number on` where $number is the number from Step 4.
    6. Bitlbee will now try to connect to your twitter account, which will send the URL to authorize this as a Twitter client in a PM buffer. Click that URL to proceed.

    Okay, now what?
    ---------------

    Find a friend that has followed these instructions, and DM away! "Easy" right?

    Okay it's a little finiky to deal with and set up I admit, but this is the best options we have at the moment.
    If you want OTR (or a better protocol like TextSecure) to be supported, lobbying Twitter and developers of third party clients might be necessary.
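
    Review bot: The "Okay, now what?" section goes from account setup straight to "DM away!" without any step that starts an OTR session or verifies the other party's fingerprint. Each client section ends once the Twitter authorization is done, so a reader can finish the guide and still be sending plaintext DMs. Add a short section on starting the private conversation in the client and verifying the peer's OTR fingerprint over another channel before relying on it. The three bullets under Pidgin step 1 are also not indented, so they do not nest under that step.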