otr.cypherpunks.ca (198.96.155.5)

Submitted URL: http://www.cypherpunks.ca/otr/
Effective URL: https://otr.cypherpunks.ca/
Submission: On July 23 via manual from AU — Scanned from CA


OFF-THE-RECORD MESSAGING

Off-the-Record (OTR) Messaging allows you to have private conversations over
instant messaging by providing:

 * Encryption: No one else can read your instant messages.
 * Authentication: You are assured the correspondent is who you think it is.
 * Deniability: The messages you send do not have digital signatures that are
   checkable by a third party. Anyone can forge messages after a conversation
   to make them look like they came from you. However, during a conversation,
   your correspondent is assured the messages he sees are authentic and
   unmodified.
 * Perfect forward secrecy: If you lose control of your private keys, no
   previous conversation is compromised.


PRIMARY DOWNLOAD: WIN32 INSTALLER FOR PIDGIN-OTR 4.0.2 (SIG) [OTHER DOWNLOADS]


NEWS

9 Mar 2016

Security update: libotr version 4.1.1

Versions 4.1.0 and earlier of libotr in 64-bit builds contain an integer
overflow security flaw. This flaw could potentially be exploited by a remote
attacker to cause a heap buffer overflow and subsequently for arbitrary code to
be executed on the user's machine.

CVE-2016-2851 has been assigned to this issue.

Please upgrade to libotr version 4.1.1 immediately.

Users of libotr packages in Linux and *BSD distributions should see updated
packages shortly.

This security release includes the following updates:

 * Fix an integer overflow bug that can cause a heap buffer overflow (and from
   there remote code execution) on 64-bit platforms
 * Fix possible free() of an uninitialized pointer
 * Be stricter about parsing v3 fragments
 * Add a testsuite ("make check" to run it), but only on Linux for now, since it
   uses Linux-specific features such as epoll
 * Fix a memory leak when reading a malformed instance tag file
 * Protocol documentation clarifications



pidgin-otr version 4.0.2 released

This point release includes the following updates:

 * Fix use-after-free issue during SMP
 * Updated Spanish, German, Norwegian Bokmål translations
 * New Danish translation
 * The Windows binary has been linked with updated versions of libotr,
   libgcrypt, libgpg-error, and other supporting libraries






DOWNLOADS


OTR LIBRARY AND TOOLKIT

This is the portable OTR Messaging Library, as well as the toolkit to help you
forge messages. You need this library in order to use the other OTR software on
this page. [Note that some binary packages, particularly Windows, do not have a
separate library package, but just include the library and toolkit in the
packages below.] The current version is 4.1.1.

README

UPGRADING from version 3.2.x

 * Source code (4.1.1): Compressed tarball (sig)


JAVA OTR LIBRARY

This is the Java version of the OTR library. This is for developers of Java
applications that want to add support for OTR. End users do not require this
package. It's still early days, but you can download java-otr version 0.1.0
(sig).


OTR PLUGIN FOR PIDGIN

This is a plugin for Pidgin 2.x which implements Off-the-Record Messaging over
any IM network Pidgin supports. The current version is 4.0.2.

README

 * Source code (4.0.2): Compressed tarball (sig)
 * Windows (4.0.2): Win32 installer for pidgin 2.x (sig)
 * Windows (4.0.2): Win32 zipfile (manual installation) for pidgin 2.x (sig)


OTR LOCALHOST AIM PROXY

This software is no longer supported. Please use an IM client with native
support for OTR.

This is a localhost proxy you can use with almost any AIM client in order to
participate in Off-the-Record conversations. The current version is 0.3.1, which
means it's still a long way from done. Read the README file carefully. Some
things it's still missing:

 * Username/password authentication to the proxy
 * Having the proxy be able to use outgoing proxies itself
 * Support for protocols other than AIM/ICQ
 * Configurability of the proxy types and ports it uses

But it should work for most people. Please send feedback to the otr-users
mailing list, or to the dev team. You may need the above library packages.

README

 * Source code (0.3.1): Compressed tarball (sig)
 * Windows (0.3.1): Win32 installer (sig)
 * OS X (0.3.1): OS X package



SOURCE CODE REPOSITORY AND BUGTRACKER

You can find a git repository of the OTR source code, as well as the bugtracker,
on the otr.im community development site:

 * libotr git repo: https://bugs.otr.im/git/libotr.git ;
   git://git.otr.im/libotr.git
 * pidgin-otr git repo: https://bugs.otr.im/git/pidgin_otr.git ;
   git://git.otr.im/pidgin_otr.git
 * Bugtracker: https://bugs.otr.im


MAILING LISTS

If you use OTR software, you should join at least the otr-announce mailing list,
and possibly otr-users (for users of OTR software) or otr-dev (for developers of
OTR software) as well.


DOCUMENTATION

INSTALLATION AND SETUP GUIDES

pidgin-otr tutorial from the Security-in-a-Box project
Video OTR tutorial (by Niels)
Adium, Pidgin & OTR (auf Deutsch, by Christian Franke)
Miranda, Pidgin, Kopete & OTR (auf Deutsch, by Missi)
Adium X with OTR
OTR proxy on Mac OS X
pidgin-otr on gentoo (from "X")
gaim-otr on Debian unstable (from Adam Zimmerman)
gaim-otr on Windows (from Adam Zimmerman)
gaim-otr 3.0.0 on Ubuntu (from Adam Zimmerman). Note that Ubuntu breezy has
gaim-otr 2.0.2 in it, and all you should have to do is "apt-get install
gaim-otr".


We would greatly appreciate instructions and screenshots for other platforms!

ABOUT OTR

Here are some documents and papers describing OTR. The CodeCon presentation is
quite useful to get started.

 * Protocol description (version 3)
 * Protocol description (version 2)
 * Our SOUPS 2008 paper
 * Our WPES 2007 paper
 * Our WPES 2004 paper
 * Our WPES presentation (Powerpoint)
 * Our WPES presentation (PDF)
 * Our CodeCon presentation (PDF)


FREQUENTLY ASKED QUESTIONS

What implementations of Off-the-Record Messaging are there?

Please see our OTR-enabled software page. The OTR functionality is separated
into the Off-the-Record Messaging Library (libotr), which is an LGPL-licensed
library that can be used to (hopefully) easily produce OTR plugins for other IM
software, or for other applications entirely.

What is the license for the OTR software?

The Off-the-Record Messaging Library is licensed under version 2.1 of the GNU
Lesser General Public License. The Off-the-Record Toolkit, the pidgin-otr
plugin, and the OTR proxy are licensed under version 2 of the GNU General
Public License.

How is this different from the pidgin-encryption plugin?

The pidgin-encryption plugin provides encryption and authentication, but not
deniability or perfect forward secrecy. If an attacker or a virus gets access to
your machine, all of your past pidgin-encryption conversations are retroactively
compromised. Further, since all of the messages are digitally signed, there is
difficult-to-deny proof that you said what you did: not what we want for a
supposedly private conversation!

How is this different from Trillian's SecureIM?

SecureIM doesn't provide any kind of authentication at all! You really have no
idea (in any kind of secure way) to whom you're speaking, or if there is a "man
in the middle" reading all of your messages.

How is this different from SILC?

SILC uses a completely separate network of servers and underlying network
protocol. In some environments, such as firewalled or corporate setups, where a
local proprietary IM protocol may be in use, SILC may not be available. Further,
in its normal mode of operation, all SILC messages are shared with the SILC
servers; if you want to send messages that can only be read by the person with
whom you're communicating, you need to either (1) arrange a pre-shared secret in
advance (which hampers perfect forward secrecy), or (2) be able to do a direct
peer-to-peer connection to the other person's client, in order to do a key
agreement (which may not be possible in a NAT or firewall situation).

Is your question not here? Ask on the otr-users mailing list!


Website design by Ekrem Erdem
Ian Goldberg and the OTR Development Team [GPG release signing key]