HOWTO use Tor Messenger, the new, super-secure/private chat app

It's still in beta, but Tor Messenger from the Tor Project has security and privacy baked in by design, and it's the easiest method yet devised to use OTR (Off the Record), the gold standard in secure communications.

On Ars Technica, Cyrus Farivar presents a five-minute tutorial in getting up to speed on Tor Messenger, which will interoperate with your existing chat contacts and accounts for Google (GChat), Yahoo, Facebook, and any XMPP account.

When you start a new conversation, the chat window will prompt you to verify your contact's OTR fingerprint.

This is crucial to making sure that someone isn't impersonating you. An OTR fingerprint, which can and should be public (I've tweeted mine and posted them in multiple places online), is a way to make 100 percent sure that the right account matches the right person on the right machine. In other words, it mitigates man-in-the-middle attacks. (When Washington Post reporter Barton Gellman was chatting with Ed Snowden in Hong Kong, he almost missed him after initially sending the wrong fingerprint—Snowden briefly thought Gellman was an impostor.)

In other chat apps (like Adium), key verification is usually done manually, simply by comparing the purported fingerprint to one that you know is authentic. For example, if you're chatting with me, my chat app will broadcast my fingerprint, which should match my known one. If they match, then you're almost certainly talking to me. If not, then someone is impersonating me.

Key verification is tedious, and requires examining each purported number and letter "4311D38B…" to the known authentic one. Humans are not good at comparing random long strings of numbers and letters, so Tor Messenger has come up with a good way of solving this problem. In addition to the manual key verification option, Tor Messenger has added a new "shared secret" option.

Tor Messenger Beta: Chat over Tor, Easily [Tor Project]

Take 5 minutes and up your opsec game with Tor Messenger
[Cyrus Farivar/Ars Technica]