Changes


Thunderbird:OTR

2,010 bytes added, 10:01, 22 May 2019
add section "using the feature"
== Low level troubleshooting ==
If you'd like to follow the actions of the OTR implementation at a technical level, you can enable a hidden preference. Open the config editor, right-click, add a new pref of type bool named chat.otr.trace, and set it to true. This enables additional OTR-related output on the error console.
 
== Using the feature ==
If you're interested in what this is all about, you might want to read the [https://en.wikipedia.org/wiki/Off-the-Record_Messaging Wikipedia article on OTR].
 
In short, the feature makes it possible to use end-to-end encryption for messages exchanged with your conversation partner. This can only work in one-to-one chats; it doesn't work in chat rooms that allow more than one user. The feature might be usable regardless of the transport protocol you're using (IRC, XMPP/Jabber, etc.).
 
It's helpful to know about a few properties of OTR. Thunderbird doesn't know whether your conversation partner supports OTR. Whenever OTR might be theoretically possible (because it's a one-to-one chat), the user interface will display the Encryption Status button in the upper right area, next to the buddy icon and name of the contact. That button has a dropdown menu.
 
If you send a standard (unencrypted) message to someone, and the other side also supports OTR, it will probably be detected, and both clients might automatically initiate a handshake to start an encrypted conversation.
 
Note that this uses opportunistic encryption by default. You don't know if there's a Monster-In-The-Middle (MITM) attack active. You should verify the identity of your conversation partner to be certain there's no MITM. To perform the verification, you have multiple options. Thunderbird supports three mechanisms; see the dropdown choice in the verification dialog. Other clients might not support all of them.
 
Note that a verification usually requires that you exchange information with your contact. Don't exchange it using the same chat, because you could in fact be talking to the MITM. If you exchange the verification information over the internet, that channel might be controlled by a MITM, too. So a reliable verification requires that you use a different channel for verification, such as meeting in person, calling on the phone, or using encrypted/signed email with known correct keys.