Thunderbird:OTR

Thunderbird nightly builds as of 2019-05-18 and later, including recent Betas and version 68.x release candidates, contain experimental support for Off-The-Record messaging (OTR).

However, the OTR feature is disabled by default.

Installing the external OTR library

Using the feature requires the OTR library, which isn't yet included in the Thunderbird distribution. (We hope to fix that in the near future.) For the time being, if you'd like to test the OTR feature, you must install the required base libraries yourself. The installation steps depend on the platform you're using. Use them at your own risk, and verify that you trust the origin of your downloads.

On Linux, your distribution probably offers the libOTR library.

  • On systems like Debian or Ubuntu, use: sudo apt-get install libotr5
  • On systems like Fedora or CentOS, use: sudo dnf install libotr

On Mac OSX, you can obtain the package from the Homebrew project. After you have completed their general setup instructions, open a terminal and execute this command: brew install libotr

For Windows, one of the Thunderbird developers provides a download on their private server. A README can be found on the site. After you have downloaded the file for your platform and verified the correctness of the download, extract the archive and move the contained files to your Thunderbird application directory. That's the same directory that contains the other shared libraries and the Thunderbird executable.

Enabling the OTR feature

After you have installed the required base libraries, you can try to enable the OTR feature:

Use preferences/advanced/config editor, search for chat.otr.enable and change it to true. Then restart Thunderbird.

To test, find a chat partner who is also using the latest Thunderbird nightly with OTR enabled, or who uses a different chat client that supports OTR. Alternatively, use two different computers or user accounts, or run a second chat application on your own computer.

OTR works with chat protocols that provide a one-to-one conversation. It doesn't work in multi-user rooms.

Troubleshooting the installation

After you have installed the library, enabled the feature and restarted, the right hand side of the user interface should display an additional element labelled "Encryption Status" during an active one-to-one chat.

If you cannot see it, loading the library might have failed. Open the error console (menu: tools/developer tools/error console) and enter the word "otr" in the filter field at the top. You should see lines like "trying to load ....otr..."; they tell you from which directory Thunderbird is trying to load the external library.

Low level troubleshooting

If you'd like to follow the actions of the OTR implementation at a technical level, you can enable a hidden preference. In the config editor, right click, add a new pref of type bool named chat.otr.trace, and set it to true. This enables additional OTR-related output on the error console.
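The two preferences above (chat.otr.enable from the enabling step and the hidden chat.otr.trace) can also be set through a user.js file in the Thunderbird profile, which Thunderbird reads at startup. The following helper script is an added example, not part of the wiki page or the Thunderbird project; it first checks whether a libotr shared library is visible to the system at all (the usual cause of a missing "Encryption Status" element) and then writes the two prefs. It assumes a POSIX shell and that the profile directory is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the wiki or Thunderbird: check that libotr is visible
# to the system and set the OTR preferences in a profile's user.js.
# Assumes a POSIX shell; the profile directory is passed as the first argument.

# Print the first libotr shared library the system can find, or return 1.
# Looks in the ldconfig cache (Linux) and in common Homebrew/system lib dirs (macOS).
find_libotr() {
    if command -v ldconfig >/dev/null 2>&1; then
        ldconfig -p 2>/dev/null | grep -m1 'libotr' && return 0
    fi
    for dir in /usr/local/lib /opt/homebrew/lib /usr/lib /usr/lib64; do
        for f in "$dir"/libotr.so* "$dir"/libotr*.dylib; do
            [ -e "$f" ] && { echo "$f"; return 0; }
        done
    done
    return 1
}

# Set a boolean user_pref in <profile>/user.js, replacing any earlier line for
# the same pref. Thunderbird reads user.js at startup, so this persists the
# same change the config editor makes.
set_pref() {
    profile="$1"; name="$2"; value="$3"
    case "$value" in true|false) ;; *) echo "value must be true or false" >&2; return 2 ;; esac
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    f="$profile/user.js"
    touch "$f"
    grep -v "user_pref(\"$name\"," "$f" > "$f.tmp" || true
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# Print the current value of a boolean pref from user.js (empty if unset).
get_pref() {
    sed -n "s/^user_pref(\"$2\", *\([a-z]*\));.*/\1/p" "$1/user.js" 2>/dev/null
}

if [ $# -ge 1 ]; then
    if lib=$(find_libotr); then
        echo "libotr found: $lib"
    else
        echo "libotr not found; install it first (see above)" >&2
    fi
    set_pref "$1" chat.otr.enable true   # the switch described in "Enabling the OTR feature"
    set_pref "$1" chat.otr.trace true    # hidden pref for low level troubleshooting
    echo "chat.otr.enable=$(get_pref "$1" chat.otr.enable) chat.otr.trace=$(get_pref "$1" chat.otr.trace)"
fi
```

Run it with the profile directory as argument while Thunderbird is closed, then start Thunderbird; the config editor will show both prefs already set.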

Using the feature

If you're interested in what this is all about, you might want to read the Wikipedia article on OTR.

In short, the feature makes it possible to use end-to-end encryption for messages exchanged with your conversation partner. This can only work in one-to-one chats; it doesn't work in chat rooms that allow more than one user. The feature might be usable regardless of the transport protocol you're using (IRC, XMPP/Jabber, etc.).

It's helpful to know about a few properties of OTR. Thunderbird doesn't know if your conversation partner supports OTR, or not. Whenever OTR might be theoretically possible (because it's a one-to-one chat), the user interface will display the Encryption Status button, in the upper right area, next to the buddy icon and name of the contact. That button has a dropdown menu.

If you send a standard (unencrypted) message to someone, and the other side also supports OTR, this will probably be detected, and both clients might automatically initiate a handshake to start an encrypted conversation.

Note that this uses opportunistic encryption by default. You don't know whether a Monster-In-The-Middle attack is active. You should verify the identity of your conversation partner to be certain there's no MITM. To perform the verification, you have multiple options. Thunderbird supports three mechanisms; see the dropdown choice in the verification dialog. Other clients might not support all of them.

Note that a verification usually requires that you exchange information with your contact. Don't exchange it using the same chat, because you could in fact be talking to the MITM. If you exchange the verification information over the internet, that channel might be controlled by a MITM, too. So a reliable verification requires that you use a different channel for verification, such as meeting in person, calling on the phone, or using encrypted/signed email with known correct keys.