Keeping your chats private can be an arduous and tiring task. And trying to keep them anonymous can be very daunting. Yet our chats contain some of our most sensitive pieces of information – we often make inappropriate jokes or comments that can easily be taken out of context. In our private chats we behave as if nobody is watching; we swear, we admit guilt and we don’t tend to put too much thought into our words. There are probably things in your chat history that could get you arrested if you said them in public!
Fortunately, chat apps are increasingly adopting better encryption methods. Signal has become the darling of tech journalists and activists worldwide because of its strong encryption policy. And Telegram has gained a gigantic following due to their “Secret Message” feature, which allows verified end-to-end encrypted chats on open-source apps.
Apple’s iMessage platform also encrypts messages by default, but users have no way of verifying that the connection really is properly encrypted. Similarly, it is reported that Whatsapp encrypts some messages, but it remains unclear which ones, or whether the connection is properly protected.
Most Chat Apps Are NOT Private
Other popular messaging platforms such as WeChat, Google Hangouts, Skype or Facebook Chat do not encrypt any messages at all, nor do they offer the option to do so.
Even encrypted messenger services like Signal and Telegram still require your phone number to sign up, though. It’s also quite difficult to hide your IP through anonymity services like VPN or Tor when using them. Still, encrypted chat apps do provide their users with a high level of privacy, and the companies providing them cannot read the contents of your messages.
However, the providers do still have access to information such as your identity, the identity of your contacts, and your IP addresses. It is also difficult to create and discard accounts and often impossible to run accounts simultaneously, or switch between them.
Don’t despair though, there is a chat network that allows you to uphold your privacy and use it anonymously. This chat service is called XMPP – also referred to by its original name, Jabber.
XMPP is not a company or an app, it is more like email. And just like email you can choose from a variety of software to use it. Apps such as Pidgin, Adium, Tor Messenger, or even your Browser can all be used to connect to the XMPP chat network.
There are many XMPP providers where you can sign up for an account. Though XMPP itself does not encrypt chats, you can use it with the Off-The-Record Messaging (OTR) protocol to ensure your chats are private. OTR comes with many popular XMPP chat apps by default. For others, it is a simple plugin.
How To Get Private Messaging In Four Easy Steps
You can follow our simple guide to get ready to send and receive anonymous chats:
Install Tor Messenger
The Tor Messenger is chat software that routes all your traffic through the Tor network by default. It is still in beta, and the developers advise at-risk users to wait until the official release before they use it for secure chat. If you consider yourself to be such an at-risk user, we recommend you use Pidgin on the operating system Tails.
Open a XMPP account
It is important that you open your XMPP account with the Tor Browser, which you can download here. If you sign up with your normal browser it is quite likely that any activity on your XMPP account can be traced back to you.
Also, don’t forget your password! We recommend using a long and complex password, generated and saved with a password manager. If you forget your password or username, you can never get it back. There are many places to get an XMPP account, here are just a few popular ones:
Open the Tor browser and go to https://duck.co/my/register
Choose a username and a password. Don’t forget the password!
Your domain will be dukgo.com
Your server will be wlcpmruglhxp6quz.onion
Open the Tor browser and go to https://jabber.cryptoparty.is:5288/register/new
Choose a username and password, solve the captcha.
Your domain will be jabber.cryptoparty.is
Your server will be cryjabkbdljzohnp.onion
Connect your XMPP account and Chat securely with OTR
When you launch Tor Messenger, select XMPP. Once connected, you can add multiple accounts by clicking on Tools > Accounts > New Account
Enter the username and the domain you created in Step 2. *Note the missing c in duck is intentional*. On some services you might be able to create a new account directly from here, but this is not always supported.
Enter your password. You can also leave this field empty, if you prefer to enter the password yourself each time you connect. This is recommended on shared computers.
Click on ‘XMPP Options’ to enter the onion server address. What you enter under Alias or Resource does not matter, but your Resource will be visible to whoever you are connecting with. You can also leave this field blank.
The default port is 5222. All the services we recommended use this port. Other services may operate on a different port.
Before you connect, you will get a summary of your connection. This gives you the opportunity to double-check everything.
You can now add new accounts, change your options or connect for the first time.
If you entered an onion address under ‘Server’ earlier, you will likely see this error. This is because the domain name of your XMPP account is different from the name of the server (eg dukgo.com has the onion address wlcpmruglhxp6quz.onion).
You need to manually verify the server that you want to connect to.
To do that, click on “Add Exception.”
“Legitimate banks, stores, and other public sites will not ask you to do this.”
This warning is very confusing. While it is generally true that you will normally not be asked to enter exceptions to certificates, this works differently with onion sites.
TLS certificates aren’t easily issued to .onion site names and as a result most providers use the TLS certificate of their ordinary website for their onion site. This requires us to manually verify the identity of the server. Luckily we only have to do that once.
Be very careful when adding an exception. We hope that the companies issuing the certificates used to encrypt the traffic across the internet find a better process of issuing certificates for onion sites, but for now we still have to do this manually.
Click on ‘View…’ to proceed.
This is the connection certificate. Make sure the “Common Name (CN)” refers to a domain used by the organization you signed up with. In this case duck.co, which is where we got our account.
If it’s all in order, click on ‘Close’ and ‘Confirm Security Exception’ to proceed.
You are now ready to connect!
In Tor Messenger, your contacts are called ‘Buddies’. To add a Buddy, go to File > Add Contact. Enter the contact in the format email@example.com
You will need to authorize the other party as soon as they have added you back.
Click Allow to chat.
With Tor Messenger you can start chatting straight away. The program will warn you if a conversation is not encrypted.
You can also verify the integrity of the encrypted conversation. To do that, click on ‘Verify’, or the orange padlock in the upper right corner.
The ideal way to verify each other is via Manual Fingerprint Verification.
You will need to obtain your contact’s fingerprint through a channel where no one else can alter the key. You could ask them to tweet it, or perhaps put it on their website. You could even just ask them to write it on a bit of paper and hand it to you.