Twitter DM + OTR: A quick and dirty tutorial

With the recent removal of the 140-character limit in Direct Messages by Twitter, DM's have now become a much more useful platform for communicating between individuals and groups. Sadly, DM's are still sent in plaintext between users and Twitter has no plans currently on encrypting these messages, at least as of August 2015. Since these are stored in plaintext at rest, an adversary can see the content of the message you are sending, which the two parties might not wish to happen. Fortunately as a few applications with basic Twitter support which also have excellent support for OTR, all hope isn't lost and it is possible to have the dream of end-to-end encrypted DMs, without the headache that copying and pasting PGP messages might bring.

In a previous version of these instructions I wrote on how to set up Adium and Pidgin as standalone clients for Twitter+OTR. Sadly due to problems with the Twitter libraries in each of these respective clients, this is near impossible as of 2015-08-31, but can be fixed in future versions.

Below are guides for setting up your Twitter account in Bitlbee, which will allow you to connect to it with a client of your choosing. I've tested out sending messages between two twitter accounts I control in each of these clients following these steps.

Important Threat Model Note

Before we get to the instructions, I want to make it absolutely clear that doing this protects the content that is being sent in each DM. The following is still possible to view by Twitter:

• Whom you are exchanging messages with
• What times the messages are being sent
• The overall length of the conversation
• What IP addresses were accessing each Twitter account

Unless the two parties are taking clear steps to anonymize these (like using throwaway Twitter accounts, tied to a throwaway email address, connected to only using Tor), an adversary can still figure out that Akiko is talking to Boris.

Also, I would like to note that the below clients can only currently handle a two-way conversation as mpOTR isn't implemented in these applications yet. So for the time being, your group chats will still be sent in plaintext.

Bitlbee (Cross-platform)

Difficulty: Advanced

Note: Bitlbee isn't a stand-alone client like the Adium and Pidgin, but an IRC<->IM gateway. You will need an IRC client which has OTR support to connect to the Bitlbee gateway to send encrypted DMs. Pidgin, Adium, Weechat with the otr.py script, and irssi-otr all have OTR support for IRC, and have decent communities that can help if you run into any snags

1. Install Bitlbee -- should be in your package manager on Linux, for other platforms (like Cygwin or OS X), you will need to compile from source.
2. Once Bitlbee is installed and configured to your liking, connect your IRC client to it -- Instructions for how to do this in Pidgin and Adium are below. Scroll down to set up your clients if not already set up!
3. Type register $password where $password is a unique password that only you know. This is used for persistance between connections to Bitlbee
4. Type account add twitter $username where $username is the username of your twitter account
5. Type account list to list all the accounts you have set up in Bitlbee. This will give you a list of numbers, take the number that is next to your twitter username. If you haven't configured any accounts, the number will be 0
6. Type account $number on where $number is the number from Step 5.
7. Bitlbee will now try to connect to your twitter account, which will send the URL to authorize this as a Twitter client in a PM buffer. Click that URL to proceed.

If a connection to bitlbee is lost, you can always reconnect with your client and type identify $password where $password is the value you set during Step 3 of the Bitlbee instructions.

Pidgin (Windows and Linux)

Difficulty: Easy

1. Download and install the following:

• Pidgin from https://pidgin.im
• If on Windows, download the OTR library for Pidgin. Linux should include the library by default.

1. After all of these are installed, start Pidgin
2. Click Accounts -> Manage Accounts -- this will bring up the Accounts window
3. In the Accounts window, click the Add button
4. In the Add Account window, change the Protocol dropdown to IRC
5. Enter in the Username you set up with your Bitlbee instance. This will likely be your username.
6. Under the Server field, enter in localhost -- this is assuming that you are running bitlbee on the same box as your chat client
7. In the Advanced tab, change Port to the value you specified in your bitlbee configuration file (default is 6667)
8. Click Add

From here proceed with step 3 in the Bitlbee instructions

Adium (OS X)

Difficulty: Easy

1. Download the latest version of Adium from https://adium.im -- Adium includes OTR support out of the box
2. Click Adium in the Menu Bar, then click Preferences. This will open the Preferences window
3. Click on Accounts, then click on the + Menu at the bottom, then select IRC
4. Enter in your username into the Nickname field
5. Enter in localhost into the Hostname field
6. Under Options, change Port to the right number (6667 is the default)
7. Click OK

From here proceed with step 3 in the Bitlbee instructions

Okay, now what?

Find a friend that has followed these instructions, and DM away! "Easy" right?

Okay it's a little finicky to deal with and set up I admit, but this is the best options we have at the moment. If you want OTR (or a better protocol like TextSecure) to be supported and widely adopted, lobbying Twitter and developers of third party clients is necessary.

This work is licensed under a Creative Commons Attribution 4.0 International License.