Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
HOWTO: Twitter DM with OTR

Twitter DM + OTR: A quick and dirty tutorial

With the recent removal of the 140-character limit in Direct Messages by Twitter, DM's have now become a much more useful platform for communicating between individuals and groups. Sadly, DM's are still sent in plaintext between users and Twitter has no plans currently on encrypting these messages, at least as of August 2015. Since these are stored in plaintext at rest, an adversary can see the content of the message you are sending, which the two parties might not wish to happen. Fortunately as a few applications with basic Twitter support which also have excellent support for OTR, all hope isn't lost and it is possible to have the dream of end-to-end encrypted DMs, without the headache that copying and pasting PGP messages might bring.

In a previous version of these instructions I wrote on how to set up Adium and Pidgin as standalone clients for Twitter+OTR. Sadly due to problems with the Twitter libraries in each of these respective clients, this is near impossible as of 2015-08-31, but can be fixed in future versions.

Below are guides for setting up your Twitter account in Bitlbee, which will allow you to connect to it with a client of your choosing. I've tested out sending messages between two twitter accounts I control in each of these clients following these steps.

Important Threat Model Note

Before we get to the instructions, I want to make it absolutely clear that doing this protects the content that is being sent in each DM. The following is still possible to view by Twitter:

  • Whom you are exchanging messages with
  • What times the messages are being sent
  • The overall length of the conversation
  • What IP addresses were accessing each Twitter account

Unless the two parties are taking clear steps to anonymize these (like using throwaway Twitter accounts, tied to a throwaway email address, connected to only using Tor), an adversary can still figure out that Akiko is talking to Boris.

Also, I would like to note that the below clients can only currently handle a two-way conversation as mpOTR isn't implemented in these applications yet. So for the time being, your group chats will still be sent in plaintext.

Bitlbee (Cross-platform)

Difficulty: Advanced

Note: Bitlbee isn't a stand-alone client like the Adium and Pidgin, but an IRC<->IM gateway. You will need an IRC client which has OTR support to connect to the Bitlbee gateway to send encrypted DMs. Pidgin, Adium, Weechat with the otr.py script, and irssi-otr all have OTR support for IRC, and have decent communities that can help if you run into any snags

  1. Install Bitlbee -- should be in your package manager on Linux, for other platforms (like Cygwin or OS X), you will need to compile from source.
  2. Once Bitlbee is installed and configured to your liking, connect your IRC client to it -- Instructions for how to do this in Pidgin and Adium are below. Scroll down to set up your clients if not already set up!
  3. Type register $password where $password is a unique password that only you know. This is used for persistance between connections to Bitlbee
  4. Type account add twitter $username where $username is the username of your twitter account
  5. Type account list to list all the accounts you have set up in Bitlbee. This will give you a list of numbers, take the number that is next to your twitter username. If you haven't configured any accounts, the number will be 0
  6. Type account $number on where $number is the number from Step 5.
  7. Bitlbee will now try to connect to your twitter account, which will send the URL to authorize this as a Twitter client in a PM buffer. Click that URL to proceed.

If a connection to bitlbee is lost, you can always reconnect with your client and type identify $password where $password is the value you set during Step 3 of the Bitlbee instructions.

Pidgin (Windows and Linux)

Difficulty: Easy

  1. Download and install the following:
  1. After all of these are installed, start Pidgin
  2. Click Accounts -> Manage Accounts -- this will bring up the Accounts window
  3. In the Accounts window, click the Add button
  4. In the Add Account window, change the Protocol dropdown to IRC
  5. Enter in the Username you set up with your Bitlbee instance. This will likely be your username.
  6. Under the Server field, enter in localhost -- this is assuming that you are running bitlbee on the same box as your chat client
  7. In the Advanced tab, change Port to the value you specified in your bitlbee configuration file (default is 6667)
  8. Click Add

From here proceed with step 3 in the Bitlbee instructions

Adium (OS X)

Difficulty: Easy

  1. Download the latest version of Adium from https://adium.im -- Adium includes OTR support out of the box
  2. Click Adium in the Menu Bar, then click Preferences. This will open the Preferences window
  3. Click on Accounts, then click on the + Menu at the bottom, then select IRC
  4. Enter in your username into the Nickname field
  5. Enter in localhost into the Hostname field
  6. Under Options, change Port to the right number (6667 is the default)
  7. Click OK

From here proceed with step 3 in the Bitlbee instructions

Okay, now what?

Find a friend that has followed these instructions, and DM away! "Easy" right?

Okay it's a little finicky to deal with and set up I admit, but this is the best options we have at the moment. If you want OTR (or a better protocol like TextSecure) to be supported and widely adopted, lobbying Twitter and developers of third party clients is necessary.

This work is licensed under a Creative Commons Attribution 4.0 International License.

@NSAKEY

This comment has been minimized.

Copy link

@NSAKEY NSAKEY commented Sep 3, 2015

Bitlbee actually has OTR support, so using something like irssi-otr isn't needed.

@dequis

This comment has been minimized.

Copy link

@dequis dequis commented Sep 3, 2015

Pidgin (Windows and Linux)

...

  1. Under the Server field, enter in localhost -- this is assuming that you are running bitlbee on the same box as your chat client

Uhhh... Fairly sure that making bitlbee run in windows bumps the difficulty to "advanced". You should just suggest people to use im.bitlbee.org, and adjust threat model accordingly (the server will hold a twitter oauth token with read/write/direct message access). Or maybe check if any of the libpurple twitter plugins are decent enough.

Bitlbee actually has OTR support, so using something like irssi-otr isn't needed.

Actually bitlbee's built-in otr is disabled in twitter for historical reasons (yeah, i'm talking about the character length limit). So ignore bitlbee's built-in otr, just use irssi-otr or weechat's thing or pidgin.

@colinmahns

This comment has been minimized.

Copy link
Owner Author

@colinmahns colinmahns commented Sep 8, 2015

Just saw these comments, had no idea they were here.

@NSAKEY -- I had issues with getting bitlbee's otr to work with twitter for some reason, so I fell back to using weechat, pidgin, and adium's implementations which worked fairly well. If you got it to work please let me know :)

@dequis -- I agree that this is not a tutorial for an end-user, at the current moment this really is more of a geek toy. Good tip on im.bitlbee.org though! I had no idea Bitlbee ran a public instance, this speeds up deployment for new users provided they wish to trust this server.

As for using a libpurple twitter plugin, I had nothing but problems with them, thus falling back to bitlbee. Below is what I wrote Joseph Cox when he asked the same question of me in a DM:

If you are curious, the problems I had with each respective library are as follows:

* prpltwtr in Pidgin would end up stripping most of the initial OTR query during the initial handshake, causing each client to get confused. Funnily enough since the handshake would fail, Pidgin would keep inserting a link to otr.cypherpunks.ca with no context into the conversation.

* STTwitter, which is the Twitter library in Adium is woefully out of date and still believes that there is a 140 character restriction in DMs. My attempts to force OTR to work over this proved to be a large source of frustration

I have "submitting a bug report in each twitter library" on my TODO, but that requires me to have some time to write them, which I sadly lack at the moment.

@dequis

This comment has been minimized.

Copy link

@dequis dequis commented Nov 20, 2015

I recently played with bitlbee and otr, and found that twitter strips the opportunistic OTR whitespace tag from the end of direct messages (it's a series of space and tab characters, so likely to be part of their input sanitization), so only explicit connection attempts worked.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment