We are still actively working on the spam issue.
Off The Record Encryption, (or OTR) for short, is a somewhat new version of Private Message encryption using a temporary key exchange system. It prevents Man-in-the-Middle Attacks, and allows for strong encryption end-to-end. This encryption utility is not specific to one service, and can be used for a wide variety of chat methods, such as IRC, or even Facebook (though there are other reasons you shouldn't use it). Much like how Tox was made by channers, OTR was made by cy(b||ph)erpunks. However, unlike Tox, OTR is known even by Normies, and it is much more accepted and adapted.
Do not confuse OTR Encryption for the feature known as OTR on Facebok and Google Plus. Actually, you're a retard for using these things so you probably should confuse them. It won't make a difference.
Off the Air encryption was formerly popular, but is slowly being replaced with OMEMO encryption.
How it works
Essentially, a key is generated for you. This key is static, unless you choose to make a new one. Your key fingerprint is then printed to you. The person on the other end also uses this. You do not share your private key, but instead share your fingerprint. This is how it prevents Man in the Middle Attacks. Then, one or the other party starts an OTR session. This OTR session prompts both users to confirm their fingerprints. Then, once you give the command to trust the fingerprint, and the other user does likewise, the encrypted chat has started. If you do not choose to trust the fingerprint, messages from you will not be encrypted, but messages to you will.
Another method is by loading the auth module, in which the other user can authenticate with a shared password with a password hint/question that the other person would know. This method is rarely used and should only be used if the validity of the other user is in question.
During the conversation, a temporary key is generated for the length of the conversation (by the person who started the conversation), and is then transmitted to the other user once the other user executes the trust or auth module. This exchange is automatic and no further verification is needed. This key is also needless to be viewed. It is transmitted via the Raw, Unprocessed Data that most clients read then process to human-readable data (especially IRC).
Once the OTR session is finished, the temporary keys are deleted. It is highly recommended that if you have a scrollback or log that you delete it securely almost immediately. This can be achieved by executing the wipe utility which you can get through your distro's package manager. An example command to give you an idea on what you can do:
wipe -rfc "/home/user/.config/Hexchat/Scrollback"/*
- It doesn't support Group Chat
- You can't make one key that covers all things
- You have little say in the key-generation