We'd love to hear about these zero days over at security@pidgin.im so we can fix them, or you can just keep spouting about stuff that afaict doesn't actually exist.
If you're going to use it,
PROTECT CONTENT by using the OTR end-to-end encryption plugin https://otr.cypherpunks.ca/
WARNING: OTR is opt-in E2EE for every session, and that uses old cryptographic primitives (DH-1536 etc.). OTRv4 is in the works but that's going to take years before you have an upgrade: https://github.com/otrv4/otrv4 (Note that Pidgin-OTR v.4.0.2 IS THE E2EE PLUGIN VERSION, NOT THE PROTOCOL VERSION. The protocol version is still 3: https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html)
In the meantime, use https://signal.org/ that uses modern primitives like Curve25519, and that you can't f up as it's not possible to use it without end-to-end encryption.
PROTECT METADATA by proxying your Pidgin connection via Tor from registration to use. Preferably register your XMPP account to an XMPP Onion Service server. This prevents you from accidentally connecting to the server without Tor, which would deanonymize you. A list of XMPP Onion Services can be found at https://gist.github.com/dllud/a46d4a555e31dfeff6ad41dcf20729...
Ask your peers to do so too.
Note, since this is something that requires manual configuration, it's easy to mess up.
A better solution is to ditch Pidgin and use https://briarproject.org/ that you can't accidentally f up as you can't use it without Tor (unless they live in the flat above you, then you can use BT/WiFi), and you can't forget to use E2EE.
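Since the Tor setup above is manual and easy to get wrong, here is an added self-check (not from the comment author or the Pidgin project) that audits the XMPP accounts in Pidgin's accounts.xml and flags any account whose server is not an onion service or whose proxy is not a local Tor SOCKS port. The accounts.xml layout, the `tor`/`socks5` proxy type strings and the `connect_server` setting name are assumptions based on libpurple 2.x; the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Pidgin's ~/.purple/accounts.xml (assumed):
# the first account talks to a clearnet server with no proxy, the second to an
# onion service through the local Tor SOCKS port.
SAMPLE_ACCOUNTS_XML = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Pidgin</name>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>bob@PLACEHOLDER-onion-address.onion/Pidgin</name>
    <proxy><type>tor</type><host>127.0.0.1</host><port>9050</port></proxy>
  </account>
</account>
"""

TOR_PROXY_TYPES = {"tor", "socks5"}  # libpurple proxy <type> values (assumed)
TOR_SOCKS_PORTS = {9050, 9150}       # tor daemon and Tor Browser defaults

def audit_accounts(xml_text):
    """Return {bare JID: [finding, ...]} for each XMPP account; [] means OK."""
    findings = {}
    for acct in ET.fromstring(xml_text).findall("account"):
        if acct.findtext("protocol") != "prpl-jabber":
            continue
        jid = acct.findtext("name", "").split("/", 1)[0]
        problems = []
        # An explicit connect_server setting overrides the JID's domain.
        connect = next((s.text or "" for s in acct.iter("setting")
                        if s.get("name") == "connect_server"), "")
        target = connect.strip() or jid.rsplit("@", 1)[-1]
        if not target.endswith(".onion"):
            problems.append("server %s is not an onion service" % target)
        proxy = acct.find("proxy")
        ptype = proxy.findtext("type", "") if proxy is not None else ""
        if ptype not in TOR_PROXY_TYPES:
            problems.append("proxy type %r is not a Tor SOCKS proxy" % ptype)
        else:
            phost = proxy.findtext("host", "")
            port = int(proxy.findtext("port", "0") or 0)
            if phost not in ("127.0.0.1", "localhost") or port not in TOR_SOCKS_PORTS:
                problems.append("proxy %s:%d is not a local Tor port" % (phost, port))
        findings[jid] = problems
    return findings
```

Run it against your real file with `audit_accounts(open(path).read())`; any non-empty list is an account that can leak your IP to the XMPP server.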