The #1 thing you could do to protect yourself is use Linux, not Windows.
Windows at least double-checks with the admin whether you want to run unsigned code. It's really down to the user which OS they have a preference for and knowledge of. Linux has its quirks, Windows has its quirks, and you could be leaving a gaping security hole open if you're not aware of those quirks, regardless of which you're using.
Don't use Pidgin with OTR. I couldn't care less what you say about this statement, but I have spoken with people who have been to jail because their messages were being read.
I use Pidgin with OTR, and half my contact list now uses OTR with whatever client they use. After the handshake, all the messages are wrapped up in ECC TLS, providing forward secrecy so that if a message is intercepted and decrypted, it's not relevant because all the other messages are using unique keys. How OTR plays with Pidgin and Adium, well, it's not perfect, but the crypto itself is solid and I am satisfied with what shows in the audited traffic logs.
There are plenty of other, far more viable ways to get at encrypted messages. For example, if one party is an informant. Another possibility is that one party has a keylogger active, sending all to-be-encrypted messages in plaintext through another connection. These alternative methods are significantly easier than cracking OTR, hence the ongoing preference of hackers to rely on malware and wetware hacks (social engineering) to circumvent the laborious process of busting through crypto, especially ECC.
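As an added example that is not part of any post in this thread, here is a toy per-message Diffie-Hellman ratchet in the spirit of what the post above calls forward secrecy. It is constructed for illustration only: the group (a 127-bit Mersenne prime), the KDF (plain SHA-256) and the stream cipher (SHA-256 counter keystream plus HMAC) are all stand-ins, and it is not the OTR protocol itself. The point it demonstrates: a passive observer who records every public value and ciphertext on the wire and later seizes both parties' current private keys can only open the single message whose key material is still live, while the same conversation run under long-term keys falls entirely.

```python
"""Forward secrecy via a per-message Diffie-Hellman ratchet.

Constructed toy demonstration (not OTR, not production crypto):
group, KDF and cipher are deliberately minimal stand-ins.
"""
import hashlib
import hmac
import secrets

# Toy DH group: Mersenne prime 2**127 - 1, generator 2.
# Assumption: far too small for real use; real code uses RFC 3526 groups or X25519.
P = (1 << 127) - 1
G = 2
TAG_LEN = 32


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1            # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def message_key(priv, peer_pub):
    """Shared secret -> 32-byte key (SHA-256 stands in for a real KDF)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()   # encrypt-then-MAC


def decrypt(key, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class Party:
    """One side of the chat. Holds only its *current* DH private key."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.peer_pub = None                        # set by the initial handshake

    def send(self, plaintext):
        key = message_key(self.priv, self.peer_pub)
        blob = encrypt(key, plaintext)
        self.priv, self.pub = dh_keypair()          # ratchet: old private key is gone
        return self.pub, blob                       # new pub rides along with the message

    def recv(self, advertised_pub, blob):
        plaintext = decrypt(message_key(self.priv, self.peer_pub), blob)
        self.peer_pub = advertised_pub              # adopt the peer's next key
        return plaintext


def recover_after_compromise(blobs, observed_pubs, seized_privs):
    """Passive wire observer who later seizes private keys: count the
    recorded messages that any (seized_priv, observed_pub) pair opens."""
    def opens(blob):
        for priv in seized_privs:
            for pub in observed_pubs:
                try:
                    decrypt(message_key(priv, pub), blob)
                    return True
                except ValueError:
                    continue
        return False
    return sum(opens(b) for b in blobs)


def demo_ratchet(messages):
    """Alice and Bob alternate; return delivered plaintexts and how many
    recorded messages the attacker recovers after seizing BOTH current keys."""
    alice, bob = Party(), Party()
    alice.peer_pub, bob.peer_pub = bob.pub, alice.pub          # handshake
    observed_pubs, blobs, delivered = [alice.pub, bob.pub], [], []
    for i, msg in enumerate(messages):
        sender, receiver = (alice, bob) if i % 2 == 0 else (bob, alice)
        new_pub, blob = sender.send(msg)
        observed_pubs.append(new_pub)
        blobs.append(blob)
        delivered.append(receiver.recv(new_pub, blob))
    seized = [alice.priv, bob.priv]                 # endpoint compromise after the chat
    return delivered, recover_after_compromise(blobs, observed_pubs, seized)


def demo_static(messages):
    """Same chat with long-term keys only: one shared key for everything."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    blobs = [encrypt(message_key(a_priv, b_pub), m) for m in messages]
    return recover_after_compromise(blobs, [a_pub, b_pub], [a_priv])


if __name__ == "__main__":
    chat = [b"hi", b"hello", b"meet at 5", b"ok"]               # constructed sample
    print("ratchet: delivered, recoverable =", demo_ratchet(chat))
    print("static: recoverable =", demo_static(chat))
```

The one message the ratchet still gives up is the most recent one: its sender's old key was destroyed, but the receiver has not ratcheted yet, so the receiver's current private key combined with a public value seen on the wire still yields that message's key. That window closes as soon as the receiver sends its next message, which is exactly the "forget old keys once the peer has moved on" behaviour a real ratchet relies on; everything earlier stays out of reach even with both endpoints' current keys in hand.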
It's funny, you're concerned about secure chat, but I would bet you're using Windows, which has an NSA backdoor on all versions.
I'm pretty certain it's been confirmed the suspicious library in question contained crypto for NSA's internal use, not a backdoor. Microsoft would never risk tanking their credibility doing something as stupid as giving third parties backdoors, especially considering how hard the company is working to secure a good position in the server market, where security counts for so much. Cisco, for example, has already taken a huge loss in the Asian markets over suspicions of NSA backdooring. It doesn't pay to even be suspected of playing with the TLAs (three-letter agencies).
Sadly SSL and HTTPS are broken, so web traffic can be seen, but they won't know to whom. RSA and AES will fall within the next 10 years, so who knows what's next. If you doubt this, do a little research on Shor's algorithm and quantum computing.
This is a complicated topic, and security holes do not mean a software or protocol is immediately broken. There are routers that examine HTTPS traffic going through them, and that provides the networks of businesses and educational institutions with basically the same capability as what the NSA has been doing with their access to internet exchanges. The bottom line is, there's a lot to infosec, and it does no good on its own without good opsec to ensure the unreliable (human) components don't compromise the secure components. For the average user just looking to have a private conversation, OTR is still the best idiot-proof solution. If you're breaking major federal laws and are attracting the attention of TLAs, then you've got bigger problems than minor insecurities in certain network protocols.