New AIM Offering "end to end" Encryption
MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"
Now I can feel secure when I talk on AIM.. Because I didn't before...?
Paint.NET, a Free Image Editor, with Source Code Available!
Gaim already has such a project. Anyone use it? I've tried it in the past, but couldn't get it to work.
--
http://nemilar.net - Not your grandmother's soup kitchen
Why is this kick ass? Because of the following little gem on the beta description: "[m]essages sent between AIM members can be digitally encrypted and signed." This might be the first time a product for the masses will actually lead to people learning about digital signatures, and setting up their own. You can see where this is leading -- people will get interested, and start to look into encryption in general. This could be the start of mass acceptance of encrypted and signed email. I am tired of looking like a paranoid geek for signing my emails -- I do it for solidarity, and to raise the privacy/encryption consciousness of those getting my emails..
Trillian offers secure instant messaging, given that both sides have it enabled, which is rare.
with W.A.S.T.E.?
Trillian has had this feature for as long as I can remember using it.
Trillian already supports 128 bit encryption over AIM and ICQ between Trillian users.
Hopefully they will offer secure-level keys for their services.
Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?
I shall go and tell the indestructible man that someone plans to murder him.
Trillian has had SecureIM over the ICQ protocol for AGES.
:)
I never realized that would make it an illegal product to use in some states
SimpLite for AIM.
Acts as a proxy for your AIM client and allows encryption of your messages. Course the person you're talking to has to have this installed as well in order to have the convo encrypted.
It already is encrypted, isn't it?
foxy28uk192323342 says: h1 asl lol
:/
brandon343jfdh says: lol brb fs
Maybe I'm just cynical
I don't know about other people, but my conversations on AIM usually go like this:
Me: Hey
Other guy: Hey
Me: Anything interesting happening?
Other guy: Not much. You?
Me: Not much. Hey, wanna play Starcraft?
Other guy: Sure. See you on in a few minutes. Usual channel.
Me: Okay. See you there.
Frankly, I couldn't care less whether or not anyone else was reading that, and I bet a lot of people feel the same way. It's a nice feature, sure, but it's not the most needed...
I find gaim-encryption to be very well done. It works transparently, using variable key sizes, and uses a security model similar to that of ssh. Kirk
While I genuinely applaud the efforts to bring secure communications to the masses I am left wondering what kind of person requires a digitally encrypted AIM session...
Get a free Ipod!
I think AOL is putting this out way too late. Other messenger services such as Gaim and Trillian have had encryption in for a while now. These services also have a lot of other features that make them superior to the aim client. Why get AIM?
Nullsoft, a subsidiary, releases WASTE, a p2p files and chat client with encryption
AOL pulls WASTE
AIM, made by AOL, gets encryption
Coincidence...?
Since iChat is one of the few "authorized" AIM clients, maybe it will get access to this.
--
the strongest word is still the word "free"
...is for someone somewhere to actually write something in AIM that is worthwhile to encrypt.
Personally, I think the original security of instant messaging was sufficient...that is, there is so much white noise, that the data stream just isn't worth tapping into.
Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them.
Tarsnap: Online backups for the truly paranoid
You've got !$$%!#13%$f#%^djh23r#R*ds*W@#HN
-- Having a Creationist Museum is like having an Atheist place of worship
If AOL has any ties to Verisign, et al.? If it's using PKI (which it says it is), and the "About AIM Personal Certificates" page (Link Here) says it is (which really doesn't go into how they're implemented, or how you can get a certificate), who's to say that they're not going to charge you for getting a certificate? Yahoo integrated encryption in their Yahoo Messenger Enterprise, and other companies have done this in the past (I believe that even ICQ had a version of their server up so that companies could set their own ICQ servers up).
I honestly think it's all about the Money for AOL, and it's going to be prohibitive for Joe Sixpack to get this to work.
I disable sigs...do you?
This beta goes a long way to explaining the WASTE posting/unposting that went on last week. Clearly AOL wants to encourage the message encryption through AIM and not another program, and certainly not one under the GPL. Note that AIM is MORE than willing to provide you with a public key (at a nominal fee of course).
would this be why W.A.S.T.E. was killed? I would guess so. Or...is this AOL's co-opting of WASTE itself? have they just taken the GPL code that was posted for that one day and slapped AIM on it?
FreeBSD for the impatient.
You insensitive clod!
If it isn't completely open source then they are running a man in the middle scam and recording the entire encrypted session in the clear.
All for our own protection, of course....
It's Christmas everyday with BitTorrent.
Judging from the previous posts here, not many see this as a necessary feature.
Who do you think'll use this? Drug dealers will. Terrorists will. Is your privacy so important as to accommodate these groups?
Maybe the government ain't so far off anyway.
How small a thought it takes to fill a whole life
Freaky to think that AOL is actually, you know, aiding freedom of speech, rather than restricting it through their idiotic TOS.
:)
(I left AOL a looong long time ago when they started censoring their joke sites, bleck!)
Hmm, next thing you know, Time Warner will be offering streaming movies up online with a pay-per-view system in place!
Actually not all that unbelievable, with the cost of computers being so low, maybe the "net convergence" of TV and the Internet COULD come true, daring technology for once being created AND pushed by a big media corporation.
Hmm, video on demand would be nice as well, I know that there have been times that I would be willing to pay a few extra dollars to watch a TV show when ever and not have to wait for it to come on TV at its normally scheduled time.
I mean sure there is TV, but then there is "oh yah here is that one really good episode of The Simpsons that you wanted, a $1.50 has been deducted from your account."
But, ah, until then, I'll just enjoy encrypting my IMs for, err, whatever reason. And using third party tools to encrypt my AIM logs as well, heh.
Need help treating your acne? Come here!
Go to Thawte, get their Free Personal Email Certificate for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.
Combined with PDAs/laptops and WLAN access, terrorists could safely use this to coordinate terroristic attacks, especially Al-Qaeda's evergreen of equitemporal suicide attacks on free people.
The mighty PATRIOT act should prohibit such devices, won't it ?
I'm not sure if this would be really a bad thing. Dangerous tools are restricted very often to protect people, even if there are many good/peaceful uses.
Take e.g. guns which are restricted in many countries of the world due to their bad possibilities.
Owner of a Mensa membership card.
Realistically, replacing a protocol that uses plaintext with one that uses crypto is good. But I wouldn't trust encrypted AIM for planning any revolutions, folks. To quote one of the linked pages:
"AIM encryption goes beyond basic Secure Socket Layers (SSL) encryption" and "Although SSL is widely used, it does not provide the best security over a Public Instant Messaging network."
This is a big WARNING SIGN, especially considering that a) they provide zero details about what they are using (big no-no in the first place), and b) WASTE, the only other AOLish crypto I've taken a look at, had some fairly serious problems (this was not just my assessment - check the cryptography@metzdowd.com archives for a rundown). This is not exactly confidence inspiring.
Lastly, are they seriously suggesting rolling out a full PKI for all AIM users? Again, details are light so I'm not sure this is what they mean, but it does seem to be implied. If so, someone needs to inform them of the harsh realities of PKI. Certs for AOL users wouldn't be too hard, since they already have addresses, CC #s, etc to let them (at least with reasonable probability) check on people's identity. But everybody else - forget it.
It's easy to install but since both parties need to have it running can be tricky trying to get non-geeks to understand why they should install it.
I used it for a while with the few(2) friends I could convince to run it but then kind of forgot about it...
What I REALLY want is AIM to automatically log all conversations. Like ICQ and IRC. Having to save to a chat file and come up with a name for the file every time is a step backwards.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
I would like to see a GPG plugin for Licq. Some kind of ICQ user ID to GPG key id mapping file, so that I could say 12098242 = 0xe66d4af, and all communication from then on to that user would automatically be encrypted to that key. I know it has SSL encryption built in, but that doesn't work if you're both behind firewalls.
I started to try and work on it, but it was too tricky. Anyone interested in helping out?
Get your own free personal location tracker
They claim to use SSL (in TFA), does that mean it will be relatively trivial to write a compatibility layer for GAIM, Trillian et al.?
It would be really nice to be able to securely IM with people who I really don't want to explain how to setup the programs and security settings, while I can stay in my favorite messenger myself...
(posted anonymous because I'm lazy)
For some reason a couple people have posted so far questioning the usefulness of this. I've used Trillian's SecureIM encryption a number of times and I'll try to give an example of a situation where encrypted IM was useful.
I needed a root password from my brother, we were both running Trillian so we just turned on SecureIM and he gave it to me. This was far easier than any other encrypted messaging we could have done. We've traded passwords a couple other times the same way.
That's how *my* messages usually go! HAVE YOU BEEN SPYING ON ME?
I guess I do need that encryption thing...
-
Security credentials that enable these capabilities - Personal Digital Certificates - are an optional service available to enterprises as part of the Enterprise AIM Services offering.
That is so Bush Administration. So now I have even less incentive to switch back to AIM seeing as that I use one program that allows SecureIM already and connects to multiple services.
-illumina+us "I put on my robe and wizard hat..."
Can a program use the TOC protocol to retrieve away messages? Or buddy icons? Or warn levels? Can it send or retrieve files?
And why doesn't AOL staff seem to care about availability (i.e. non-downtime) of the TOC gateway?
Will I retire or break 10K?
Here is how I see it, there is a lot of push from AOL-TW executives to turn this product, with a large user base, into a real cashcow. The only way that it is doable is by pushing the product into the corporate arena. The AOL-TW execs would like to push all of the infrastructure and software completely into a corporation, same as a mail system (like exchange server, and outlook on the desk). Many businesses were reluctant because it didn't offer the very basics of security. While general users don't care about this, try selling this to a CIO who has had security pounded into their head over the last two years. What question is he/she going to ask, "Would you mind telling me about security for your product?" So when they give this out to you, the public... it's just a mass test, so they can start doing corporate sales. Just my thoughts....
Victory is gained, not in knowing your opponents next move, but in preempting them.
Licq offers secure channels using OpenSSL for a long time. And somehow I trust that a lot more than some strange AOL encryption solution :).
It's nice to see though that this will be supported natively by the protocol. Right now I can only securely IM other Licq users. Also, Licq encryption only works with direct client-to-client connections.
Jabber can use GPG. The only downside is that a two-character message like "no" gets blown up to quite a big chunk. The thing AIM is doing reads like something similar (encrypted message body with world-readable routing information) according to the section "Advantages of Digital Certificates over SSL for encryption" (see the "details" link). Only they won't be using an open scheme for this.
Fight hunger. Filet a politician and send him to a 3rd world country of your choice.
Well, it seems that AOL has finally realized that it's losing too many of its "customers" to other AIM network clients like Trillian, Miranda, GAIM, et al., which already have encryption capabilities and are ACTUALLY FREE - no ads, and often even open source. . :P
As for those of you who don't care about encrypting your IMs... just leave the option turned off XD
I guess you just don't care that your dorm-mates can effortlessly read every word you say to
If that wasn't enough for me, I have friends who, for the lack of a better description, "know too much". Thus, I never know which way a conversation can turn... better have it encrypted or else
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
Get over yourself. Nobody's going to read your AIM conversations. Nobody cares. You're not that interesting.
Hell, the person you're AIMing probably doesn't want to read your messages either.
What about the DMCA? This project would be much better served if it used open source p2p with bayesian filters running with AMD optimizations on GNU/Linux.
DeadAIM does it. It's like AIM+ in that it latches on to the regular aim client. There's other nice features, tabbed messenger windows, cloning so you can run more than one s/n at once. Stuff like that
This probably sounds a lot more inflammatory than I intend for it to sound, but would you like to delineate any of those "good/peaceful" uses for guns?
Cuz I'm comin' up blank on that one...
BTW - GAIM and Trillian might have it as well, but they illegally draft off the big 3 networks (they have no license to tap in), so expect them to be under some serious pressure now that money is starting to flow to the big 3 for enterprise-class IM.
Now that the source is closed (and that they've definitely modified it to scale for so many users) we can be told that there's encryption at both ends, but can you trust them not to go sniffing in the middle?
____________________________________
The Spiders are coming. Episode 4: June 10,2003
Jabber offers SSL.. and if you pick your clients well, JAJC for example, you can even use full PGP protection. Go for the OPEN standard. Go Jabber!
There's a product already out there called SafeMessage (safemessage.com) which has done this for some time. Even Bruce Schneier thought it was too paranoid for everyday use.
that you can't spell either?
The Jabber protocol has supported PGP for a while, and quite a few clients support it. It's used both for end-to-end encryption and for signing both your presence and messages. I'm running a development version of Psi with GPG currently.
I'm sure CuDdLES49128 and her 12 year-old friends were behind this 'innovative' feature.
I mean, honestly, most of AIM users don't even know what encryption is, much less think they need it.
I don't really want to enter into this debate, but, Good / Peaceful uses for guns:
Good & Peaceful:
- Sports / Marksmanship.
There are a multitude of Olympic sports based around marksmanship; you may never hear about them because they're boring as all hell to watch (Look how still that guy is being! and so forth) and are never covered, with the exception of the biathlon.
- Hunting.
Whether this fits your definition of 'peaceful' is up to you, but it's still a legitimate form of recreation in the states.
Good but not necessarily peaceful:
- Enforcing the law.
Most police cars I've seen in the past five years have a shotgun or rifle mounted between the front seats, there's probably a reason for that.
- Self protection.
If Bad Guys can (and do) have firearms, I would like the option of being at least as well armed as the Bad Guys.
- Protection of property.
I like it that there are armed guards inside and out of nuclear power plants. The same goes for military bases, weapons depots, water supplies, and so forth.
There are more arguments and uses, but if you really wanted to find them, you'd be able to on Google in less than a minute.
Pna nalbar fnl ebg13?
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
Ooh, a computer! How dangerous!
Ooh, a cell phone! How dangerous!
Ooh, a steak knife! How dangerous!
Ooh, a nail clipper! How dangerous!
You get the picture.
1 Sharp zaurus
+
1 copy of kismet
==
1 transcription of the entire chat session
Any decent packet sniffer will reveal all that is said. I suspect that they are offering this not to make it safer or get more subscribers, but rather to cover up certain activity.
AOL's servers record chat sessions of members, I'm not certain as to whether or not they do it for non-members. The point is that anyone over there with the requisite access rights can spy on these things. End-to-end encryption will not be default, might require a subscription charge, and might mean end-to-end(AOL)-to-end.
Forgive my pessimism, but I don't trust AOL in any situation. They screw over their members, they screw over those of us with smaller servers, they screw over friends of members. I think they are realizing that they cannot maintain their current empire in the face of broadband, this may just be a feeble attempt to profit from their other markets. Subscription Netscape anyone?
You can't judge a book by the way it wears its hair.
I am using Fire (MacOS X multi-protocol IM client) and it has GPG encryption for long time.
The way they've done it, it is quite easy to make it work with other IM clients: they just use GPG to sign/encrypt each message and then send it plain text in ASCII armor. The client on other side can detect such messages and decode them.
No protocol extensions required. I wish somebody would address support for such a mechanism in standard Yahoo and ICQ clients and other clients.
I guess if more open source IM clients will support it, it could become de-facto IM encryption standard...
I use IM a lot for work and some information I exchange there could considered business secrets.
Soon, "pleading the DMCA" will be as common as "pleading the 5th"
I've found that business groups could really use instant messaging, but don't want to broadcast their IP over the net without some sort of protection. I think it's a better idea to run the IM server locally, but AIM requires no setup and has very nice clients. I can see, for instance, a sales team talking with the engineers using encrypted AIM.
Citizens Against Plate Tectonics
ummm.. It wasn't a troll, I was serious.
Try using Fire then, it has built in support for GPG to provide end to end encryption - works a treat, supports all the major IM protocols, and is developed under the GPL for those of you that care about such things.
I used to have a better sig than this, but I got tired of it
Actually, the last I heard was that the Sept 11 terrorists used unencrypted email from internet cafes. I do not believe that there is a terrorist incident in human history that would have been prevented by banning legitimate privacy technologies such as encryption.
I can use a hammer and chisel to crack open people's skulls - should we ban carpentry tools as well? Don't believe the government's propaganda, banning legitimate technologies "to prevent terrorism" is nonsense, it is just an attempt to gain more power for the various government departments and the corporations that bribe^H^H^H^H^Hcontribute to them.
Remember: "those who would trade freedom for security deserve neither freedom nor security".
K
The problem with these kinds of things is that it makes people feel secure without actually being secure. God knows what backdoors AOL might have included in the code. A good rule of thumb is to not trust anything you can't see the sourcecode of. If you want something said, either GPG encrypt it (not recommended as it is breachable) or deliver the information physically.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Are they then using Waste as the basis of the implementation?
Don't Tread on OpenSource
Many of these replies are misleading or totally incorrect.
.. This AOL beta, in addition to encryption using a certificate, is signing based on the certificate. Trillian does not have an option (as far as I can tell from the free version) to use certificates and/or sign messages.
Trillian does *NOT* do the "same thing"
Also, you do not need "Enterprise" services to use this functionality. I just tested it, and it works fine with the free client. Just get a free Thawte certificate, import it, and begin IM'ing with a friend who has done the same.
Hope this helps clear things up somewhat.
The PATRIOT Act, as far as I know, does not ban any sort of encrypted communication; the Supreme Court has ruled, if I'm not mistaken, that private and anonymous speech is a fundamental component of the First Amendment right to free speech.
Furthermore, this is truly not different from encrypted e-mail or anything else, which, as a prior poster pointed out, was not used by any of the September 11 terrorists.
Guns are restricted, sure. An irresponsible person with a gun is quite dangerous. Even a responsible person with a gun can be dangerous. But the right to encryption technology is not about the right to bear arms in order to prevent a dictatorship (a necessity which is a bit outdated at this point). The right to private speech is not only still necessary, perhaps even more so, with groups like the NSA who intend to be able to intercept any communication worldwide (and have historically given little regard to constitutional restrictions). The right to private, free speech is a fundamental intellectual right which is always crucial no matter what the need or consequence.
---
Anyone who needs to join an organization for those with high IQ's has self-esteem problems, intelligence problems, or both.
How will this work? I mean, if AIM is just generating keys prior to each conversation, then it's not really a digital signature. If you use the same key pair for all your conversations, how will you use your screen name at other computers? One of the big advantages of AIM over other clients is that it is already installed everywhere. If I need advice, I can login and talk to my contacts. OTOH, if it's stored w/ AOL, and messages are passing through AOL.... how is this better than generated per-conversation keys?
IM > See e-mail on the usual server. Password is "Fn68bX4" and the IP is 10.4+
E-mail> The IP to login to is +.10.120, and add "g6h0" to the password.
But really, often we just go to the office and tell them.
_______________________________________________
www.punkwalrus.com - Benny rated, Benny non-approved!
Actually, I did try Fire, and I was pretty impressed with the GUI, but it kept crashing, so I figure I'll check it out again in 6 months or so. ;)
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
when i first read the headline,
my brain filled in the starting g...
hence i was confused, thinking... this is news?!
-judging another only defines yourself
Today is the first time I've ever used the native AIM client, so I'm not sure if this option is supposed to have anything to do with the new certificate functionality .. but,
.. but if anyone knows, fill us in!
What does "Secure Chat" do when setting up a chat room? I don't see any docs on the website or in online help. Does this mean certificates are being used for encryption and signing between members of the chat room, in the same fashion as for the IM's?
I realize it's beta
This is an example of where free software is certainly ahead of the commercial equivalents. Both Kopete and Gaim have had options to encrypt using PGP for quite some time. (Gaim for significantly longer, iirc)
By delegating the authentication and validation to PGP, they are potentially as-secure-as PGP. By doing in-house certification, ala. Trillian & AIM, the identification and encryption is an internal mechanism, and I would argue (successfully) that it is more difficult to prove its potential to be secure.
Not only does open source appear to have the feature first, it seems to do it provably better.
If secure transmissions is really that important to you, go with what you know is secure. You can use it for small companies, the extremely paranoid, or just those who want to swap 'legal' files..... Ask me if you need the client (although I don't have it myself *wink wink*)
-jake
They should really just allow you to import your PGP key, and then all of your messages will be encrypted if the other user also has their PGP key imported. Plus, when using the direct connect aim feature, you could actually verify the authenticity of the remote person...
SIMP offers IM encryption for AIM, ICQ, MSN and Yahoo - either individually for free or SIMP Pro which supports all four IM systems and costs $25.
I was part of the beta program for SIMP Pro and I have to say it's an excellent little program, it even supports encrypted file transfers.
I find it pretty reliable. there are a few small glitches but it's not crashed on me in months.
I used to have a better sig than this, but I got tired of it
Currently you can use any certificate with Secure AIM, including one from Thawte, as was pointed out by a previous poster.
Does it, has several encryption plugins, fully open source, runs well on both windows and linux. There's absolutely no reason to use AIM whatsoever. Get Gaim here, and the gaim-encryption plugin here
Many other IM clients do this natively ( such as trillian, or LICQ ), but it's great AOL is 'seeing the light', as they are perhaps the biggest client generator out there ( between ICQ and AIM ).
:)
These days everything must be encrypted or needs to be pretty much relegated to "how's the weather"..
I guess that means the other clients are already illegal in Michigan I suppose. I'm sure my ssh connection between work and home would be.. Good thing I don't live there
---- Booth was a patriot ----
I believe Gaim-Encryption comes stock with the 0.6x prereleases.
You assume it's made any major updates in the last 6 months. It hasn't. It's all little fixes, and some localisation.
I prefer Proteus now. At least its UI is decent. Single window messaging is like single window browsing; you can't go back to something without it.
What else do you have to do? Besides masturbate, I mean.
Uh... I don't get it, why do people post things like this? Oh well, at least it makes /. fun, in an absurd way. Absurdity is good.
Signature.
Try posting under a username. Saying that, it's unlikely to help. Scratch that.
Hmmm.
I hope there is a dialog or something to the effect of "User foo is sending you their identification credentials so that you can be certain messages in the future are really from this user. Accept Credentials?"
At least then you could be reasonably sure it is really them, if they are right beside you or on the phone when you do this. If it's automatic, then what is the point? There is no real way to trust that you have the real public key of that user then.
Of course, the private and public keys are all likely stored on AOL's servers, which again defeats the purpose. Unfortunately without it being automatic, people won't use it. But automatic just isn't the way to properly authenticate.
PGP delivers an icq plugin that uses your key-ring to communicate pgp-encrypted if your vis-a-vis has installed pgp/icq/that plugin, too.
I wouldn't trust this. I'm fairly certain that the PATRIOT Act requires the provider to be able to log all messages on a per user basis when requested by law enforcement agencies with the proper warrants and such. I would suspect that AOL built the system such that they can decrypt messages at the server. I know of at least one Jabber client which uses gpg for end-to-end encryption, that I would trust (because the encryption depends on data I control).
Karma Whores. That's what it's for. They post thinking "+5 Funny", you know like a cartoon, with one of those thought bubbles over their heads. Picture it. Now. See what I mean.
Just like what I'm doing right now. The thought bubble reads "+5 Insightful"...
-twb
But only if you use "Algorithm 8.0! So easy, anyone can encode!!"
Oh, and with the recent settlement with M$, all your encryption has to be Micrshaft approved. And Time-Warner approved, so it will search for watermarked video/audio/image content the studio owns.
And they don't want to piss off the RIAA or MPAA and lose those keyword contracts, so you can't encrypt anything that has binary content.
Oh, and thanks to the PATRIOT act, any key you generate is backdoored and given to the NSA.
2003? Feels like 1984 =P
Department of Homeland Security: Removing the rights real patriots fought and died for since 2001
That wouldn't explain why an Anonymous Coward would post that, but it at least explains why it seems that every other +5 Funny modded post in the SCO-related articles uses the same joke ("omg look, I found teh stolen code: 'for (i=0; icount; i++)'! hahaha, mod me +funny please!").
Signature.
> That wouldn't explain why an Anonymous Coward would post that
Actually, I use that post and others like it for one of two purposes:
1) Posting extremely lame comments, or
2) Being Karma whores.
In this case, the parent was extremely lame and thus deserved the post. I recommend you all punch yourselves in the balls for not realizing this.
Your reasoning is off-base. You're correct that if you choose a "co-Sophie Germain prime" (you want p=2q+1, not q), the discrete logs problem becomes much nastier, because you have a group of order q, instead of smaller groups for each factor to break.
But there are much faster ways to do discrete logs than by brute force. They use quite advanced math, but the current best attacks on factoring use methods which can be applied to discrete logs with very little modification. Google "index calculus."
For pretty much exactly the reason you mentioned, DH is harder to break than RSA at the same keysize, but not nearly as hard to break as RSA at twice the keysize. And remember how quickly RSA-129 (a 426-bit or so key) was factored by distributed.
You could break DH-128 on a PC if you had to, or in a lab more quickly with some clever programming. It might take them a while, but even if it took weeks running as their PC screensaver, they'd have your whole conversation if they needed it. It'd be enough to keep the jackass down the hall from listening in on your cybersex, but not enough to hide your plan/idea/whatever confidential data you might send over IM/? from a hacker.
I hereby place the above post in the public domain.
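The group-structure point in the post above (with p = 2q + 1 the group has order q instead of splitting into a smaller group per factor of p-1), shown as parameter checks a client could run before a Diffie-Hellman exchange. This is an added example, not part of the original post or of any AIM or Trillian code; the function names and the toy primes 2039 and 2311 are constructed for illustration.

```python
import random

_rng = random.SystemRandom()
SAFE_P = 2039    # constructed toy value: 2*1019 + 1, both prime
SMOOTH_P = 2311  # constructed toy value: 2*3*5*7*11 + 1, prime but not safe

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # witness found: n is composite
    return True

def small_factors(n, bound=1000):
    """Prime factors of n below bound (trial division, toy sizes only)."""
    return [f for f in range(2, bound) if n % f == 0 and is_probable_prime(f)]

def check_group(p, g):
    """Return a list of problems with DH parameters (p, g); empty means acceptable."""
    if not is_probable_prime(p):
        return ["p is not prime"]
    q, problems = (p - 1) // 2, []
    q_prime = is_probable_prime(q)
    if not q_prime:
        problems.append("p is not a safe prime: p-1 has factors other than 2 and q")
    if not 2 <= g <= p - 2:
        problems.append("g is outside [2, p-2]")
    elif q_prime and pow(g, q, p) != 1:
        problems.append("g has order 2q, which leaks the low bit of the exponent")
    return problems

def check_public(y, p):
    """Accept a peer's value only if it lies in the order-q subgroup of a safe prime p."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1
```

For the safe prime, `small_factors(SAFE_P - 1)` finds only 2, while for 2311 the group order 2310 breaks into 2, 3, 5, 7 and 11, which is the case the post warns about.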
Most of my AIM friends fall into fairly large cliques. I mean, what's to stop them from using a PGP-like (non-)structure, where you just get introduced by your friends? Or are the masses too stupid to make this model practical (check fingerprints etc). Maybe those who actually need secure messaging will do this...
I hereby place the above post in the public domain.
Yes, gaim-encryption is nice, but its license is not compatible with gaim's license.
Using gaim-encryption breaks gaim's license (gaim uses Debian's interpretation of the GPL). It has been discussed by the gaim developers and, if asked about gaim-encryption, they will tell you to stop using it (or stop using gaim) until the author of gaim-encryption fixes the license issue (he is aware of it, and is working to resolve it).
Just my two cents worth
Honestly I don't really know what you are talking about, could you explain more? The gaim-encryption I have is under the GPL, although there is some cryptic note on the project page about licensing issues and the Windows build.
Has anyone actually tried using this? I get an error message when I try to import a pfx that disappears too fast for me to read it.
Follow this link for more information about the openssl/gpl problem.
I've been using the encryption add-on at http://www.johnytech.com for quite some time and don't have any complaints.... It works fine and integrates with all the major IM clients, although I'm not sure about the all-in-one offerings, i.e. Trillian.
> It has been discussed by the gaim developers and, if asked about gaim-encryption, they will tell you to stop using it
Whatever, the RIAA tells me to stop using Kazaa, too. Fuck copyright.
supports 128 bit encrypted messages between 2 trillian users, and it auto-establishes the session
it rocks in case you haven't heard of it
it is not a copyright issue....it is a license issue...two different things.
next time make sure your analogies are on topic.
What are you talking about? It most certainly is a copyright issue. It's also a license issue. But the only reason you need a license is because of the copyright. As for whether it's the license of openSSL or that of gaim which the gaim developers are concerned about, I really can't figure it out. Presumably using gaim-encryption violates both.
2) The message format is S/MIME, now defined in RFC 2630. It's been used for years to send secure email messages in Netscape and Microsoft mail programs. It's not some new encryption scheme that AOL dreamed up.
3) Judging from the binaries in use, the new AIM uses the NSS crypto library (used in Mozilla-based software). This code has been around for a long time, and has really stood the test of time.
terrorists use AYM.
I know you are psychotic, but please make an effort.
They pulled WASTE last week, now they are using it privately for AIM
It might be, but I'm not sure we can talk about it under the DMCA, since knowing it's encrypted is the first step towards circumvention... :)
What's to stop someone from calculating the product for all possible combinations of primes in the aforementioned range and dumping this to a database? Wouldn't this eliminate the hassle of having to otherwise deduce the 2 primes used to generate said product?
Bleh, it should be painfully obvious to everyone reading this post that I Am Not A Cryptologist :-/
Need a Linux consultant in New Orleans?
Sorry, I guess I was not too clear on my point.
Gaim-encryption plugin violates gaim's license by DIRECTLY linking openSSL to gaim. The simplest way to solve this is to have the plugin call, not link, a helper program that is linked to openSSL (by making a system() call or something similar).
That is why this is not a copyright issue: gaim has no problem with you writing a plugin that uses openSSL, just with how it interfaces with gaim (hence a license issue).
I have not read the license included in gaim-encryption, but I believe that it includes an exception clause (allowing it to be linked to openSSL) in the GPL. Gaim does not have that exception clause and it will be too difficult to add it in (the developers would have to contact ALL the source code contributors, past and present, to gaim and get their approval to include the exception clause).
Hope this helps clarify the confusion I created.
AIM uses the mozilla open source crypto libraries. You can see the same
crypto DLLs in AIM as in mozilla 1.3 or 1.4. You should be able to build
your own mozilla crypto DLLs from the open sources and substitute them for
the AIM ones. Then you know your AIM crypto is open source.
The encrypted messages are PKCS7/CMS messages, the same format used by
mozilla's S/MIME secure email (look for smime3.dll). The messages identify
each public key that was used to encrypt the message.
That's great! Thanks!
It's Christmas everyday with BitTorrent.
> That is why this is not a copyright issue: gaim has no problem with you writing a plugin that uses openSSL, just with how it interfaces with gaim (hence a license issue).
Why do they have a problem with it?
Regardless, it is both a license issue and a copyright issue. You don't need to follow the license, except for the fact that the program is copyrighted.