Slashdot Mirror


New AIM Offering "end to end" Encryption

MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"

24 of 329 comments

  1. Gaim-E by jonman_d · · Score: 4, Informative

    Gaim already has such a project. Anyone use it? I've tried it in the past, but couldn't get it to work.

  2. trillian by Anonymous Coward · · Score: 3, Informative

    Trillian offers secure instant messaging, given that both sides have it enabled, which is rare.

    1. Re:Trillian by dunham · · Score: 5, Informative

      When I last checked, Trillian negotiated its 128-bit blowfish encryption key via 128-bit DH key exchange, which is not very secure. (It's about as secure as using a 128-bit RSA key.)

    2. Re:Trillian by dunham · · Score: 2, Informative

      Yeah, I got the 128-bit blowfish part from their web page. This would be fairly secure encryption, but their protocol weakens it by using 128-bit diffie-hellman (DH). Currently, the discrete log problem is about the same complexity as the factoring problem, for which conservative people recommend 1024 bits or better. (And never less than 512 bits.)

      I determined that they used 128-bit DH from packet dumps. The DH negotiation is done in hex characters in the first few messages between the users. (Later, the actual encrypted data is sent in binary form.) It's also interesting to note that they appear to use the openssl code.

      I believe this could be broken in about a day or two on modern machines, but I don't have exact numbers. So you can decode monitored trillian traffic without too much effort.

      A second issue with their security is that the DH exchange is susceptible to man-in-the-middle attacks. So AOL wouldn't have to break anything, just intercept the communications. Without a certificate, you can't tell if you're exchanging keys with your AIM Buddy or AOL.

      Finally, as Bruce Schneier frequently points out, it is unwise to use any security protocol that hasn't been publicly disclosed.
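The man-in-the-middle point from the comment above, with the out-of-band fingerprint comparison that catches it, as an added example that is not part of the original thread and is not Trillian's code. The toy 127-bit group and the names `Party`, `handshake` and `modulus_acceptable` are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group: 2**127 - 1 is prime and close to the size reported above.
# These are NOT Trillian's parameters, which the thread does not give.
P = 2**127 - 1
G = 3
MIN_MODULUS_BITS = 1024  # the conservative floor quoted in the comment


def modulus_acceptable(p: int) -> bool:
    """Policy check a client can apply before accepting a peer's DH group."""
    return p.bit_length() >= MIN_MODULUS_BITS


class Party:
    def __init__(self) -> None:
        self.secret = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self.secret, P)

    def session_key(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self.secret, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def fingerprint(self, peer_public: int, initiator: bool) -> str:
        # Hash both public values in a fixed order so honest ends agree.
        first, second = (self.public, peer_public) if initiator else (peer_public, self.public)
        return hashlib.sha256(f"{first:x}|{second:x}".encode()).hexdigest()[:16]


def handshake(relay: "Party | None" = None) -> dict:
    """Run one exchange; `relay` models a server that swaps in its own value."""
    alice, bob = Party(), Party()
    seen_by_alice = relay.public if relay else bob.public
    seen_by_bob = relay.public if relay else alice.public
    return {
        "keys_match": alice.session_key(seen_by_alice) == bob.session_key(seen_by_bob),
        "relay_has_alice_key": bool(relay)
        and relay.session_key(alice.public) == alice.session_key(seen_by_alice),
        # Compared over a separate channel (read aloud, or pinned as ssh does).
        "fingerprints_match": alice.fingerprint(seen_by_alice, True)
        == bob.fingerprint(seen_by_bob, False),
    }


if __name__ == "__main__":
    print("toy modulus acceptable:", modulus_acceptable(P))
    print("direct :", handshake())
    print("relayed:", handshake(Party()))
```

In the relayed run the two users hold different keys, each shared with the relay, and only the fingerprint mismatch reveals it.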

  3. Trillian... by swtaarrs · · Score: 5, Informative

    Trillian has had this feature for as long as I can remember using it.

    1. Re:Trillian... by eddy · · Score: 4, Informative

      But Trillian is bloated flashy-ware, while Miranda (nightlies here) is slim and nice.

      Encryption supported via SecureIM (DH/KE + AES) or gnupg plugin

      --
      Belief is the currency of delusion.

  4. Trillian by sahrss · · Score: 5, Informative

    Trillian already supports 128 bit encryption over AIM and ICQ between Trillian users.

  5. Re:Gaim-E? gaim-encryption by kfort · · Score: 5, Informative

    I find gaim-encryption to be very well done. It works transparently, using variable key sizes, and uses a security model similar to that of ssh. Kirk

  6. Little late.... by jr87 · · Score: 2, Informative

    I think AOL is putting this out way too late. Other messenger services such as Gaim and Trillian have had encryption in for a while now. These services also have a lot of other features that make them superior to the aim client. Why get AIM?

  7. Here's how to get a free key by Anonymous Coward · · Score: 5, Informative

    Go to Thawte, get their Free Personal Email Certificate for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.

    1. Re:Here's how to get a free key by MrBlue+VT · · Score: 2, Informative

      Sure. I used the CA.pl script to do it. The man page is located at http://www.openssl.org/docs/apps/CA.pl.html. Here are the commands I used (make sure to have the openssl binary in your path):

      /usr/local/ssl/misc/CA.pl -newca
      /usr/local/ssl/misc/CA.pl -newreq
      /usr/local/ssl/misc/CA.pl -signreq
      /usr/local/ssl/misc/CA.pl -pkcs12

      Just follow the prompts and it should generate a .p12 certificate, which you can then import into AIM.

      Hope this helps.

  8. Well, it's a start by randombit · · Score: 5, Informative

    Realistically, replacing a protocol that uses plaintext with one that uses crypto is good. But I wouldn't trust encrypted AIM for planning any revolutions, folks. To quote one of the linked pages:

    "AIM encryption goes beyond basic Secure Socket Layers (SSL) encryption" and "Although SSL is widely used, it does not provide the best security over a Public Instant Messaging network."

    This is a big WARNING SIGN, especially considering that a) they provide zero details about what they are using (big no-no in the first place), and b) WASTE, the only other AOLish crypto I've taken a look at, had some fairly serious problems (this was not just my assessment - check the cryptography@metzdowd.com archives for a rundown). This is not exactly confidence inspiring.

    Lastly, are they seriously suggesting rolling out a full PKI for all AIM users? Again, details are light so I'm not sure this is what they mean, but it does seem to be implied. If so, someone needs to inform them of the harsh realities of PKI. Certs for AOL users wouldn't be too hard, since they already have addresses, CC #s, etc to let them (at least with reasonable probability) check on people's identity. But everybody else - forget it.

  9. SecureIM by ElOttoGrande · · Score: 4, Informative

    SecureIM has been around for a while now. It basically acts as a proxy and you set your Aim to connect through it. Inside the proxy it encrypts everything with 256bit blowfish, then on the receiver's end reverses the process. The result is transparent encryption with the standard Aim client.

    It's easy to install but since both parties need to have it running can be tricky trying to get non-geeks to understand why they should install it.

    I used it for a while with the few(2) friends I could convince to run it but then kind of forgot about it...

  10. Re:Hmm.. by abdulwahid · · Score: 2, Informative

    I have been using Gabber, a Gnome Jabber client, with its gpg support for some time. I have quite a few people on my roster who I can speak to with that extra level of privacy.

    I think that case for privacy is strong. I don't like thinking that my personal conversations go in plain text across peoples' corporate networks. I have nothing to hide. What I say though is still private.

    Many people don't see it as being an important issue but then would they send all their snail mail by postcard? I think the reason why they don't consider it important is that they are not fully aware of the possible implications.

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'

  11. Only businesses can use this feature by Animats · · Score: 4, Informative

    From the press release:

    • Security credentials that enable these capabilities - Personal Digital Certificates - are an optional service available to enterprises as part of the Enterprise AIM Services offering.

    That is so Bush Administration.

  12. Re:feh. by generic-man · · Score: 3, Informative

    AIM+ piggybacks onto the official AIM client, offering features like ad removal, automatic logging, and cloning (run two AIM processes at the same time). I use it with AIM 4.x, and all the other features in the official client work just fine.

    --
    For more information, click here.

  13. Dead AIM by prestomation · · Score: 2, Informative

    DeadAIM does it. It's like AIM+ in that it latches on to the regular aim client. There are other nice features: tabbed messenger windows, cloning so you can run more than one s/n at once. Stuff like that.

  14. It's For Business Use by Random+Truth · · Score: 2, Informative

    Companies are starting to buy IM not only for internal communications, but for fast and cheap communications with customers, such as for customer service or alerts. With encryption, a broker can comfortably talk to clients about stock trades over IM.

    BTW - GAIM and Trillian might have it as well, but they illegally draft off the big 3 networks (they have no license to tap in), so expect them to be under some serious pressure now that money is starting to flow to the big 3 for enterprise-class IM.

  15. GPG by krokodil · · Score: 5, Informative

    I am using Fire (MacOS X multi-protocol IM client) and it has had GPG encryption for a long time.

    The way they have done it, it is quite easy to make it work with other IM clients: they just use GPG to sign/encrypt each message and then send it as plain text in ASCII armor. The client on the other side can detect such messages and decode them.

    No protocol extensions required. I wish somebody would address support for such a mechanism in the standard Yahoo and ICQ clients and other clients.

    I guess if more open source IM clients will support it, it could become the de-facto IM encryption standard...

    I use IM a lot for work and some information I exchange there could be considered business secrets.
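How a receiving client can spot an ASCII-armored block inside ordinary chat text, as the comment above describes, and verify the armor checksum before handing the bytes to GPG. This is an added example, not Fire's code; the function names and the sample payload are constructed for illustration, and decryption itself is left to GPG.

```python
import base64
import re

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"\r?\n(.*?)\r?\n" + re.escape(END), re.S)


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload: bytes) -> str:
    """Wrap bytes in ASCII armor; used here only to build the sample input."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, "=" + check, END])


def extract_armored(im_text: str) -> list:
    """Return (payload, checksum_ok) for each armored block in a chat message."""
    found = []
    for match in BLOCK_RE.finditer(im_text):
        lines = match.group(1).replace("\r", "").split("\n")
        # Armor headers such as "Version:" end at the first blank line.
        body = lines[lines.index("") + 1:] if "" in lines else lines
        check = [ln for ln in body if len(ln) == 5 and ln.startswith("=")]
        data = "".join(ln for ln in body if ln not in check)
        try:
            payload = base64.b64decode(data, validate=True)
            ok = bool(check) and base64.b64decode(check[-1][1:]) == crc24(payload).to_bytes(3, "big")
        except ValueError:
            continue  # malformed base64: show it as ordinary chat text
        found.append((payload, ok))
    return found


if __name__ == "__main__":
    sample = b"constructed bytes standing in for GPG output"
    print(extract_armored("see below\n" + armor(sample) + "\nbye"))
```

A block whose checksum fails was altered or truncated in transit and should be shown to the user as undecodable rather than passed on for decryption.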

  16. Setting the record straight .. by the_dreadnought · · Score: 2, Informative

    Many of these replies are misleading or totally incorrect.

    Trillian does *NOT* do the "same thing" .. This AOL beta, in addition to encryption using a certificate, is signing based on the certificate. Trillian does not have an option (as far as I can tell from the free version) to use certificates and/or sign messages.

    Also, you do not need "Enterprise" services to use this functionality. I just tested it, and it works fine with the free client. Just get a free Thawte certificate, import it, and begin IM'ing with a friend who has done the same.

    Hope this helps clear things up somewhat.

  17. Re:Key storage by slashkitty · · Score: 2, Informative

    It's out, download and look at the program. You need to have a personal certificate for this to work. It doesn't currently offer the creation of this cert within aim; I imagine this would be provided only by the enterprise version of aim. You can however go and create a personal cert somewhere else and import it. It will ask for the cert password every time you start up AIM. It puts a lock beside your screenname, then, automatically when two people with the capability talk to each other, it moves up to secure the conversation. Pretty slick. The only real problem is the generation of the certs. Looking back on previous /. article on PKI, there were a lot of problems. No one seems to be doing it right. (www.thwarte.com has a good 50 step process to get one) Does anyone know an easier way to get a personal cert to work w/ aim in fewer steps?

    --
    -- these are only opinions and they might not be mine.

  18. SIMP Already Does This by Spad · · Score: 2, Informative

    SIMP offers IM encryption for AIM, ICQ, MSN and Yahoo - either individually for free or SIMP Pro which supports all four IM systems and costs $25.

    I was part of the beta program for SIMP Pro and I have to say it's an excellent little program, it even supports encrypted file transfers.

  19. Gaim + Encryption by bleak+sky · · Score: 2, Informative

    There's a plugin called Gaim-Encryption for Gaim that uses OpenSSL (and yet another, gaim-e that uses GnuPG) for encryption.

    I believe Gaim-Encryption comes stock with the 0.6x prereleases.

  20. Trillian by waspleg · · Score: 2, Informative

    supports 128 bit encrypted messages between 2 trillian users, and it auto-establishes the session

    it rocks in case you haven't heard of it