New AIM Offering "end to end" Encryption
MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"
Why is this kick ass? Because of the following little gem on the beta description: "[m]essages sent between AIM members can be digitally encrypted and signed." This might be the first time a product for the masses will actually lead to people learning about digital signatures, and setting up their own. You can see where this is leading -- people will get interested, and start to look into encryption in general. This could be the start of mass acceptance of encrypted and signed email. I am tired of looking like a paranoid geek for signing my emails -- I do it for solidarity, and to raise the privacy/encryption consciousness of those getting my emails.
Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?
I shall go and tell the indestructible man that someone plans to murder him.
AIM is very insecure by nature. I downloaded Ethereal, a packet sniffer, and it has built in filters for extracting AIM messages out of the packets AIM sends. So anyone with a packet sniffer program and half a brain can easily eavesdrop on your conversation. And under the PATRIOT act, the US government can do this any time they want... ugh
Since iChat is one of the few "authorized" AIM clients, maybe it will get access to this.
...is for someone somewhere to actually write something in AIM that is worthwhile to encrypt.
Personally, I think the original security of instant messaging was sufficient...that is, there is so much white noise, that the data stream just isn't worth tapping into.
Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them.
iChat, which connects to AOL's instant messenger service, uses SSL to encrypt my end to the server. You can't sniff what I'm sending, and if the recipient is using SSL also, you can't sniff what she's receiving, unless you are on AOL's server, or somewhere in between AOL servers where the message might be routed in plain text.
Would this be why W.A.S.T.E. was killed? I would guess so. Or... is this AOL's co-opting of WASTE itself? Have they just taken the GPL code that was posted for that one day and slapped AIM on it?
Nullsoft, a subsidiary releases WASTE, a p2p files and chat client with encryption
AOL pulls WASTE
AIM, made by AOL, gets encryption
Coincidence...?
What I REALLY want is AIM to automatically log all conversations. Like ICQ and IRC. Having to save to a chat file and come up with a name for the file every time is a step backwards.
I would like to see a GPG plugin for Licq. Some kind of ICQ user ID to GPG key id mapping file, so that I could say 12098242 = 0xe66d4af, and all communication from then on to that user would automatically be encrypted to that key. I know it has SSL encryption built in, but that doesn't work if you're both behind firewalls.
I started to try and work on it, but it was too tricky. Anyone interested in helping out?
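An added sketch of the mapping-file idea described in this post (not code from Licq, GPG or the poster): it parses "UIN = keyid" lines, validates the key ids, and builds the gpg command for a peer, refusing to fall back to plaintext when a peer has no mapped key. The sample mapping file and key ids are constructed for illustration; the UIN 12098242 is the one from the post.

```python
import re
import subprocess

# Constructed sample mapping file in the "UIN = keyid" shape the post describes.
SAMPLE_MAP = """\
# icq uin -> gpg key id
12098242 = 0x0123456789ABCDEF
55512345 = 0xDEADBEEFCAFEF00D
bogus line
"""

# Accept short (8), long (16) or fingerprint (40) hex key ids, optional 0x prefix.
KEYID_RE = re.compile(r"^(?:0x)?(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")

def parse_keymap(text):
    """Parse 'uin = keyid' lines; skip blanks/comments; report malformed entries."""
    keymap, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            errors.append((lineno, "missing '='"))
            continue
        uin, keyid = (part.strip() for part in line.split("=", 1))
        if not uin.isdigit():
            errors.append((lineno, "UIN must be numeric"))
            continue
        if not KEYID_RE.match(keyid):
            errors.append((lineno, "bad key id"))
            continue
        keymap[int(uin)] = keyid.upper()[2:] if keyid.lower().startswith("0x") else keyid.upper()
    return keymap, errors

def peer_is_encryptable(keymap, uin):
    """True only when the peer has a mapped key; callers must not send plaintext otherwise."""
    return uin in keymap

def gpg_encrypt_argv(keymap, uin, sender_keyid=None):
    """Build the gpg argv for a message to `uin`; fail closed when no key is mapped."""
    if not peer_is_encryptable(keymap, uin):
        raise LookupError(f"no key mapped for UIN {uin}; refusing plaintext fallback")
    argv = ["gpg", "--batch", "--armor", "--encrypt", "--recipient", keymap[uin]]
    if sender_keyid:  # also sign, so the peer can verify who sent it
        argv += ["--sign", "--local-user", sender_keyid]
    return argv

def encrypt_message(keymap, uin, plaintext, sender_keyid=None):
    """Run gpg on the plaintext (needs a local gpg with the recipient key imported)."""
    argv = gpg_encrypt_argv(keymap, uin, sender_keyid)
    result = subprocess.run(argv, input=plaintext.encode(), capture_output=True, check=True)
    return result.stdout.decode()
```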
They claim to use SSL (in TFA); does that mean it will be relatively trivial to write a compatibility layer for GAIM, Trillian et al.?
It would be really nice to be able to securely IM with people to whom I really don't want to explain how to set up the programs and security settings, while I can stay in my favorite messenger myself...
(posted anonymous because I'm lazy)
For some reason a couple of people have posted so far questioning the usefulness of this. I've used Trillian's SecureIM encryption a number of times and I'll try to give an example of a situation where encrypted IM was useful.
I needed a root password from my brother, we were both running Trillian so we just turned on SecureIM and he gave it to me. This was far easier than any other encrypted messaging we could have done. We've traded passwords a couple other times the same way.
Are you kidding me? Haven't you ever sent passwords over AIM? Haven't you ever talked about last night's drug use?
Umm, neither have I. Drugs are bad, mmmkay?
The Jabber protocol has supported PGP for a while, and quite a few clients support it. It's used both for end-to-end encryption and for signing both your presence and messages. I'm running a development version of Psi with GPG currently.
Thawte originally promised to move the database outside of the US if the US ceased to have adequate privacy protections in law. After the Patriot Act, they should have done so, but they didn't. Thawte today is just a front for Verisign, which, among other things, operates a national wiretapping service for law enforcement and others.
... One company, VeriSign Inc., offers a one-stop, turnkey solution to help telecom carriers comply with CALEA.
VeriSign's nationwide signaling network infrastructure, digital certificate technology and secure data centers enable it to provide a scalable service bureau solution that saves carriers significant capital expense and virtually eliminates administration costs involved in meeting the legal, technical and operational requirements of CALEA.
Using Verint Systems Inc.'s STAR-GATE, a solution that provides the means to access and deliver intercepted communications content and call data to law enforcement agencies, VeriSign offers a streamlined solution that meets the needs of wireline, wireless and cable telephony carriers. Puri explains that once contracted by the carrier, VeriSign becomes the primary point of contact for law enforcement. "Once we receive the order ... it's completely hands off for the carrier."
Among the orders NetDiscovery processes are historical call records, pen registers or trap and trace (real-time call data as it occurs), as well as wire taps from both law enforcement and national security agencies. The company's personnel are set up to handle classified orders, having attained the appropriate government security clearances, Puri says.
In addition to eliminating a carrier's need to maintain such personnel, NetDiscovery also eliminates the need to connect to the thousands of agencies with authority to request information.
The solution supports circuit switches and beginning this quarter it will support packet-based gear, such as soft switches. The company is working with Cisco Systems Inc. to support its soft switches, routers and gateways. ...
In addition to Cisco, VeriSign is working with four other "market-leading" vendors to ensure support for their packet-based offerings, it says. ...
"Almost every provider has some sort of packet-based hardware, so support for packet under CALEA is critical. It cuts across all types of carriers from wireline to wireless to cable MSOs," he says.
The company is looking also at solutions for ISPs and their gear (routers, gateways, etc.) although they are not included under CALEA, Puri adds.
Verisign just had a session on wiretapping for ISPs at Supercomm. Basically, Verisign runs the US's wiretapping infrastructure. They thus can't be trusted as a security provider.
1 Sharp zaurus
+
1 copy of kismet
==
1 transcription of the entire chat session
Any decent packet sniffer will reveal all that is said. I suspect that they are offering this not to make it safer or get more subscribers, but rather to cover up certain activity.
AOL's servers record chat sessions of members; I'm not certain as to whether or not they do it for non-members. The point is that anyone over there with the requisite access rights can spy on these things. End-to-end encryption will not be the default, might require a subscription charge, and might mean end-to-end(AOL)-to-end.
Forgive my pessimism, but I don't trust AOL in any situation. They screw over their members, they screw over those of us with smaller servers, they screw over friends of members. I think they are realizing that they cannot maintain their current empire in the face of broadband; this may just be a feeble attempt to profit from their other markets. Subscription Netscape anyone?
It would be nice if AIM made their encryption scheme usable by other clients...
Well, maybe not other AIM clients (eg trillian), but remember that the deal with MS will allow the IMs to interact? It's a reasonably safe bet that MSN messenger will be able to exchange secure messages with AIM.
I've found that business groups could really use instant messaging, but don't want to broadcast their IP over the net without some sort of protection. I think it's a better idea to run the IM server locally, but AIM requires no setup and has very nice clients. I can see, for instance, a sales team talking with the engineers using encrypted AIM.
This is an example of where free software is certainly ahead of the commercial equivalents. Both Kopete and Gaim have had options to encrypt using PGP for quite some time. (Gaim for significantly longer, iirc)
By delegating the authentication and validation to PGP, they are potentially as secure as PGP. By doing in-house certification, à la Trillian & AIM, the identification and encryption is an internal mechanism, and I would argue (successfully) that it is more difficult to prove its potential to be secure.
Not only does open source appear to have the feature first, it seems to do it provably better.
As a Fire developer myself, I thought that I could contribute a little more to this. We have started to participate in a discussion on the best way to do encryption over IM protocols. This discussion can be found here: http://www.chat.solidhouse.com/smsn/. The GAIM-E author has even contributed to this discussion.
Also, we have drastically improved the way that the GPG encryption is handled. It now works on more protocols and will be more consistent. My favorite is that we now correctly recognize a gpg installed by fink.
Here is how I envision this in the end. Assuming that AOL didn't use PGP (or GPG), then we (OS client authors) should try to support their protocol, along with PGP (or GPG), which would be considered more secure.
Glad to run across another satisfied Fire user.
Also, I believe Trillian was the first IM to provide end-to-end encryption. It's been a long while since my sessions with other Trillian users have been plain-text.
It's nice to see a big company embrace encryption like this. Sure, they could just be slightly paranoid about various AIM sniffers out there, including their own. I guess that idea didn't go too far.
Actually, I'm not too surprised. In an electronic world full of plain-text mail, plain-text passwords, plain-text just about everything short of SSL pages, VPNs, PGP mail, and ssh tunnels, there's going to be a breaking point. Are users going to force vendors into providing encryption? With the popularity of wireless networks and free "network administration" tools, with GUI front-ends no less, perhaps encryption will be the new industry buzzword in the near future.