New AIM Offering "end to end" Encryption
MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"
Gaim already has such a project. Anyone use it? I've tried it in the past, but couldn't get it to work.
--
http://nemilar.net - Not your grandmother's soup kitchen
Why is this kick ass? Because of the following little gem in the beta description: "[m]essages sent between AIM members can be digitally encrypted and signed." This might be the first time a product for the masses will actually lead to people learning about digital signatures, and setting up their own. You can see where this is leading -- people will get interested, and start to look into encryption in general. This could be the start of mass acceptance of encrypted and signed email. I am tired of looking like a paranoid geek for signing my emails -- I do it for solidarity, and to raise the privacy/encryption consciousness of those getting my emails.
Trillian offers secure instant messaging, given that both sides have it enabled, which is rare.
with W.A.S.T.E.?
Trillian has had this feature for as long as I can remember using it.
Trillian already supports 128 bit encryption over AIM and ICQ between Trillian users.
Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?
I shall go and tell the indestructible man that someone plans to murder him.
It already is encrypted, isn't it?
foxy28uk192323342 says: h1 asl lol
:/
brandon343jfdh says: lol brb fs
Maybe I'm just cynical
I don't know about other people, but my conversations on AIM usually go like this:
Me: Hey
Other guy: Hey
Me: Anything interesting happening?
Other guy: Not much. You?
Me: Not much. Hey, wanna play Starcraft?
Other guy: Sure. See you on in a few minutes. Usual channel.
Me: Okay. See you there.
Frankly, I couldn't care less whether or not anyone else was reading that, and I bet a lot of people feel the same way. It's a nice feature, sure, but it's not the most needed...
I find gaim-encryption to be very well done. It works transparently, using variable key sizes, and uses a security model similar to that of ssh. Kirk
AIM is very insecure by nature. I downloaded Ethereal, a packet sniffer, and it has built-in filters for extracting AIM messages out of the packets AIM sends. So anyone with a packet sniffer program and half a brain can easily eavesdrop on your conversation. And under the PATRIOT act, the US government can do this any time they want... ugh
I think AOL is putting this out way too late. Other messenger services such as Gaim and Trillian have had encryption in for a while now. These services also have a lot of other features that make them superior to the AIM client. Why get AIM?
Since iChat is one of the few "authorized" AIM clients, maybe it will get access to this.
--
the strongest word is still the word "free"
Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them.
Tarsnap: Online backups for the truly paranoid
If AOL has any ties to Verisign, et al.? If it's using PKI (which it says it is), and the "About AIM Personal Certificates" page (Link Here) says it is (which really doesn't go into how they're implemented, or how you can get a certificate), who's to say that they're not going to charge you for getting a certificate? Yahoo integrated encryption in their Yahoo Messenger Enterprise, and other companies have done this in the past (I believe that even ICQ had a version of their server up so that companies could set their own ICQ servers up).
I honestly think it's all about the Money for AOL, and it's going to be prohibitive for Joe Sixpack to get this to work.
I disable sigs...do you?
iChat, which connects to AOL's instant messenger service, uses SSL to encrypt my end to the server. You can't sniff what I'm sending, and if the recipient is using SSL also, you can't sniff what she's receiving, unless you are on AOL's server, or somewhere in between AOL servers where the message might be routed in plain text.
would this be why W.A.S.T.E. was killed? I would guess so. Or...is this AOL's co-opting of WASTE itself? have they just taken the GPL code that was posted for that one day and slapped AIM on it?
FreeBSD for the impatient.
If it isn't completely open source then they are running a man in the middle scam and recording the entire encrypted session in the clear.
All for our own protection, of course....
It's Christmas everyday with BitTorrent.
Go to Thawte, get their Free Personal Email Certificate for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.
Combined with PDAs/laptops and WLAN access, terrorists could safely use this to coordinate terrorist attacks, especially Al-Qaeda's evergreen of equitemporal suicide attacks on free people.
The mighty PATRIOT act should prohibit such devices, won't it?
I'm not sure if this would really be a bad thing. Dangerous tools are restricted very often to protect people, even if there are many good/peaceful uses.
Take e.g. guns which are restricted in many countries of the world due to their bad possibilities.
Owner of a Mensa membership card.
Realistically, replacing a protocol that uses plaintext with one that uses crypto is good. But I wouldn't trust encrypted AIM for planning any revolutions, folks. To quote one of the linked pages:
"AIM encryption goes beyond basic Secure Socket Layers (SSL) encryption" and "Although SSL is widely used, it does not provide the best security over a Public Instant Messaging network."
This is a big WARNING SIGN, especially considering that a) they provide zero details about what they are using (big no-no in the first place), and b) WASTE, the only other AOLish crypto I've taken a look at, had some fairly serious problems (this was not just my assessment - check the cryptography@metzdowd.com archives for a rundown). This is not exactly confidence inspiring.
Lastly, are they seriously suggesting rolling out a full PKI for all AIM users? Again, details are light so I'm not sure this is what they mean, but it does seem to be implied. If so, someone needs to inform them of the harsh realities of PKI. Certs for AOL users wouldn't be too hard, since they already have addresses, CC #s, etc to let them (at least with reasonable probability) check on people's identity. But everybody else - forget it.
It's easy to install, but since both parties need to have it running, it can be tricky trying to get non-geeks to understand why they should install it.
I used it for a while with the few(2) friends I could convince to run it but then kind of forgot about it...
What I REALLY want is AIM to automatically log all conversations. Like ICQ and IRC. Having to save to a chat file and come up with a name for the file every time is a step backwards.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
I have been using Gabber, a Gnome Jabber client, with its GPG support for some time. I have quite a few people on my roster who I can speak to with that extra level of privacy.
I think that the case for privacy is strong. I don't like thinking that my personal conversations go in plain text across people's corporate networks. I have nothing to hide. What I say, though, is still private.
Many people don't see it as being an important issue but then would they send all their snail mail by postcard? I think the reason why they don't consider it important is that they are not fully aware of the possible implications.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10);'
Well, IM is starting to become the most common form of electronic communication, and it is generally taking the place of e-mail in a lot of situations, although most of the time now it is for personal communication. But IM can have more business applications, which need encryption for business-to-business communication (to prevent corporate espionage) and also to do business over IM, such as customer support or placing an order over IM (say for some custom orders that normally have to be made over the phone), so encryption is very important for IM. And it is worth it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I would like to see a GPG plugin for Licq. Some kind of ICQ user ID to GPG key id mapping file, so that I could say 12098242 = 0xe66d4af, and all communication from then on to that user would automatically be encrypted to that key. I know it has SSL encryption built in, but that doesn't work if you're both behind firewalls.
I started to try and work on it, but it was too tricky. Anyone interested in helping out?
Get your own free personal location tracker
For some reason a couple of people have posted so far questioning the usefulness of this. I've used Trillian's SecureIM encryption a number of times and I'll try to give an example of a situation where encrypted IM was useful.
I needed a root password from my brother, we were both running Trillian so we just turned on SecureIM and he gave it to me. This was far easier than any other encrypted messaging we could have done. We've traded passwords a couple other times the same way.
-
Security credentials that enable these capabilities -- Personal Digital Certificates -- are an optional service available to enterprises as part of the Enterprise AIM Services offering.
That is so Bush Administration. Are you kidding me? Haven't you ever sent passwords over AIM? Haven't you ever talked about last night's drug use?
Umm, neither have I. Drugs are bad, mmmkay?
Here is how I see it: there is a lot of push from AOL-TW executives to turn this product, with a large user base, into a real cash cow. The only way that is doable is by pushing the product into the corporate arena. The AOL-TW execs would like to push all of the infrastructure and software completely into a corporation, same as a mail system (like Exchange server, and Outlook on the desk). Many businesses were reluctant because it didn't offer the very basics of security. While general users don't care about this, try selling this to a CIO who has had security pounded into their head over the last two years. What question is he/she going to ask? "Would you mind telling me about security for your product?" So when they give this out to you, the public... it's just a mass test, so they can start doing corporate sales. Just my thoughts....
Victory is gained, not in knowing your opponent's next move, but in preempting them.
Hell yes. My privacy is so important as to accommodate drug dealers and terrorists.
Why is that? Because when you exclude certain people from the basic privileges and rights afforded them by our Constitution, you open up a big 'ol can of worms.
Exclusion becomes a stepping stone on the road to complete disregard for those privileges and rights.
As Benjamin Franklin once said "Those who give away a little freedom for a little safety deserve neither freedom nor safety."
Get over yourself. Nobody's going to read your AIM conversations. Nobody cares. You're not that interesting.
Hell, the person you're AIMing probably doesn't want to read your messages either.
DeadAIM does it. It's like AIM+ in that it latches on to the regular AIM client. There are other nice features: tabbed messenger windows, cloning so you can run more than one s/n at once. Stuff like that.
BTW - GAIM and Trillian might have it as well, but they illegally draft off the big 3 networks (they have no license to tap in), so expect them to be under some serious pressure now that money is starting to flow to the big 3 for enterprise-class IM.
The Jabber protocol has supported PGP for a while, and quite a few clients support it. It's used both for end-to-end encryption and for signing both your presence and messages. I'm running a development version of Psi with GPG currently.
That's pretty cool. It's a shame that iChat looks like something my cat coughed up, or else I'd be tempted to use it on my Mac instead of gaim.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
I'm sure CuDdLES49128 and her 12 year-old friends were behind this 'innovative' feature.
I mean, honestly, most of AIM users don't even know what encryption is, much less think they need it.
1 Sharp zaurus
+
1 copy of kismet
==
1 transcription of the entire chat session
Any decent packet sniffer will reveal all that is said. I suspect that they are offering this not to make it safer or get more subscribers, but rather to cover up certain activity.
AOL's servers record chat sessions of members, I'm not certain as to whether or not they do it for non-members. The point is that anyone over there with the requisite access rights can spy on these things. End-to-end encryption will not be default, might require a subscription charge, and might mean end-to-end(AOL)-to-end.
Forgive my pessimism, but I don't trust AOL in any situation. They screw over their members, they screw over those of us with smaller servers, they screw over friends of members. I think they are realizing that they cannot maintain their current empire in the face of broadband; this may just be a feeble attempt to profit from their other markets. Subscription Netscape anyone?
You can't judge a book by the way it wears its hair.
I am using Fire (Mac OS X multi-protocol IM client) and it has had GPG encryption for a long time.
The way they've done it, it is quite easy to make it work with other IM clients: they just use GPG to sign/encrypt each message and then send it as plain text in ASCII armor. The client on the other side can detect such messages and decode them.
No protocol extensions required. I wish somebody would add support for such a mechanism to the standard Yahoo and ICQ clients and other clients.
I guess if more open source IM clients will support it, it could become the de-facto IM encryption standard...
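The Fire approach described above, as an added example that is not Fire's code or any project's own: the transport layer that wraps a GPG-produced packet in RFC 4880 ASCII armor and recognises such a block inside an ordinary IM line, verifying the armor CRC-24 before anything is handed on to GPG for decryption. It assumes the encrypted packet bytes come from GPG; the sample packet here is constructed.

```python
import base64
import re

# CRC-24 parameters from RFC 4880 section 6.1 (the OpenPGP armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Only the "PGP MESSAGE" armor type is handled: what GPG emits for an encrypted
# (or signed-and-encrypted) message. Optional "Key: value" header lines and a
# blank line may sit between the BEGIN line and the base64 body.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\r?\n(.*?)-----END PGP MESSAGE-----", re.DOTALL)


def crc24(data: bytes) -> int:
    """CRC-24 over the binary packet, exactly as the armor checksum line encodes it."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packet: bytes) -> str:
    """Wrap a binary OpenPGP packet (GPG's output, not produced here) in ASCII armor."""
    body = base64.b64encode(packet).decode("ascii")
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode("ascii")
    lines = ["-----BEGIN PGP MESSAGE-----", ""]                   # no armor headers
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]  # RFC 4880: <= 76 chars/line
    lines += ["=" + check, "-----END PGP MESSAGE-----"]
    return "\n".join(lines)


def extract_armored(chat_text: str):
    """Return the binary packet if the IM text carries an armored PGP message, else None.

    Raises ValueError when a block is present but malformed or its CRC-24 does not
    match, so a corrupted or altered message is never passed to the decryption step.
    """
    m = ARMOR_RE.search(chat_text)
    if m is None:
        return None                      # ordinary chat line: pass through untouched
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    # Base64 never contains ':', so a line with one is an armor header; drop those and blanks.
    data = [ln for ln in lines if ln and ":" not in ln]
    if not data or not data[-1].startswith("="):
        raise ValueError("armor block lacks a checksum line")
    check_line = data.pop()
    packet = base64.b64decode("".join(data), validate=True)
    expected = int.from_bytes(base64.b64decode(check_line[1:]), "big")
    if crc24(packet) != expected:
        raise ValueError("armor CRC-24 mismatch: message corrupted or altered in transit")
    return packet


if __name__ == "__main__":
    ciphertext = b"\x84\x8c\x03constructed-opaque-packet-bytes"  # constructed stand-in for GPG output
    print(extract_armored("friend: " + armor(ciphertext)) == ciphertext)  # True
```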
I use IM a lot for work, and some information I exchange there could be considered business secrets.
Soon, "pleading the DMCA" will be as common as "pleading the 5th"
I've found that business groups could really use instant messaging, but don't want to broadcast their IP over the net without some sort of protection. I think it's a better idea to run the IM server locally, but AIM requires no setup and has very nice clients. I can see, for instance, a sales team talking with the engineers using encrypted AIM.
Citizens Against Plate Tectonics
Many of these replies are misleading or totally incorrect.
This AOL beta, in addition to encryption using a certificate, is signing based on the certificate. Trillian does not have an option (as far as I can tell from the free version) to use certificates and/or sign messages.
Trillian does *NOT* do the "same thing"
Also, you do not need "Enterprise" services to use this functionality. I just tested it, and it works fine with the free client. Just get a free Thawte certificate, import it, and begin IM'ing with a friend who has done the same.
Hope this helps clear things up somewhat.
It's out; download and look at the program. You need to have a personal certificate for this to work. It doesn't currently offer the creation of this cert within AIM; I imagine this would be provided only by the enterprise version of AIM. You can, however, go and create a personal cert somewhere else and import it. It will ask for the cert password every time you start up AIM. It puts a lock beside your screenname, and then, automatically, when two people with the capability talk to each other, it moves up to secure the conversation. Pretty slick. The only real problem is the generation of the certs. Looking back on the previous /. article on PKI, there were a lot of problems. No one seems to be doing it right. (www.thwarte.com has a good 50-step process to get one)
Does anyone know an easier way to get a personal cert to work w/ aim in fewer steps?
-- these are only opinions and they might not be mine.
This is an example of where free software is certainly ahead of the commercial equivalents. Both Kopete and Gaim have had options to encrypt using PGP for quite some time. (Gaim for significantly longer, iirc)
By delegating the authentication and validation to PGP, they are potentially as secure as PGP. By doing in-house certification, à la Trillian & AIM, the identification and encryption is an internal mechanism, and I would argue (successfully) that it is more difficult to prove its potential to be secure.
Not only does open source appear to have the feature first, it seems to do it provably better.
SIMP offers IM encryption for AIM, ICQ, MSN and Yahoo - either individually for free or SIMP Pro which supports all four IM systems and costs $25.
I was part of the beta program for SIMP Pro and I have to say it's an excellent little program, it even supports encrypted file transfers.
I believe Gaim-Encryption comes stock with the 0.6x prereleases.
PotatoBob: Hey, can I place an order
AcmeCoSales: Of course. To where is this being shipped?
PotatoBob: 17 Applebrook Lane, Milwaukee
AcmeCoSales: What is your order?
PotatoBob: One Potato Gun, model XM-4201B
AcmeCoSales: Is that everything?
PotatoBob: Yes
AcmeCoSales: Your total is $134.99
PotatoBob: That can't be right.
AcmeCoSales: It is correct. That is the price in our catalog.
PotatoBob: No, it's not.
AcmeCoSales: Yes, it is.
*** You have warned user AcmeCoSales. His/her warning level is now 20%
*** You have warned user AcmeCoSales. His/her warning level is now 40%
*** You have warned user AcmeCoSales. His/her warning level is now 60%
*** You have warned user AcmeCoSales. His/her warning level is now 80%
*** You have warned user AcmeCoSales. His/her warning level is now 100%
*** User AcmeCoSales has Signed Off.
--TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
supports 128 bit encrypted messages between 2 trillian users, and it auto-establishes the session
it rocks in case you haven't heard of it