Slashdot Mirror

← Back to Stories (view on slashdot.org)

New AIM Offering "end to end" Encryption

Posted by CmdrTaco on from the step-in-the-right-direction dept.

MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"

37 of 329 comments (clear)

  1. Gaim-E by jonman_d · · Score: 4, Informative

    Gaim already has such a project. Anyone use it? I've tried it in the past, but couldn't get it to work.

    --

    --
    http://nemilar.net - Not your grandmother's soup kitchen
  2. Start of something bigger? by waytoomuchcoffee · · Score: 4, Interesting

    Why is this kick ass? Because of the following little gem on the on the beta description: "[m]essages sent between AIM members can be digitally encrypted and signed." This might be the first time a product for the masses will actually lead to people learning about digital signatures, and setting up their own. You can see where this is leading -- people will get interested, and start to look into encryption in general. This could be the start of mass acceptance of encrypted and signed email. I am tired of looking like a paranoid geek for signing my emails -- I do it for solidarity, and to raise the privacy/encryption consciousness of those getting my emails..

  3. trillian by Anonymous Coward · · Score: 3, Informative

    Trillian offers secure instant messagin, given that both sides have it enabled, which is rare.

    1. Re:Trillian by dunham · · Score: 5, Informative

      When I last checked Trillian negotiated its 128-bit blowfish encryption key via 128-bit DH key exchange, which is not very secure. (It's about as secure as using a 128-bit RSA key.)

  4. So that's what they did... by Albanach · · Score: 3, Insightful

    with W.A.S.T.E.?

  5. Trillian... by swtaarrs · · Score: 5, Informative

    Trillian has had this feature for as long as I can remember using it.

    1. Re:Trillian... by eddy · · Score: 4, Informative

      But Trillian is bloated flashy-ware, while Miranda (nightlies here) is slim and nice.

      Encryption supported via SecureIM (DH/KE + AES) or gnupg plugin

      --
      Belief is the currency of delusion.
    2. Re:Trillian... by ptbarnett · · Score: 4, Insightful
      Trillian has had this feature for as long as I can remember using it.

      But, doesn't Trillian make the connection directly between the two clients, rather than sending it through the server?

      It doesn't work well when either user has a firewall blocking incoming connections.

  6. Trillian by sahrss · · Score: 5, Informative

    Trillian already supports 128 bit encryption over AIM and ICQ between Trillian users.

  7. Locking out clients? by mkro · · Score: 5, Interesting

    Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?

    --
    I shall go and tell the indestructible man that someone plans to murder him.
    1. Re:Locking out clients? by Hanji · · Score: 3, Insightful

      Because as nice as Jabber may or may not be theoretically for whatever reasons (I don't know anything about it), AIM has one BIG advantage: EVERYONE USES IT. And if you try to get people to switch to a Jabber network from AIM, explaining that it's "open," you'll just get blank stares, and comments that "but all my friends use AIM!"

      Technical superiority does not ensure success, unfortunately.

      --
      A Minesweeper clone that doesn't suck
  8. AOL using encryption by PirateDave+-) · · Score: 5, Funny

    It already is encrypted, isn't it?

    foxy28uk192323342 says: h1 asl lol
    brandon343jfdh says: lol brb fs

    Maybe I'm just cynical :/

  9. Why? by Tyrdium · · Score: 3, Insightful

    I don't know about other people, but my conversations on AIM usually go like this: Me: Hey Other guy: Hey Me: Anything interesting happening? Other guy: Not much. You? Me: Not much. Hey, wanna play Starcraft? Other guy: Sure. See you on in a few minutes. Usual channel. Me: Okay. See you there. Frankly, I couldn't care less whether or not anyone else was reading that, and I bet a lot of people feel the same way. It's a nice feature, sure, but it's not the most needed...

    1. Re:Why? by sahrss · · Score: 5, Insightful

      Some users (like me) have fairly serious or business conversations over these chat networks. Using unsecure chat is like speaking in a room with hidden nooks and cracks in the walls leading to other rooms; anyone can sniff an unsecure chat.

      I much prefer conducting my semi-private conversations in a high tower with thick walls, where strangers cannot overhear them.

      Trillian is what I use right now to allow this, but it only works with Trillian users, not normal AIM users. It would be nice if AIM made their encryption scheme usable by other clients...although I agree with other posters that it may just be a plan to keep other clients off the network.

  10. Re:Gaim-E? gaim-encryption by kfort · · Score: 5, Informative

    I find gaim-encryption to be very well done. It works transparently, using variable key sizes, and uses a security model similar to that of ssh. Kirk

  11. Re:Thank god by swtaarrs · · Score: 5, Interesting

    AIM is very insecure by nature. I downloaded Ethereal, a packet sniffer, and it has built in filters for extracting AIM messages out of the packets AIM sends. So anyone with a packet sniffer program and half a brain can easily eavesdrop on your conversation. And under the PATRIOT act, the US government can do this any time they want... ugh

  12. sure hope Apple adds this to iChat by SweetAndSourJesus · · Score: 3, Interesting

    Since iChat is one of the few "authorized" AIM clients, maybe it will get access to this.

    --

    --
    the strongest word is still the word "free"
  13. And you trust them? by cperciva · · Score: 3, Interesting

    Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them.

    --
    Tarsnap: Online backups for the truly paranoid
  14. Really makes me wonder by ONU+CS+Geek · · Score: 3, Insightful

    If AOL has any ties to Verisign, et al.? If it's using PKI (which it says it is), and the "About AIM Personal Certificates" page (Link Here) says it is (which really doesn't go into how they're implemented, or how you can get a certificate), who's to say that they're not going to charge you for getting a certificate? Yahoo integrated encryption in their Yahoo Messenger Enterprise, and other companies have done this in the past (I believe that even ICQ had a version of their server up so that companies could set their own ICQ servers up).

    I honestly think it's all about the Money for AOL, and it's going to be prohibitive for Joe Sixpack to get this to work.

    --

    I disable sigs...do you?
  15. Re:Thank god by krisp · · Score: 3, Interesting

    iChat, which connects to AOL instant messager service, uses SSL to encrypt my end to the server. You can't sniff what i'm sending, and if the receipent is using SSL also, you can't sniff what she's reveiving, unless you are on AOL's server, or somewhere inbetween AOL servers where the message might be routed in plain text,.

  16. Here's how to get a free key by Anonymous Coward · · Score: 5, Informative

    Go to Thawte, get their Free Personal Email Certificate for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.

    1. Re:Here's how to get a free key by Animats · · Score: 4, Interesting
      Yeah, right. Provide your name, address, date of birth, and social security number, and you get a key.

      Thawte originally promised to move the database outside of the US if the US ceased to have adequate privacy protections in law. After the Patriot Act, they should have done so, but they didn't. Thawte today is just a front for Verisign, which, among other things, operates a national wiretapping service for law enforcement and others.

      • Stepped-up concern over security has put the heat on carriers to ensure they can meet mandates under the FCC's 1994 Communications Assistance for Law Enforcement Act (CALEA), requiring telecom service providers to support the ability of law enforcement agencies to conduct lawful, authorized electronic surveillance of call content and call data.

        ... One company, VeriSign Inc., offers a one- stop, turnkey solution to help telecom carriers comply with CALEA.

        VeriSign's nationwide signaling network infrastructure, digital certificate technology and secure data centers enable it to provide a scaleable service bureau solution that saves carriers significant capital expense and virtually eliminates administration costs involved in meeting the legal, technical and operational requirements of CALEA.

        Using Verint Systems Inc.'s STAR-GATE, a solution that provides the means to access and deliver intercepted communications content and call data to law enforcement agencies, VeriSign offers a streamlined solution that meets the needs of wireline, wireless and cable telephony carriers. Puri explains that once contracted by the carrier, VeriSign becomes the primary point of contact for law enforcement. "Once we receive the order ... it's completely hands off for the carrier."

        Among the orders NetDiscovery processes are historical call records, pen registers or trap and trace (real-time call data as it occurs), as well as wire taps from both law enforcement and national security agencies. The company's personnel are set up to handle classified orders, having attained the appropriate government security clearances, Puri says.

        In addition to eliminating a carrier's need to maintain such personnel, NetDiscovery also eliminates the need to connect to the thousands of agencies with authority to request information.

        The solution supports circuit switches and beginning this quarter it will support packet-based gear, such as soft switches. The company is working with Cisco Systems Inc. to support its soft switches, routers and gateways. ...

        In addition to Cisco, VeriSign is working with four other "market-leading" vendors to ensure support for their packet-based offerings, it says. ...

        "Almost every provider has some sort of packet-based hardware, so support for packet under CALEA is critical. It cuts across all types of carriers from wireline to wireless to cable MSOs," he says.

        The company is looking also at solutions for ISPs and their gear (routers, gateways, etc.) although they are not included under CALEA, Puri adds.

      Verisign just had a session on wiretapping for ISPs at Supercomm. Basically, Verisign runs the US's wiretapping infrastructure. They thus can't be trusted as a security provider.

  17. Wouldn't be this illegal under the PATRIOT act ? by Krapangor · · Score: 3, Funny

    Combined with PDAs/laptops and WLAN access, terrorists could savely use this to coordinate terroristic attacks, especially Al-Kadia's evergreen of equitemporal suidice attacks on free people.
    The mighty PATRIOT act should prohibit such devices, won't it ?
    I'm not sure if this would be really a bad thing. Dangerous tools are restricted very often to protect people, even if the are many good/peaceful uses.
    Take e.g. guns which are restricted in many countries of the world due to their bad possibilities.

    --
    Owner of a Mensa membership card.
  18. Well, it's a start by randombit · · Score: 5, Informative

    Realistically, replacing a protocol that uses plaintext with one that uses crypto is good. But I wouldn't trust encrypted AIM for planning any revolutions, folks. To quote one of the linked pages:

    "AIM encryption goes beyond basic Secure Socket Layers (SSL) encryption" and "Although SSL is widely used, it does not provide the best security over a Public Instant Messaging network."

    This is a big WARNING SIGN, especially considering that a) they provide zero details about what they are using (big no-no in the first place), and b) WASTE, the only other AOLish crypto I've taken a look at, had some fairly serious problems (this was not just my asessment - check the cryptography@metzdowd.com archives for a rundown). This is not exactly confidence inspiring.

    Lastly, are they seriously suggesting rolling out a full PKI for all AIM users? Again, details are light so I'm not sure this is what they mean, but it does seem to be implied. If so, someone needs to inform them of the harsh realities of PKI. Certs for AOL users wouldn't be too hard, since they already have addresses, CC #s, etc to let them (at least with reasonable probability) check on people's identity. But everybody else - forget it.

  19. SecureIM by ElOttoGrande · · Score: 4, Informative
    SecureIM has been around for a while now. It basically acts as a proxy and you set your Aim to connect through it. Inside the proxy it encrypts everything with 256bit blowfish, then on the receiver's end reverses the process. The result is transparent encryption with the standard Aim client.

    It's easy to install but since both parties need to have it running can be tricky trying to get non-geeks to understand why they should install it.

    I used it for a while with the few(2) friends I could convince to run it but then kind of forgot about it...

  20. Re:The next step... by jellomizer · · Score: 3, Interesting

    Well IM is starting to become the most common form of electronic communication and it is generally taking the place of E-Mail for a lot of situations. Although most of the time now it is for personal communication. But IM can have more business application which needs encryption for Business to Business communication (to prevent corporate espionage) and also to do business over IM, such as customer support or placing an order over IM (say for some custom orders that normally have to be over the phone) so encryption is very important for IM. And it is worth it.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  21. GPG plugin for Licq by caluml · · Score: 4, Interesting

    I would like to see a GPG plugin for Licq. Some kind of ICQ user ID to GPG key id mapping file, so that I could say 12098242 = 0xe66d4af, and all communication from then on to that user would automatically be encrypted to that key. I know it has SSL encryption built in, but that doesn't work if you're both behind firewalls.
    I started to try and work on it, but it was too tricky. Anyone interested in helping out?

    --
    Get your own free personal location tracker
  22. The usefullness of this by iamdrscience · · Score: 4, Interesting

    For some reason a couple people have posted so far questioning the usefullness of this. I've used Trillian's SecureIM encryption a number of times and I'll try to give an example of a situation where encrypted IM was useful.

    I needed a root password from my brother, we were both running Trillian so we just turned on SecureIM and he gave it to me. This was far easier than any other encrypted messaging we could have done. We've traded passwords a couple other times the same way.

  23. Only businesses can use this feature by Animats · · Score: 4, Informative
    From the press release:
    • Security credentials that enable these capabilities â" Personal Digital Certificates â" are an optional service available to enterprises as part of the Enterprise AIM Services offering.
    That is so Bush Administration.
  24. This makes business sense. by acherrington · · Score: 5, Insightful

    Here is how I see it, there is a lot of push from AOL-TW executives to turn this product, with a large user base, into a real cashcow. The only way that it is doable is by pushing the product into the corporate areana. The AOL-TW execs would like to push all of the infrastructure and software completely into a corporation, same as a mail system (like exchange server, and outlook on the desk). Many businesses were reluctant because it didn't offer the very basics of security. While general users don't care about this, try selling this to a CIO who has had security pounded into their head over the last two years. What question is he/she going to ask, "Would you mind telling me about security for your product?" So when they give this out to you, the public... it's just a mass test, so they can start doing corporate sales. Just my thoughts....

    --


    Victory is gained, not in knowing your opponents next move, but in preempting them.
  25. Re:feh. by generic-man · · Score: 3, Informative

    AIM+ piggybacks onto the official AIM client, offering features like ad removal, automatic logging, and cloning (run two AIM processes at the same time). I use it with AIM 4.x, and all the other features in the official client work just fine.

    --
    For more information, click here.
  26. geeze by nomadic · · Score: 3, Funny

    Get over yourself. Nobody's going to read your AIM conversations. Nobody cares. You're not that interesting.

    Hell, the person you're AIMing probably doesn't want to read your messages either.

  27. Re:Thank god by carpe_noctem · · Score: 3, Funny

    That's pretty cool. It's a shame that iChat looks like something my cat coughed up, or else I'd be tempted to use it on my Mac instead of gaim.

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  28. I sure as hell don't. by SHEENmaster · · Score: 3, Interesting

    1 Sharp zaurus
    +
    1 copy of kismet
    ==
    1 transcription of the entire chat session

    Any decent packet sniffer will reveal all that is said. I suspect that they are offering this not to make it safer or get more subscribers, but rather to cover up certain activity.

    AOL's servers record chat sessions of members, I'm not certain as to whether or not they do it for non-members. The point is that anyone over there with the requisite access rights can spy on these things. End-to-end encryption will not be default, might require a subscription charge, and might mean end-to-end(AOL)-to-end.

    Forgive my pessimism, but I don't trust AOL in any situation. They screw over their members, they screw over those of us with smaller servers, they screw over friends of members. I think they are realizing that they cannot mainttain their current empire in the face of broadband, this may just be a feeble attempt to profit from their other markets. Subscription Netscape anyone?

    --
    You can't judge a book by the way it wears its hair.
  29. GPG by krokodil · · Score: 5, Informative

    I am using Fire (MacOS X multi-protocol IM client) and it has GPG encryption for long time.

    The way they done it, it is quite easy to make it work with other IM clients: they just use GPG to sign/encrypt each message and then send it plain text in ASCII armor. The client on other side can detect such messages and decode them.

    No protocol extensions required. I wish somebody address support for such mechanism in standard Yahoo and ICQ clients and other clients.

    I guess if more open source IM clients will support it, it could become de-facto IM encryption
    standard...

    I use IM a lot for work and some information I exchange there could considered business secrets.

    1. Re:GPG by gbooker · · Score: 5, Interesting

      As a Fire developer myself, I thought that I could contribute a little more to this. We have started to participate in a discussion on the best way to do encryption over IM protocols. This discussion can be found here: http://www.chat.solidhouse.com/smsn/. The GAIM-E author has even contributed to this discussion.

      Also, we have drastically improved the way that the GPG encryption is handled. It now works on more protocols and will be more consistent. My favorite is that we now correctly recognize a gpg installed by fink.

      Here is how I invision this in the end. Assuming that AOL didn't use PGP (or GPG), then we (OS Client Authors) should try to support their protocol, along with PGP (or GPG) which would be considered more secure.

      Glad to run across another satisfied Fire user.

      --
      You see? It's like I've always said. You can get more with a kind word and a 2x4 than you can with just a kind word.
  30. Re:The next step... by orangesquid · · Score: 3, Funny

    PotatoBob: Hey, can I place an order
    AcmeCoSales: Of course. To where is this being shipped?
    PotatoBob: 17 Applebrook Lane, Milwaukee
    AcmeCoSales: What is your order?
    PotatoBob: One Potato Gun, model XM-4201B
    AcmeCoSales: Is that everything?
    PotatoBob: Yes
    AcmeCoSales: Your total is $134.99
    PotatoBob: That can't be right.
    AcmeCoSales: It is correct. That is the price in our catalog.
    PotatoBob: No, it's not.
    AcmeCoSales: Yes, it is.
    *** You have warned user AcmeCoSales. His/her warning level is now 20%
    *** You have warned user AcmeCoSales. His/her warning level is now 40%
    *** You have warned user AcmeCoSales. His/her warning level is now 60%
    *** You have warned user AcmeCoSales. His/her warning level is now 80%
    *** You have warned user AcmeCoSales. His/her warning level is now 100%
    *** User AcmeCoSales has Signed Off.

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive