Slashdot Mirror
New AIM Offering "end to end" Encryption
MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"
Trillian has had this feature for as long as I can remember using it.
Trillian already supports 128 bit encryption over AIM and ICQ between Trillian users.
Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?
I shall go and tell the indestructible man that someone plans to murder him.
It already is encrypted, isn't it?
foxy28uk192323342 says: h1 asl lol
:/
brandon343jfdh says: lol brb fs
Maybe I'm just cynical
I find gaim-encryption to be very well done. It works transparently, using variable key sizes, and uses a security model similar to that of ssh. Kirk
AIM is very insecure by nature. I downloaded Ethereal, a packet sniffer, and it has built in filters for extracting AIM messages out of the packets AIM sends. So anyone with a packet sniffer program and half a brain can easily eavesdrop on your conversation. And under the PATRIOT act, the US government can do this any time they want... ugh
When I last checked Trillian negotiated its 128-bit blowfish encryption key via 128-bit DH key exchange, which is not very secure. (It's about as secure as using a 128-bit RSA key.)
Go to Thawte, get their Free Personal Email Certificate for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.
Some users (like me) have fairly serious or business conversations over these chat networks. Using unsecure chat is like speaking in a room with hidden nooks and cracks in the walls leading to other rooms; anyone can sniff an unsecure chat.
I much prefer conducting my semi-private conversations in a high tower with thick walls, where strangers cannot overhear them.
Trillian is what I use right now to allow this, but it only works with Trillian users, not normal AIM users. It would be nice if AIM made their encryption scheme usable by other clients...although I agree with other posters that it may just be a plan to keep other clients off the network.
Realistically, replacing a protocol that uses plaintext with one that uses crypto is good. But I wouldn't trust encrypted AIM for planning any revolutions, folks. To quote one of the linked pages:
"AIM encryption goes beyond basic Secure Socket Layers (SSL) encryption" and "Although SSL is widely used, it does not provide the best security over a Public Instant Messaging network."
This is a big WARNING SIGN, especially considering that a) they provide zero details about what they are using (big no-no in the first place), and b) WASTE, the only other AOLish crypto I've taken a look at, had some fairly serious problems (this was not just my asessment - check the cryptography@metzdowd.com archives for a rundown). This is not exactly confidence inspiring.
Lastly, are they seriously suggesting rolling out a full PKI for all AIM users? Again, details are light so I'm not sure this is what they mean, but it does seem to be implied. If so, someone needs to inform them of the harsh realities of PKI. Certs for AOL users wouldn't be too hard, since they already have addresses, CC #s, etc to let them (at least with reasonable probability) check on people's identity. But everybody else - forget it.
Here is how I see it, there is a lot of push from AOL-TW executives to turn this product, with a large user base, into a real cashcow. The only way that it is doable is by pushing the product into the corporate areana. The AOL-TW execs would like to push all of the infrastructure and software completely into a corporation, same as a mail system (like exchange server, and outlook on the desk). Many businesses were reluctant because it didn't offer the very basics of security. While general users don't care about this, try selling this to a CIO who has had security pounded into their head over the last two years. What question is he/she going to ask, "Would you mind telling me about security for your product?" So when they give this out to you, the public... it's just a mass test, so they can start doing corporate sales. Just my thoughts....
Victory is gained, not in knowing your opponents next move, but in preempting them.
I am using Fire (MacOS X multi-protocol IM client) and it has GPG encryption for long time.
The way they done it, it is quite easy to make it work with other IM clients: they just use GPG to sign/encrypt each message and then send it plain text in ASCII armor. The client on other side can detect such messages and decode them.
No protocol extensions required. I wish somebody address support for such mechanism in standard Yahoo and ICQ clients and other clients.
I guess if more open source IM clients will support it, it could become de-facto IM encryption
standard...
I use IM a lot for work and some information I exchange there could considered business secrets.