New Secure IM Client from NTT Due this Year

An anonymous reader writes "NTT in Japan has developed a new TLS-based secure instant messaging system that it says will comply with corporate compliance regulations, such as the post-Enron Sarbanes-Oxley Act. There's a PC version, as well as a Java one for i-Mode cell phones."

Gaim and OTR

[ChazeFroy]

OTR doesn't use TLS, but it does a great job encrypting conversations. Much better approach than SecureIM by Trillian or gaim-encryption.

Re:Gaim and OTR

[revscat]

For OS X users, the multi-protocol IM client Adium comes with OTR encryption built in by default.

It's a very nice client.

Re:Gaim and OTR

dont forget jabber.org

Re:Gaim and OTR

[brunson]

Nothing like reinventing the wheel.

Jabber can use TLS, it can also use PGP encryption over TLS or an unencrypted TCP connection, it's an open protocol documented in IETF standards track RFCs 3920-3923 and Jabber servers can communicate with each other just like SMTP servers. I installed my Jabber server in an afternoon and I can talk from my server to any other Jabber user, including GoogleTalk users.

Re:Gaim and OTR

[fossa]

Um... OTR is not PGP for a reason. I'm no crypto expert, but with PGP, Alice and Bob know each others public keys. They encrypt messages to each other, and anyone with the secret key, hopefully only Alice or Bob, can decrypt or forge a message. If these messages are stored, any breach due to a trojan, subpoena, etc. will be able to recover the messages.

OTR uses PGP to create a "shared secret" which is used to generate temporary encryption keys for each conversation. During the conversation, the security is the same as in the PGP case. After the conversation, the temporary encryption keys are discarded, so that no one may now decrypt the conversation (at least, they should be discarded). I'm a bit confused on the final step, but I think the shared secret is then published which allows anyone to create new temporary encryption keys which may be used to generate messages that belong to the conversation. This fact may be used to deny the validity of any claimed transcript of the conversation (and this way you don't need to trust that Bob has really discarded the temporary keys).

Encryption is pointless here

[timeOday]

The "compliance" they refer to is that this encrypted IM will have a logging capability. What this means is that outsiders won't be able to snoop (without a court order), which is fine. But your words can still be dug up out of context months or years later if somebody high enough on the ladder decides they want to get rid of you.

Whether email or IM, writing anything controversial is a really bad idea. Say it face to face or on the phone instead.

Of course the question arises of what to do when you receive a verbal order to do something against company policy. You could comply, and take a small chance of later reprecussions, or else refuse or demand the order in writing, and face smaller but almost guaranteed reprecussions over time.

Re:Jabber?

[Randle_Revar]

The XMPP RFC describes the useage of SASL and TLS:
http://www.ietf.org/rfc/rfc3920.txt
TLS can be used on client-sever connections and on sever-server connections.

JEP 27 describes the useage of OpenPGP for encryption:
http://www.jabber.org/jeps/jep-0027.html

RFC 3923 describes S/MIME useage:
http://www.ietf.org/rfc/rfc3923.txt

JEP 116 describes Encrypted Sessions, which seems to be somewhat reminiscent of SSH:
http://www.jabber.org/jeps/jep-0116.html
I don't know that anyone implements this yet.

BTW Can someone tell me whether the connection between the two people chatting with Jabber is P2P or whether it is routed via the server?

Normal chatting at least is all client-server. File transfer can be p2p (normal case) or client-server, while Jingle Audio is p2p.

Re:Jabber

[m_frankie_h]

You can do whiteboarding over Jabber using Coccinella.

jabberd2 can use your LDAP for authentication, data storage and maybe as a directory. I don't know about a web-based UI.