
New Secure IM Client from NTT Due this Year

An anonymous reader writes "NTT in Japan has developed a new TLS-based secure instant messaging system that it says will comply with corporate compliance regulations, such as the post-Enron Sarbanes-Oxley Act. There's a PC version, as well as a Java one for i-Mode cell phones."

13 of 61 comments

  1. Gaim and OTR by ChazeFroy · · Score: 3, Informative

    OTR doesn't use TLS, but it does a great job encrypting conversations. Much better approach than SecureIM by Trillian or gaim-encryption.

    1. Re:Gaim and OTR by revscat · · Score: 2, Informative
      For OS X users, the multi-protocol IM client Adium comes with OTR encryption built in by default.

      It's a very nice client.

    2. Re:Gaim and OTR by brunson · · Score: 2, Informative

      Nothing like reinventing the wheel.

      Jabber can use TLS, it can also use PGP encryption over TLS or an unencrypted TCP connection, it's an open protocol documented in IETF standards track RFCs 3920-3923 and Jabber servers can communicate with each other just like SMTP servers. I installed my Jabber server in an afternoon and I can talk from my server to any other Jabber user, including GoogleTalk users.

      --
      09F911029D74E35BD84156C5635688C0
      Jesus loves you, I think you suck
    3. Re:Gaim and OTR by fossa · · Score: 4, Informative

      Um... OTR is not PGP for a reason. I'm no crypto expert, but with PGP, Alice and Bob know each others public keys. They encrypt messages to each other, and anyone with the secret key, hopefully only Alice or Bob, can decrypt or forge a message. If these messages are stored, any breach due to a trojan, subpoena, etc. will be able to recover the messages.

      OTR uses PGP to create a "shared secret" which is used to generate temporary encryption keys for each conversation. During the conversation, the security is the same as in the PGP case. After the conversation, the temporary encryption keys are discarded, so that no one may now decrypt the conversation (at least, they should be discarded). I'm a bit confused on the final step, but I think the shared secret is then published which allows anyone to create new temporary encryption keys which may be used to generate messages that belong to the conversation. This fact may be used to deny the validity of any claimed transcript of the conversation (and this way you don't need to trust that Bob has really discarded the temporary keys).
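
The key lifecycle the comment above describes, as an added example in pure Python (not code from the comment, from the OTR project, or from NTT): an ephemeral Diffie-Hellman exchange gives a per-conversation secret, an encryption key and a MAC key are derived from it, the encryption key and both DH private values are dropped when the conversation ends, and the MAC key is then published so that anyone can mint a tag-valid "message". The DH group (RFC 3526 group 14), the SHA-256 counter-mode keystream standing in for AES-CTR, and all key labels are this example's assumptions, not OTR's actual parameters.

```python
"""Forward secrecy plus deniability, OTR-style, in stdlib Python.

Added example, not code from the comment or from the OTR project.
Pattern: ephemeral DH -> per-conversation enc/MAC keys -> keys discarded
after the session -> MAC key published so a transcript is unattributable.
Substitutions versus real OTR are labelled in the comments.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2. The group choice is an
# assumption of this example (OTR itself uses the 1536-bit group 5).
_P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(_P_HEX, 16)
G = 2


def dh_keypair():
    """Fresh ephemeral key pair; the private half is never written anywhere."""
    priv = secrets.randbits(320)
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret, rejecting degenerate peer values (0, 1, p-1, out of range)."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def derive_keys(shared):
    """Split the DH secret into separate encryption and MAC keys."""
    s = shared.to_bytes(256, "big")
    return {
        "enc": hashlib.sha256(b"otr-demo-enc" + s).digest(),
        "mac": hashlib.sha256(b"otr-demo-mac" + s).digest(),
    }


def _keystream(key, counter, length):
    """Counter-mode keystream from SHA-256 (stand-in for OTR's AES-CTR)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def mac_tag(mac_key, counter, ct):
    """HMAC over counter||ciphertext; the counter stops replay and reordering."""
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ct, hashlib.sha256).digest()


def seal(keys, counter, plaintext):
    """Encrypt-then-MAC one message; counter must be unique per key."""
    ks = _keystream(keys["enc"], counter, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return counter, ct, mac_tag(keys["mac"], counter, ct)


def open_message(keys, counter, ct, tag):
    """Verify the tag in constant time, then decrypt; raise on tampering."""
    if not hmac.compare_digest(tag, mac_tag(keys["mac"], counter, ct)):
        raise ValueError("bad MAC")
    ks = _keystream(keys["enc"], counter, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def run_conversation(messages):
    """One conversation start to finish. Returns (transcript, published_mac).

    The encryption key and both DH private values die with this frame, so
    nothing that survives (ciphertext, tags, the MAC key) decrypts anything.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    keys_a = derive_keys(dh_shared(a_priv, b_pub))
    keys_b = derive_keys(dh_shared(b_priv, a_pub))
    assert keys_a == keys_b  # both ends derived the same session keys
    transcript = []
    for n, m in enumerate(messages):
        ctr, ct, tag = seal(keys_a, n, m)
        assert open_message(keys_b, ctr, ct, tag) == m  # Bob can read it
        transcript.append((ctr, ct, tag))
    published_mac = keys_a["mac"]  # revealed once the session is over
    del keys_a, keys_b, a_priv, b_priv
    return transcript, published_mac


def forge(published_mac, counter, fake_ct):
    """With the published MAC key anyone can produce a tag-valid 'message'."""
    return counter, fake_ct, mac_tag(published_mac, counter, fake_ct)


def tag_ok(published_mac, counter, ct, tag):
    """What a third party holding a leaked transcript can check: the tag only."""
    return hmac.compare_digest(tag, mac_tag(published_mac, counter, ct))


if __name__ == "__main__":
    transcript, pub_mac = run_conversation([b"meet at 9", b"bring the docs"])
    ctr, ct, tag = forge(pub_mac, 99, b"something Alice never said")
    print("forged message verifies:", tag_ok(pub_mac, ctr, ct, tag))
```

Because the tag on a forged message verifies exactly like the tag on a real one, a transcript recovered by trojan or subpoena proves nothing about who wrote it, and since the encryption key was derived only from the discarded DH secret, the ciphertext cannot be opened later either.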

  2. This is just one more attempt .... by zappepcs · · Score: 4, Insightful

    This is just one more attempt, IMO, to realign privacy and security values to where they were before new technologies. Where IM is replacing conversations around the water cooler in the workplace, securing it from snooping is an okay thing. Logging it as official corporate communications is getting into, perhaps, dangerous territory. There is the part where it is a company resource, but when it comes close to being thought police, it is dangerous.

    I think that modern society is still trying to find a place of 'normalcy' in the midst of new technology. I don't believe that there is an equivalent of IM prior to the advent of IM, other than private conversations. Recording private conversations is still not an okay thing to do. Comparing this to text based conversations that deaf/mute people have with text based phones, it all gets a bit confusing as to what is okay to record and what isn't.

    Until it is clearly understood what is okay to snoop and record and what is not, people will make mistakes in what they allow to be recorded, and why, and how those recordings are used. No manner of encryption will fix the real issues. It seems that the only secure manner to communicate is whispering so that no one can hear what is being said.... very low tech!

  3. Source? by xtal · · Score: 3, Insightful

    If I can't look at the source.. it ain't secure.

    --
    ..don't panic
    1. Re:Source? by Anonymous Coward · · Score: 2, Insightful

      If I can't look at the source.. it ain't secure.

      Just because you can't see the source doesn't necessarily make it insecure. It just makes it harder for you to verify that it's secure.

      You can't see the source code for the computer in your car. Does that make it unsafe to drive?

    2. Re:Source? by m_frankie_h · · Score: 2, Interesting

      http://www.acm.org/classics/sep95/

      You have to look at the compiler, the OS, the microcode and the hardware, too.

    3. Re:Source? by lasindi · · Score: 2, Insightful

      If I can't look at the source.. it ain't secure.

      No ... if you can't look at the source, you can't know that it's secure. Open source is great, and IMHO it produces more secure products in general; but open source isn't some magic spell that makes programs secure. Firefox, Linux, KDE, etc. all have security problems now and then. Whether or not they aren't as bad as their proprietary counterparts is debatable, but nothing is 100% secure, FOSS or not.

      --
      I have discovered a truly remarkable proof of this theorem that this sig is too small to contain.
  4. Encryption is pointless here by timeOday · · Score: 2, Informative
    The "compliance" they refer to is that this encrypted IM will have a logging capability. What this means is that outsiders won't be able to snoop (without a court order), which is fine. But your words can still be dug up out of context months or years later if somebody high enough on the ladder decides they want to get rid of you.

    Whether email or IM, writing anything controversial is a really bad idea. Say it face to face or on the phone instead.

    Of course the question arises of what to do when you receive a verbal order to do something against company policy. You could comply, and take a small chance of later repercussions, or else refuse or demand the order in writing, and face smaller but almost guaranteed repercussions over time.

  5. Re:Jabber by DrXym · · Score: 2, Interesting
    Seriously, why wouldn't a company want a secure flexible internal IM system, for free, instead of an expensive proprietary system?

    Our company uses something called Lotus Sametime. Ever heard of it? Me neither until I joined. I've heard of Lotus of course, but not Sametime. Basically it's an AIM-a-like for corporate environments. Now you ask why they use it... because (and these are the only reasons as far as I can see) it has some screensharing / whiteboarding capabilities, its authentication can be tied into your corporate id & password and the directory hooks into LDAP. If there were something available in open source which was comparable, as robust and included a web-based UI for screenshare meetings, I am pretty certain they would consider switching. As there probably isn't, that's your answer.

    I don't particularly like Sametime but it does do what it's meant to do, more or less. It's certainly not flashy, is Windows-only and more insidiously requires IE Java to do the screen sharing but it works. I expect that site licences also play a part in its continuing favour in our org. IMHO a site licence is a great way to chain a company to your tech - once they bought it, they're scared to switch away for fear of losing "value" on the deal.

    There is another unwritten advantage of a proprietary IM system. It stops your employees wasting time chatting to all their buddies on AIM, jabber etc. instead of doing work.

  6. Re:Jabber? by Randle_Revar · · Score: 4, Informative

    The XMPP RFC describes the usage of SASL and TLS:
    http://www.ietf.org/rfc/rfc3920.txt
    TLS can be used on client-server connections and on server-server connections.

    JEP 27 describes the usage of OpenPGP for encryption:
    http://www.jabber.org/jeps/jep-0027.html

    RFC 3923 describes S/MIME usage:
    http://www.ietf.org/rfc/rfc3923.txt

    JEP 116 describes Encrypted Sessions, which seems to be somewhat reminiscent of SSH:
    http://www.jabber.org/jeps/jep-0116.html
    I don't know that anyone implements this yet.

    BTW Can someone tell me whether the connection between the two people chatting with Jabber is P2P or whether it is routed via the server?

    Normal chatting at least is all client-server. File transfer can be p2p (normal case) or client-server, while Jingle Audio is p2p.
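
The TLS and SASL negotiation that brunson's and Randle_Revar's comments refer to (RFC 3920) is only as secure as the client's policy for it, so here is an added example, not code from either comment or from any Jabber implementation, of the decision a client makes after receiving `<stream:features>`: take a STARTTLS offer whenever one is present, treat a missing offer as a downgrade unless the caller explicitly accepts a plaintext stream, and never send SASL PLAIN over a plaintext stream even when the server omits `<required/>`. The feature stanzas are constructed for the example; the mechanism preference order and the `allow_plaintext_stream` flag are assumptions of the example.

```python
"""Choosing the next step of an XMPP (RFC 3920) stream negotiation safely.

Added example, not from the comments above or from any Jabber client.
"""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Mechanisms that hand the server a reusable secret; unsafe without TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Client preference order (an assumption of this example).
PREFERRED_MECHS = ("SCRAM-SHA-1", "DIGEST-MD5", "PLAIN")

# Constructed sample stanzas, shaped like what a server sends after
# <stream:stream>; the namespace URIs are the real RFC 3920 ones.
FEATURES_PRE_TLS = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_POST_TLS = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_NO_TLS = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""


def parse_features(xml_text):
    """Extract the STARTTLS offer, its <required/> flag and the SASL list."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")
    tls = root.find(f"{{{NS_TLS}}}starttls")
    mechs = [m.text.strip()
             for m in root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")
             if m.text]
    return {
        "starttls": tls is not None,
        "tls_required": tls is not None and tls.find(f"{{{NS_TLS}}}required") is not None,
        "mechanisms": mechs,
    }


def next_step(features, tls_active, allow_plaintext_stream=False):
    """Return ('starttls', None), ('auth', mechanism) or ('abort', reason).

    tls_active is whether the socket is already wrapped in TLS. A server that
    offers no STARTTLS on a plaintext stream is treated as a downgrade
    unless the caller opted into allow_plaintext_stream; even then,
    password-revealing mechanisms are never used without TLS.
    """
    f = parse_features(features) if isinstance(features, str) else features
    if not tls_active:
        if f["starttls"]:
            return ("starttls", None)
        if not allow_plaintext_stream:
            return ("abort", "server offers no STARTTLS; refusing plaintext session")
    for mech in PREFERRED_MECHS:
        if mech in f["mechanisms"]:
            if mech in PLAINTEXT_MECHS and not tls_active:
                continue  # would leak the password in the clear
            return ("auth", mech)
    return ("abort", "no acceptable SASL mechanism offered")


def starttls_proceeded(xml_text):
    """Interpret the server's reply to <starttls/>: True on <proceed/>, False on <failure/>."""
    el = ET.fromstring(xml_text)
    if el.tag == f"{{{NS_TLS}}}proceed":
        return True
    if el.tag == f"{{{NS_TLS}}}failure":
        return False
    raise ValueError("unexpected reply to starttls")


if __name__ == "__main__":
    print(next_step(FEATURES_PRE_TLS, tls_active=False))   # ('starttls', None)
    print(next_step(FEATURES_POST_TLS, tls_active=True))   # ('auth', 'DIGEST-MD5')
    print(next_step(FEATURES_NO_TLS, tls_active=False))    # ('abort', ...)
```

The point of the `tls_active` argument is that the decision depends on the client's own state, not on what the server advertises: a server (or a man-in-the-middle rewriting the stream) can simply omit `<starttls/>` and list only PLAIN, and a client that trusts the feature list as a policy will hand over the password.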

  7. Re:Jabber by m_frankie_h · · Score: 2, Informative

    You can do whiteboarding over Jabber using Coccinella.

    jabberd2 can use your LDAP for authentication, data storage and maybe as a directory. I don't know about a web-based UI.