Cerulean Studios Releases Trillian IM Protocol Specifications

Runefox writes "Cerulean Studios, the company behind the long-lived Trillian instant messaging client, has released preliminary specifications to their proprietary "Astra" protocol, now named IMPP (Instant Messaging and Presence Protocol), which provides continuous client functionality as well as mandatory TLS encryption for clients. According to their blog, Cerulean Studios' motivation for the release is to promote interoperability among the throngs of IM services and clients available by allowing others to also use the protocol. Future concepts include federation with XMPP. While the documentation is in an early state and the protocol is claimed to still be in development, it is hoped that it will help decentralize the very heavily fragmented messaging ecosystem. It's implied that, in turn, greater options for privacy may become available in the wake of the PRISM scandal via privately-run federated servers, unaffiliated with major networks, yet still able to communicate with them."

Too little too late

[Jonah+Hex]

Seriously, the last time I heard about someone using Trillian was years ago. They are a victim of their own business choices and no longer relevant, I've recommended Pidgin for those who want a all-in-one program instead of separate chat programs, but frankly most people seem to want to stick with whatever the separate companies provide. - HEX

Re:Too little too late

Ironic really, their "business choices" included enabling access to IM networks whose protocols weren't open...now they're making a big deal out of their own proprietary protocol's "specifications" (i.e. useless advertising material) available.

And the captcha word of the day is "surreal," no less.

Re:Too little too late

[jonwil]

I used to use Trillian for a while but then I switched to the open-source Miranda IM client. Talks to most of the networks I need (IRC, ICQ, MSN, AIM) and has all the features I need (even more so with extra plugins). 100% open source so I can hack on it if I wanted to.

Only thing it doesn't do is Skype but you can thank Microsoft for that, not Trillian.

Re:Too little too late

[dkuntz]

I actually still use Trillian, expressly for the continuous client functionality. As there is also the iPhone app, OS X, Windows, etc, not every IM service allows you to log in in multiple locations simultaneously, and allow you to start a conversation on a mobile device, continue on a Windows box, then finish it on a Mac, and have the IM logs and history available on each one. And since a lot of my friends, coworkers, etc, don't rely only on Facebook chat, and I occasionally will send something important to someone, or they to me via IM, being able to look at 1 unified history for that person, and not needing to look on system A, B and C to find the logs, is quite beneficial.

I've seen some other clients that will do similar things, though mainly on the mobile side only (IM+). Pidgin also does not have a released binary for OS X. You can use one of the ports (Fink/MacPorts), or compile from source (people here may not have issues with that, average desktop types will), or use Adium, which uses the core of pidgin, but, so far, the only decent, and frequently updated, all in one IM program with persistence over multiple clients is Trillian.

Re:Too little too late

[davydagger]

pidgin is open source and does skype

Re:Too little too late

[magic+maverick+]

No. Not on its own it doesn't. It still requires the binary blob from Skype.

Re:Too little too late

[jalopezp]

It kind of does skype. You need to keep skype running, and I've found it often does not display incoming messages. More than once I've had to open up the skype chat window to see what someone's said.

Re:Too little too late

Keeping OS X users off the network is a feature, not a flaw.

Re:Too little too late

No, you can thank Miranda for that.
Trillian does Skype just fine, without even needing Skype installed, or at least it did, when I last used it. Now that Skype does Bookface and MSN, I just stick with that. Though I did quite like the way Trillian handles Twitter. In any case,. Skype-Kit has been around for a while, people have been bugging the Miranda team about it for a few years now, and as far as I know, Microsoft hasn't pulled the plug on it.

As far as I know, there's no reason for the Miranda team not to be able to support Skype via Skypekit, unless there's some sort of aversion to using Skype's library.

Seriously, what the fuck?

Why WOULDN'T you check your facts before posting?

Re:Too little too late

[Kalriath]

Nope, it's Skype Communications SarL's fault. That restriction existed long before the Microsoft purchase.

Re:Too little too late

[MiG82au]

Except the OTR plugin for it is old and goes nuts when talking to newer libOTRs and having multiple devices logged in.

I'm Not OK With This

I'm concerned that if this encryption is unbreakable to the authorities, this could be problematic in thwarting terrorists and other evildoers.
  I'm not sure its so good that communications is completely unbreakable, there should be some mechanism whereby the government and agencies trying to keep us safe can intercept and decode them.

Re:I'm Not OK With This

Yeah, wouldn't want any tea partiers to start a nonprofit without the IRS knowing about it.

Re: I'm Not OK With This

Ha ha ha ha ha! Good one! ....oh, wait. You're serious, aren't you?

Re:I'm Not OK With This

[davydagger]

like the anti-nuclear acvitists phil zimmerman was trying to protect.

How dare someone critize government or corporate intrests. They might as well be blowing up buildings.

Unimpressed

[cronot]

There has been a lot of backlash on their blog about this: Why didn't they just go with XMPP? What their protocol have that XMPP doesn't, or couldn't be extended to support?

Personally - just a guess (also, btw, disclaimer: I'm a subscriber) - I think they're dying. Their client haven't been getting any significant development for the past year, current issues with some protocols have been going unaddressed, and new features like Lync protocol support (which there are working OSS implementations) have been going completely ignored despite many people clamoring for it.

So, they have been silent for a long time, and now this. It's fishy.

Re:Unimpressed

[LordKronos]

Why didn't they just go with XMPP? What their protocol have that XMPP doesn't, or couldn't be extended to support?

http://xkcd.com/927/

Re:Unimpressed

[icebike]

XMPP doesn't provide for much in the way of security unless you are using strictly private single servers.

Once your contacts are scattered across multiple jabber servers all bets are off as far as security.
Your server will almost surely end up forwarding your message to other servers insecurely.

XMPP also struggles with binary blobs (images) etc.

Re:Unimpressed

Disclaimer: I run a small ejabberd server.

> Your server will almost surely end up forwarding your message to other servers insecurely

Eh? Require your server to only federate using SSL/TLS. (Granted, what other servers do with your bits is beyond your control, but *any* communication over the internet has this problem.)

> Once your contacts are scattered across multiple jabber servers...

AFAIK, this doesn't happen. [citation needed]

Re:Unimpressed

[hobarrera]

XMPP doesn't provide for much in the way of security unless you are using strictly private single servers.

Once your contacts are scattered across multiple jabber servers all bets are off as far as security.
Your server will almost surely end up forwarding your message to other servers insecurely.

XMPP also struggles with binary blobs (images) etc.

a) There's GPG for XMPP, which is not so uncommon.
b) They intend to federate to XMPP, so, all this applies to IMPP.
c) SSL isn't end-to-end.

As for binary blobs, there's jingle.

Re:Unimpressed

[bill_mcgonigle]

What their protocol have that XMPP doesn't, or couldn't be extended to support?

It has TLS, which is a bad idea for chat. Unless you're taking a deposition, or something, where you want provable identity, most chat is expected to be ephemeral and reputable. Picture two people sitting quietly chatting in a secure room. That's the goal for most online chat.

You want to use OTR for most chat, not TLS. It offers repudiation as well as authentication, security, and perfect forward secrecy. It's even obnoxious about repudiation on the wire.

TLS is great for other stuff. It's just the wrong choice for online chat.

disclaimer: trusting the summary.

Re:Unimpressed

[icebike]

Virtually none of the people i communicate use the same jabber service as I do. Most are overseas, some in countries that don't allow encryption. So even though my service offers encrypted connections, I know that its not encrypted as it travels from my server to their server and then on to the other end.
I use a service, I don't run my own.

Re:Unimpressed

[loufoque]

You can deal with Authentication using GPG.

Re:Unimpressed

[loufoque]

As far as I understand it, XMPP doesn't allow direct client-to-client communication, you have to go through one or several third-party servers, which will get the content of your messages even if you use encryption.
It would have certainly been better to build this as an extension to file-transfer or audio/video chat rather than making a new protocol however. (I don't know XMPP that much, but I suppose those three things are direct client-to-client for efficiency reasons)

Re:Unimpressed

[bill_mcgonigle]

You can deal with Authentication using GPG.

Certainly. GPG offers authentication, like TLS, and of course security through encryption, but neither offer repudiation or perfect forward secrecy, which are essential features of OTR and ought to be for any protocol implementing causal chat protocols. They'd be inappropriate features for the problems GPG and TLS are solving.

In general, you don't want to be able to prove that Alice or Bob said something in an online chat at some point in the future - that's not the nature of chatting. And if Mallory captures their computing devices, you don't want him to be able to forge messages using their private keys that make it look like they said something they didn't.

Re:Unimpressed

[Bert64]

So each user gets to choose what service they use.. If you individually aren't concerned about privacy then you can use a service which doesn't support encryption, if you are concerned then you can run your own service.

Ultimately you have to trust the party your communicating with, even if you talk to them securely you have no control over what they do with your communication after receiving it.

Re:Unimpressed

[Bert64]

You don't have to use a third party server, you can run your own server for this purpose...
You can also use end to end encryption tools such as OTR so that the server never has any unencrypted data.

Re:Unimpressed

[drinkypoo]

It has TLS, which is a bad idea for chat.

Wait, what? All you need to know with chat is that this message came from the same guy as the last message. TLS is fine for that.

Re:Unimpressed

[Fnord666]

And if Mallory captures their computing devices, you don't want him to be able to forge messages using their private keys that make it look like they said something they didn't.

Then I guess you don't want to be using OTR then, because this is one of its features.

From the OTR site:

The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you.

This is actually what gives you deniability. After the chat is completed, anyone can forge additional content. This means that no particular piece of content can be proven to be a part of the original conversation.

Re:Not for long.

[icebike]

But those laws can't possibly work once the allow the end users to use standard public/private encryption schemes rather than foisting some proprietary solution that relies on the central node being able to decrypt every message.

Once more applications start using key pairs to encrypt payload the three letter agencies will have to brute force decrypt everything.
Routing data is still harder to deal with.

Good... but questionable.

[UltraZelda64]

On the one hand, yes, in a way it is dumb to "open it up" after all this time when XMPP is there. On the other hand, with Google having lost its Federation support and soon enough to lose XMPP support altogether; with MSN Messenger being eliminated in favor of the Outlook.com site or the Skype with a totally closed protocol, and who knows what else, it seemed that XMPP was the only choice. Well, still, for now at least it is probably the best choice--let's see how IMPP takes off--but at least it's no longer the only "open" choice. The promise of Federation with XMPP servers is also good. Overall, I think the extra choice prevails in importance over everyone just jumping blindly to XMPP (simply because it's all that there is left).

I mean nothing against XMPP--I will be using it unless IMPP proves itself and offers something superior, but I appreciate the choice and the opportunity for the two to compete on a level (open) playing field for the best features. This just means there will be more choice when using multi-protocol clients like Pidgin, and will likely spawn special IMPP "native" instant messaging clients, similarly to what Psy is to XMPP. In the end, I would say this is a welcome change, and with the recent turn of events the timing really isn't too late.

Re:Not for long.

But those laws can't possibly work once the allow the end users to use standard public/private encryption schemes rather than foisting some proprietary solution that relies on the central node being able to decrypt every message.

Once more applications start using key pairs to encrypt payload the three letter agencies will have to brute force decrypt everything.
Routing data is still harder to deal with.

You can't have a turn-key encrypted communications program without trusting the implementation, and the key management system. You can do it all yourself... today. If you want wide acceptance, it's going to have to be the turn-key approach.

Most people don't care, you know. It's not that everyone has a "I'm not hiding something so I don't care" attitude, it's just not worth the effort to actively attempt to defeat every possible surveillance tool, it's not practical.

Re:Not for long.

[ttucker]

The problem is not so much the turn-key bit, as the fact that users have to effectively manage their own keys to provide any semblance of protection from eavesdropping from whichever three-letter agency. With your attacker in the middle of the communication channel, having the ability to modify/replace datagrams, there is no hope of securely exchanging keys over the internet....

Re:Not for long.

[icebike]

Management of your private key is the only burden.
Keeping that backed up, yet available on every device upon which you need it is admittedly a minor hassle.

Once you get used to doing that, its pretty easy to deal with this for email.

The longer this NSA issue hangs in the press the more likely people will accept this task.

I can see some company coming along that offers Zero Knowledge storage, where they can't decrypt anything you send them, even at gunpoint, because they don't have your decryption key.
You could theoretically keep your private keys on their server, and simply fetch them as needed, and never store them on the device. One password to rule them all.

Re:Not for long.

[Nerdfest]

SpiderOak does that right now, as a DropBox like service, and CrashPlan offers it as one of their security options for their backup service. I highly recommend both of them. It really isn't that hard to manage your private keys. I really wish people would start doing it for email as well, but I guess everybody just uses FaceBook these days anyway. Sigh.

That reminds me...

Why don't we yet have a truly distributed and encrypted chatting protocol, sorta like email except with much lower latency? Have both feature to talk to individual persons, keep the list of it on your local machine (or synced to actual trusted servers, whatever works for you), and as well as joining a "chatroom" within the entire network (which is just a string or whatever), rather than having to rely on having specific servers.

I'm sure people can work out the smilies plugin and random misc things later on. Just get the basics done, something everyone and everything can use.

It's a small pet peeve of me, similar to the pain of moving files between two arbitrary computers (http://xkcd.com/949/)

Re:That reminds me...

If I'm not mistaken, Retroshare does what you ask for.

http://retroshare.sourceforge.net/

Re:That reminds me...

[Lehk228]

We do, it's called xmpp

It's the provider, stupid !

[arielCo]

We have XMPP+Jingle, SIP+SIMPLE, OMA IMPS, and now this IMPP joins the club. Guess why people stick to Live Messenger, Skype, Google Talk, Facebook and (gasp) ICQ? These have providers and a pre-existing audience, and people don't care about the inner workings. You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too? Yes, there are a few and we all know one; just wait until said project goes belly-up.

Re:It's the provider, stupid !

[UltraZelda64]

You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too?

That's why you try to educate people on why they should use that "open" service instead of the increasingly-closed crap, offer to set it up for them (bonus: to register an XMPP account, typically no e-mail address or additional "personal" information is needed), install a good client, and just go on from there. If they like it and want to use it, great--if not, they can go back to whatever increasingly-closed service they were on to begin with. But from now on, they'll most likely only be able to find me on XMPP.

Unfortunately, the chances of people actually choosing to use it (or even wiling to try it) is relatively slim. Not because of anything inherently wrong with XMPP itself, but primarily the extreme foothold shitty text messaging and Facebook has these days. People for whatever reason these days love bending over with their pants down, paying ridiculous amounts for text messages (bragging "unlimited" this, "unlimited" that), and anything better (cheaper, not tied to one phone/system, security with TLS and OTR, etc.) is automatically shunned when the word "registration" pops up. Not to mention most people I talk to end up with a blank stare and do not care one bit when I bring up "security" and "privacy" in the conversation.

For a lot of people it really is an already-determined lost cause. Those people, I just won't "chat" with.

Re:It's the provider, stupid !

[hobarrera]

We have XMPP+Jingle, SIP+SIMPLE, OMA IMPS, and now this IMPP joins the club. Guess why people stick to Live Messenger, Skype, Google Talk, Facebook and (gasp) ICQ? These have providers and a pre-existing audience, and people don't care about the inner workings. You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too? Yes, there are a few and we all know one; just wait until said project goes belly-up.

People started caring about gtalk's inner workings when they realized they could not longer see a lot of their contacts (the non-google ones) in the new "hangouts" clients.

Jabber precedes Skype. XMPP precedes Gtalk.

Seems like most of your claims are invalid.

Also, there's a new XMPP<->SIP federation standards in the works (it's still a IETF draft though).

Re:It's the provider, stupid !

[arielCo]

You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too?

That's why you try to educate people on why they should use that "open" service instead of the increasingly-closed crap, offer to set it up for them (bonus: to register an XMPP account, typically no e-mail address or additional "personal" information is needed), install a good client, and just go on from there. If they like it and want to use it, great--if not, they can go back to whatever increasingly-closed service they were on to begin with. But from now on, they'll most likely only be able to find me on XMPP.

This is precisely what WON'T work, except to alienate your acquaintances. They don't want to be lectured on the importance of openness - at most they'll acknowledge it's a neat idea but in the end what they care about is: Does it work (reliably)? Does it have nice features (voice, video, and possibly file transfers and emoticons)? Can I use it across my devices? For example, Skype mostly fits the bill here.

I once had a guy ("we all know one" in GPP) pull that hard-sell on me and some other friends, in the early days of Google Talk; he'd keep his Messenger account logged in only to tell us that any further chats would be over XMPP or not at all. Guess what happened.

Unfortunately, the chances of people actually choosing to use it (or even wiling to try it) is relatively slim. Not because of anything inherently wrong with XMPP itself, but primarily the extreme foothold shitty text messaging and Facebook has these days.

I'll give you one downside: *nobody* outside of us techies has heard of XMPP. So *their* acquaintances are not on XMPP either and they would let you install that client only to chat with you.

People for whatever reason these days love bending over with their pants down, paying ridiculous amounts for text messages (bragging "unlimited" this, "unlimited" that), and anything better (cheaper, not tied to one phone/system, security with TLS and OTR, etc.) is automatically shunned when the word "registration" pops up. Not to mention most people I talk to end up with a blank stare and do not care one bit when I bring up "security" and "privacy" in the conversation.

For a lot of people it really is an already-determined lost cause.

Not everybody has shitty SMS plans (mine is unlimited for all purposes). Not all people care about secure communications, especially when they're about dinner plans and random chit-chat. They also don't perceive eavesdropping as a significant risk (they trust Google and Microsoft, especially the latter since they made his O/S), much less their gov't snooping in ("Pfft... my emails would bore them sick"). No cause of theirs is lost.

Those people, I just won't "chat" with.

Do you have non-techy relatives and friends, who can't be arsed to install Pidgin in their Macs? And you make it harder for them to contact you because you can't be arsed to register a perfunctory email account (with a silly fake name and behind a proxy if you're so keen on protecting UltraZelda64's identity) and use the client (inside a virtual machine if you fear malware/rootkits) it to say "Hi, grab a coffee?" ? People before causes, bro.

Re:It's the provider, stupid !

[arielCo]

STANDARDS vs SERVICES. I can plan my life with Summer Glau from courtship to the kids to be had and retirement, and refine it until my fingertips bleed, but it's not getting me any closer to a material reality. Or rewrite the English language into perfect consistency. Hmm... a Dr. Esperanto came to mind.

Re:It's the provider, stupid !

[loufoque]

There is an XMPP interface to Facebook chat which works pretty well. Works even better than GMail on some aspects.

Re:It's the provider, stupid !

[Jesus_666]

Guess why people stick to Live Messenger[...]?

No, they don't. Microsoft shut down Live Messenger in April. You're expected to use Skype instead.

My friends aren't exactly happy about that; Skype doesn't exactly have a great user interface. There's a reason why most of them have standardized on Jabber for IMs: You can use third-party clients with a reasonable user interface without running into compatibility issues. Additionally, most people also know someone who doesn't use their IM of choice and don't want to have multiple IM clients open at the same time; thus good compatibility with third-party multi-protocol clients is kind of a big feature.

Of course this doesn't apply if everyone you know uses the same protocol already and they're all happy with their client's UI.

Re:It's the provider, stupid !

People before causes, bro.

I don't agree with this. At some point you have to stick to your principles.

I totally agree that the networking phenomenon makes it difficult it to use solid communication protocols, and you do have to think honestly about how the average person will react. I've gone back and forth over time over where to draw that line.

However, corporations and the government manipulate this to their benefit. It's precisely because of this "people before causes" idea that they pull this, because people aren't willing to say "hey, can you download this program to chat?" If they say no, they say no, but sometimes you have to try.

I'm not a conspiracy theorist, but I do have principles, and I don't see it as a bad thing to try to live by them when I can. That doesn't mean other people are bad, just that you have to chip away at things where you can. (In any event, any realist is necessarily a conspiracy theorist today in some way.)

I remember a time when people were willing to try different programs to communicate, and it was no big deal. It seems like over time, people have become more and more wedded to frameworks provided by big companies like Google, Microsoft, and Apple, rather than tools. A shift in mindset wouldn't necessarily be a bad thing.

Re:It's the provider, stupid !

[UltraZelda64]

Unfortunately, it:
1) Requires a Facebook account, and I would never trust that company enough to create an account there.
2) Is not really XMPP from what I understand, just an interface for compatibility purposes.
3) Does not support Federation with all the other XMPP servers out there.

But yeah--I agree that if you've already given your information to Facebook, then their "chat" service might not be too bad. Certainly it's got users out the ass.

Re:It's the provider, stupid !

[petermgreen]

No, they don't. Microsoft shut down Live Messenger in April. You're expected to use Skype instead.

So the news articles claimed but at least for me pidgin still seems to connect sucessfully to it and get the buddy list (though it's a while since i've actually tried to talk to anyone on it, been using irc more laterly)

Re:It's the provider, stupid !

[UltraZelda64]

They don't want to be lectured on the importance of openness

Which is why I'd go over the unique features above all else, and only briefly touch on the "openness" details... such as Federation and the freedom to even host your own server if you want. The way I see it, the "openness" (specifically, the Federation) is just a bonus.

at most they'll acknowledge it's a neat idea but in the end what they care about is: Does it work (reliably)? Does it have nice features (voice, video, and possibly file transfers and emoticons)? Can I use it across my devices? For example, Skype mostly fits the bill here.

Reliability--yeah, people care about that, but it's not something most people consider when choosing a service. Most people I know just get pissed when the service doesn't work, but as soon as it works again they forget all about it. Most services have adequate reliability these days for reliability, though. Voice and video? These are instant messaging clients--I've never seen someone that demanded these features. Most people can also live without emoticons, and I haven't transferred a file with anyone in decades...

I'll give you one downside: *nobody* outside of us techies has heard of XMPP. So *their* acquaintances are not on XMPP either and they would let you install that client only to chat with you.

Yeah, so? Unlike AOL, Microsoft, Yahoo! and the rest, the people behind free standards don't tend to have unlimited $$$ to force their creations down everyone's throat using every type of media available for the broadest reach, so you have to do a little bit of explaining yourself. The good thing is that it doesn't have to be pure bullshit and marketing drivel like you would see on TV and in magazines or hear on the radio, but instead the *real* facts and advantages of using the service.

Even for most of these other services, people don't typically choose them just because they're heavily advertised. They choose to use them through word of mouth and curiosity, and above everything else because that's where all the people they know are at. I know of NO ONE who uses Skype, one person who *has* a Google Talk account but doesn't use it (plus two people I "converted" a while back), and countless people who use text messaging and/or Facebook exclusively. I no longer no anyone who uses AIM, and it seems that everyone has ditched Yahoo!'s messenger service as well.

Re:It's the provider, stupid !

[UltraZelda64]

I no longer no anyone who uses AIM

WTF... did I seriously just type that? Wow, I really need to get new glasses... know, I obviously meant...
Where is the edit function when you need it?

Re:It's the provider, stupid !

[UltraZelda64]

I remember a time when people were willing to try different programs to communicate, and it was no big deal. It seems like over time, people have become more and more wedded to frameworks provided by big companies like Google, Microsoft, and Apple, rather than tools.

I noticed the same thing. I have also noticed that with the explosion of text messaging, people tend to just use that and avoid *anything* that requires any amount of setting up whatsoever. While people used to be more willing to change, it seems that these days they are far more resistant to stray from text messaging and Facebook. They tend to use the claims "I'm on Facebook" or "everyone I know is on Facebook," or for text messaging "I'm paying for it so I use it" or "I have unlimited text messaging."

Basically, people use what they pay for above something that is free and far superior in many ways, and of course they gravitate towards whatever service is "big" and "popular" at the time. Before Facebook, it was MySpace.

Also, it seems that while people used to primarily use desktop machines and be open to installing programs to achieve additional functionality, these days more and more they seem tied to their cell phone and highly resistant to installing anything new. It's literally like they're welcoming a walled garden and just take whatever the Master gives them, with no thought whatsoever about alternatives. Basically, they seem to be viewing their phone as a dumb device and not as a portable computer, and relying on it more and more--exclusively.

These are some sad, disturbing trends.

Re:It's the provider, stupid !

[hobarrera]

It's not a service, it's a standard being drafted by the IETF, which would allow any xmpp or sip server to federate to the other protocol.

Re:It's the provider, stupid !

[Jesus_666]

Might be that they kept the protocol alive for now. I can't really tell either given the fact that nobody I know uses the official client.

Re:Not for long.

[icebike]

I'm a SpiderOak paying customer, and while they do have zero knowledge storage, but they don't have a way to just fetch them when they are needed, say, to drcrypt an email. You have to copy those keys to your local device. I'd prefer not to store private keys on a portable and easily lost device.

IM itself has been overtaken

[Camael]

I think its fairer to say Trillian did not fail because of their own efforts, but because the whole Instant Messaging scene was overtaken by mobile. Trillian is not the only IM service hurting today. Users have been quitting ICQ, AIM, MSN and other services for a while now.

Most people if they want to broadcast would send out a tweet. If they want to message a smaller circle of friends, mobile apps such as Whatsapp, LINE, Kakao etc. work nicely.

If Trillian could figure out a way to tap into the networks of Whatsapp, LINE, Kakao, Viber, Wechat and other mobile messaging apps, there might be a niche for their product.

Re:Not for long.

[icebike]

Exchanging keys over the inernet?

Why would you do that?

Send me an encrypted email. My public key is easily found via my email address. You don't have to unconditionally trust my key, so don't give me the address and combination to your safe. But you can send me email and build a relationship

IMPP name already taken.

[Eravnrekaree]

The IMPP name has already been used by the IETF for its own standard IM protocol. Its really something that they would have accidentally chosen the same name of an already existing protocol.

Trillian - Digsby - Facebook

[DavidD_CA]

I was a huge proponent of Trillian (and a paying customer) for quite some time. I used it to connect my AIM, ICQ, MSN, and Yahoo accounts.

At about the time I ditched ICQ, it seemed that Trillian was getting bigger and more bloated with features I didn't care about, and had frequent connection problems. And so I tried Digsby and loved it.

Then I believe I got a new computer, and for about a week I forgot to install Disgby. Turned out that nearly everyone I wanted to chat with was either on Facebook or SMS, and so I gave up on Digsby.

It's been well over a near now, and all I use are Facebook and SMS, and occasionally Skype. I can't think of a single person I've lost contact with because of that change.

TLS

[Weezul]

TLS is useless against PRISM which simply takes records from the server.

You need end-to-end encryption like OTR over XMPP. Afaik all the good XMPP clients like Adium and Jitsi include OTR be default. Of course OTR does nothing against traffic analysis. Worse, OTR is not a mandatory part of the protocol.

TorChat is resistant to traffic analysis, but nobody uses it. Also, it's badly designed so that, if many people did use it, then it'd be hard on the Tor network.

Pond is a new attempt traffic analysis resistant messaging and email over Tor, but Pond is in pretty early stages of development.

that will help

[SkunkPussy]

Lets deal with protocol fragmentation by introducing another protocol.

Re:Not for long.

[Nerdfest]

Many devices support encryption, and it seems to be becoming more common. It takes a lot of the worry out of it.

Re:Warlock Books

[Threni]

My advice-learn English, especially if you're claiming to live in America.

Facebook uses XMPP

[mathew42]

I rarely login to facebook, but I do have pidgin connected via XMPP and that works fine for chatting with non-technical friends on facebook. Facebook switching to a private protocol would be a shame, but I'm not sure I would bother installing a separate client.

Re:I've uninstalled Skype, you should too

[Gr8Apes]

Skype was never end to end encryption - and servers kept logs, in plain text. Skype was the epitome of a useless shell of security, as has now clearly been proven by MS's admissions. And no back door was needed. MS itself was scanning Skype messages and testing URLs. Skype and "secure" can only occur in the same sentence with "is not".

TLS encryption is junk

[ickleberry]

Easy for the NSA to get a false cert from the CA

Self signed certs are worthless too. Most people will accept any ould cert without wondering why a new one was issued

Re: Not for long.

[icebike]

Do you have a single clue how Public Key encryption works do you?

Start here: http://computer.howstuffworks.com/encryption3.htm

Re:Not for long.

[MiG82au]

I didn't really understand it, but it looked like socialist millionaire's protocol used by OTR reveals man in the middle key fudging.

Re:Not for long.

[ttucker]

The Socialist Millionaire problem as applied to cryptography still requires a pre-shared key to be known by both parties. This is somewhat less onerous than verifying PGP key signatures in person, but still requires some form of secure key exchange and management. Supposing the man in the middle were able to acquire the shared secret, it would be possible for him to authenticate with both clients separately, then merely pipe un-encrypted data between the two encrypted channels.

If the protocol featuring this technique makes it appear as if a secure pre-shared key is not vital to the authentication process, then its users are victims of security theater.

Re:Not for long.

[MiG82au]

It's implemented using a question and answer that should be known only to the two participants. I don't know if that counts as secure to you.

Re:Not for long.

[ttucker]

It's implemented using a question and answer that should be known only to the two participants.

From a cryptographic standpoint, this information forms the key, and is subject to all of the paranoia of any other secret key. From a practical/stenographic standpoint, this sort of information is much easier to conceal from surveillance than exactly four thousand ninety six uuencoded bits, and is probably much less likely to be intercepted auto-magically.

I don't know if that counts as secure to you.

When the secret knowledge is known by both parties, but not the NSA, it is a secure methodology. That sort of secret knowledge seems to be a precious commodity these days though.

The trouble here, which prevents this from being a universal solution to the wiretapping middleman elimination problem, is that you absolutely must have shared secret information with the other person at least once, and that would presumably have to be offline these days.