New AIM Offering "end to end" Encryption

MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"

Gaim-E

[jonman_d]

Gaim already has such a project [sourceforge.net]. Anyone use it? I've tried it in the past, but couldn't get it to work.

Re:Gaim-E? gaim-encryption

[kfort]

I find gaim-encryption [sf.net] to be very well done. It works transparently, using variable key sizes, and uses a security model similar to that of ssh. Kirk

Re:Gaim-E

[waytoomuchcoffee]

Actually, AIM already had this since last year, for corporate users. Also, the Hushmail [hushmail.com] has been doing this for a while now too.

Trillian

[waspleg]

supports 128 bit encrypted messages between 2 trillian users, and it auto-establishes the session

it rocks in case you haven't heard of it

Re:Trillian

[gad_zuki!]

Also, I believe Trillian was the first IM to provide end to end encryption. Its been a long while since my sessions with other trillian users have been plain-text.

Its nice to see a big company embrace encryption like this. Sure, they could just be slightly paranoid about various AIM sniffers out ther, including their own. [washingtonpost.com] I guess that idea didn't go too far.

Actually, I'm not too surprised. In an electronic world full of plain-text mail, plain-text passwords, plain-text just about everything short of S

Start of something bigger?

[waytoomuchcoffee]

Why is this kick ass? Because of the following little gem on the on the beta description: "[m]essages sent between AIM members can be digitally encrypted and signed." This might be the first time a product for the masses will actually lead to people learning about digital signatures, and setting up their own. You can see where this is leading -- people will get interested, and start to look into encryption in general. This could be the start of mass acceptance of encrypted and signed email. I am tired of looking like a paranoid geek for signing my emails -- I do it for solidarity, and to raise the privacy/encryption consciousness of those getting my emails..

Re:Start of something bigger?

[SkArcher]

My main interest in digitally signing electronic messages is to stop pr0n-spam instant messages.

trillian

[Anonymous Coward]

Trillian offers secure instant messagin, given that both sides have it enabled, which is rare.

So that's what they did...

[Albanach]

with W.A.S.T.E. [slashdot.org]?

What a W.A.S.T.E

[nounderscores]

Now that the source is closed (and that they've definitely modified it to scale for so many users) we can be told that there's encryption at both ends, but can you trust them not to go sniffing in the middle?

____________________________________
The Spiders are coming. Episode 4: June 10,2003 [e-sheep.com]

Trillian...

[swtaarrs]

Trillian [trillian.cc] has had this feature for as long as I can remember using it.

Re:Trillian...

[eddy]

But Trillian is bloated flashy-ware, while Miranda [miranda-im.org] (nightlies here [sourceforge.net]) is slim and nice.

Encryption supported via SecureIM [miranda-im.org] (DH/KE + AES) or gnupg plugin [miranda-im.org]

Re:Trillian...

[ptbarnett]

Trillian has had this feature for as long as I can remember using it.

But, doesn't Trillian make the connection directly between the two clients, rather than sending it through the server?

It doesn't work well when either user has a firewall blocking incoming connections.

Trillian

[sahrss]

Trillian [trillian.cc] already supports 128 bit encryption over AIM and ICQ between Trillian users.

Re:Trillian

[dunham]

When I last checked Trillian negotiated its 128-bit blowfish encryption key via 128-bit DH key exchange, which is not very secure. (It's about as secure as using a 128-bit RSA key.)

Re:Trillian

[dunham]

Yeah, I got the 128-bit blowfish part from their web page. This would be fairly secure encyption, but their protocol weakens it by using 128-bit diffie-hellman (DH). Currently, the discrete log problem is about the same complexity as the factoring problem, for which conservative people recommend 1024 bits or better. (And never less than 512 bits.)

I determined that they used 128-bit DH from packet dumps. The DH negotiation is done in hex characters in the first few messages between the users. (Later, th

Re:Trillian

[apankrat]

However it is vulnerable to man-in-the-middle attacks, which renders it pretty much useless as a mean of any serious protection. The reason Trillian supports it only for ICQ/AIM is because the protocol allows announcing extra client 'capabilities'. Trillian messenger uses this feature to notify peers that they are capable of 'trillian encryption'. Note that this is done via AOL servers, which may at some point decide not to propagate this 'unauthorized' capability and Trillian's encryption will suddenly sto

Locking out clients?

[mkro]

Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?

Re:Locking out clients?

[s10god]

Now there is an underhanded method Trillian connot fight... Use special new encryption and claim DMCA protction. ... And AOL is enough of a bunch of bastards to do just that.

Re:Locking out clients?

[jaavaaguru]

If that happens, why not use something better such as Jabber [jabber.org] then?

Re:Locking out clients?

[Hanji]

Because as nice as Jabber may or may not be theoretically for whatever reasons (I don't know anything about it), AIM has one BIG advantage: EVERYONE USES IT. And if you try to get people to switch to a Jabber network from AIM, explaining that it's "open," you'll just get blank stares, and comments that "but all my friends use AIM!"

Technical superiority does not ensure success, unfortunately.

Re:Locking out clients?

[Anonymous Coward]

If they wanted to lock out clients, they probably wouldn't have written a plaintext protocol [carleton.edu] and released it under the GPL.

Re:Locking out clients?

[csnydermvpsoft]

Lots of OS clients, such as GAIM, use the Oscar protocol.

Re:Locking out clients?

[MankyD]

I suppose they'll have to give more details about the encryption methods used. But not every conversation is encrypted. You have to install a certificate (as does your counterpart) before the encryption goes into effect.

Re:Locking out clients?

[anthony_dipierro]

Not if it's end-to-end encryption, which is the only kind that's useful anyway.

What about Trillian

[Tensor]

Trillian has had SecureIM over the ICQ protocol for AGES.

I never realized that would make it an illegal product to use in some states :)

AOL using encryption

[PirateDave -)]

It already is encrypted, isn't it?

foxy28uk192323342 says: h1 asl lol
brandon343jfdh says: lol brb fs

Maybe I'm just cynical :/

Why?

[Tyrdium]

I don't know about other people, but my conversations on AIM usually go like this: Me: Hey Other guy: Hey Me: Anything interesting happening? Other guy: Not much. You? Me: Not much. Hey, wanna play Starcraft? Other guy: Sure. See you on in a few minutes. Usual channel. Me: Okay. See you there. Frankly, I couldn't care less whether or not anyone else was reading that, and I bet a lot of people feel the same way. It's a nice feature, sure, but it's not the most needed...

Re:Why?

[Lemuel]

That's pretty much how my personal usage goes, too. At work, though, we are loath to send company business over the wire in plain text, so this feature could be useful for businesses.

Re:Why?

[kalidasa]

I have some pretty long and complex conversations over ICQ. So I'd say your mileage may vary.

Re:Why?

[sahrss]

Some users (like me) have fairly serious or business conversations over these chat networks. Using unsecure chat is like speaking in a room with hidden nooks and cracks in the walls leading to other rooms; anyone can sniff an unsecure chat.

I much prefer conducting my semi-private conversations in a high tower with thick walls, where strangers cannot overhear them.

Trillian [trillian.cc] is what I use right now to allow this, but it only works with Trillian users, not normal AIM users. It would be nice if AIM made their encryption scheme usable by other clients...although I agree with other posters that it may just be a plan to keep other clients off the network.

Re:Why?

[secolactico]

It would be nice if AIM made their encryption scheme usable by other clients...

Well, maybe not other AIM clients (eg trillian), but remember that the deal with MS will allow the IMs to interact? It's a reasonably safe bet that MSN messenger will be able to exchange secure messages with AIM.

Re:Why?

[carpe_noctem]

Even if you're talking about the most banal things in the world, using encryption is still necessary in an insecure world. Even though each conversation you have may be insignificant on its own, the sum of all conversations you have may provide enough information about your life to put you at risk.

Re:Why?

[Lord Ender]

Yes, well, I have used a packet sniffer (ethereal) to see what my roommate was saying about me behind my back over AIM. It would suck to lose this power. Of course, it sucks that he could do it to me, but luckily, he is too damn dumb.

Little late....

[jr87]

I think AOL is putting this out way too late. Other messanger servieces such as Gaim [slashdot.org] and Trillian have had encryption in for a while now. These services also have a lot of other features that make them superiour to the aim client. Why get AIM?

sure hope Apple adds this to iChat

[SweetAndSourJesus]

Since iChat is one of the few "authorized" AIM clients, maybe it will get access to this.

Re:sure hope Apple adds this to iChat

[bedouin]

Actually, there's something I'm more interested in. Since MSN and AIM are supposedly going to merge, would that mean I could dump M$'s messenger client in OS X, and just use iChat? Unfortunately all my friends are on MSN . . .

And you trust them?

[cperciva]

Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:And you trust them?

[The Lynxpro]

I trust AOL Time Warner far more than I do Microsoft. It was Warner Communications that funded Atari's rise...hence the prominence of video games in entertainment value today. Time Warner spent a fortune developing DVD and fought off Circuit City's attempts to corrupt the format. When was the last time a DVD crashed on you? AOL has funded Linux start-ups, spent resources on the development of the Mozilla web browser, funded TiVo and Palm, not to mention bringing email and internet access to the masses.

Re:And you trust them?

[Traa]

Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them

The alternative being that you don't encrypt your AIM messages and leave your 'secret-chat-sessions' visible for everyone.

What do you really have to hide from the governament?

Do you simply not trust your governament to recognize that your harmless chat wasn't a

Re:And you trust them?

[kaltkalt]

Yep, would be very Unamerican for them to not give ashcroft the keys in escrow. If they didn't do that, they'd be with bin laden.

Really makes me wonder

[ONU CS Geek]

If AOL has any ties to Verisign, et al.? If it's using PKI (which it says it is), and the "About AIM Personal Certificates" page (Link Here) [aim.com] says it is (which really doesn't go into how they're implemented, or how you can get a certificate), who's to say that they're not going to charge you for getting a certificate? Yahoo integrated encryption in their Yahoo Messenger Enterprise, and other companies have done this in the past (I believe that even ICQ had a version of their server up so that companies could set their own ICQ servers up).

I honestly think it's all about the Money for AOL, and it's going to be prohibitive for Joe Sixpack to get this to work.

we await silent tristero's empire

[discogravy]

would this be why W.A.S.T.E. was killed? I would guess so. Or...is this AOL's co-opting of WASTE itself? have they just taken the GPL code that was posted for that one day and slapped AIM on it?

Re:we await silent tristero's empire

[nounderscores]

and if so, can the FSF or Nullsoft or somesuch do a reverse SCO and sue for breach of licence?

_____________________________________
The Spiders are Coming. Episode 4: June 10,2003 [e-sheep.com]

I don't believe it.

[TerryAtWork]

If it isn't completely open source then they are running a man in the middle scam and recording the entire encrypted session in the clear.

All for our own protection, of course....

Woh! Go AOL!

[Com2Kid]

Freaky to think that AOL is actually, you know, aiding freedom of speech, rather than restricting it through their idiotic TOS.

(I left AOL a looong long time ago when they started censoring their joke sites, bleck!)

Hmm, next thing you know, Time Warner will be offering streaming movies up online with a pay-per-view system in place!

Actually not all that unbelievable, with the cost of computers being so low, maybe the "net convergence" of TV and the Internet COULD come true, daring technology for once bein

Here's how to get a free key

[Anonymous Coward]

Go to Thawte [thawte.com], get their Free Personal Email Certificate [thawte.com] for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.

Re:Here's how to get a free key

[Animats]

Yeah, right. Provide your name, address, date of birth, and social security number, and you get a key.

Thawte originally promised to move the database outside of the US if the US ceased to have adequate privacy protections in law. After the Patriot Act, they should have done so, but they didn't. Thawte today is just a front for Verisign, which, among other things, operates a national wiretapping service for law enforcement and others. [verisign.com]

• Stepped-up concern over security has put the heat on carriers to ensure they can meet mandates under the FCC's 1994 Communications Assistance for Law Enforcement Act (CALEA), requiring telecom service providers to support the ability of law enforcement agencies to conduct lawful, authorized electronic surveillance of call content and call data.

  ... One company, VeriSign Inc., offers a one- stop, turnkey solution to help telecom carriers comply with CALEA.

  VeriSign's nationwide signaling network infrastructure, digital certificate technology and secure data centers enable it to provide a scaleable service bureau solution that saves carriers significant capital expense and virtually eliminates administration costs involved in meeting the legal, technical and operational requirements of CALEA.

  Using Verint Systems Inc.'s STAR-GATE, a solution that provides the means to access and deliver intercepted communications content and call data to law enforcement agencies, VeriSign offers a streamlined solution that meets the needs of wireline, wireless and cable telephony carriers. Puri explains that once contracted by the carrier, VeriSign becomes the primary point of contact for law enforcement. "Once we receive the order ... it's completely hands off for the carrier."

  Among the orders NetDiscovery processes are historical call records, pen registers or trap and trace (real-time call data as it occurs), as well as wire taps from both law enforcement and national security agencies. The company's personnel are set up to handle classified orders, having attained the appropriate government security clearances, Puri says.

  In addition to eliminating a carrier's need to maintain such personnel, NetDiscovery also eliminates the need to connect to the thousands of agencies with authority to request information.

  The solution supports circuit switches and beginning this quarter it will support packet-based gear, such as soft switches. The company is working with Cisco Systems Inc. to support its soft switches, routers and gateways. ...

  In addition to Cisco, VeriSign is working with four other "market-leading" vendors to ensure support for their packet-based offerings, it says. ...

  "Almost every provider has some sort of packet-based hardware, so support for packet under CALEA is critical. It cuts across all types of carriers from wireline to wireless to cable MSOs," he says.

  The company is looking also at solutions for ISPs and their gear (routers, gateways, etc.) although they are not included under CALEA, Puri adds.

Verisign just had a session on wiretapping for ISPs at Supercomm. Basically, Verisign runs the US's wiretapping infrastructure. They thus can't be trusted as a security provider.

Re:Here's how to get a free key

[MrBlue VT]

Sure. I used the CA.pl script to do it. The man page is located at http://www.openssl.org/docs/apps/CA.pl.html [openssl.org]. Here are the commands I used (make sure to have the openssl binary in your path):

/usr/local/ssl/misc/CA.pl -newca
/usr/local/ssl/misc/CA.pl -newreq
/usr/local/ssl/misc/CA.pl -signreq
/usr/local/ssl/misc/CA.pl -pkcs12

Just follow the prompts and it should generate a .p12 certificate, which you can then import into AIM.

Hope this helps.

Wouldn't be this illegal under the PATRIOT act ?

[Krapangor]

Combined with PDAs/laptops and WLAN access, terrorists could savely use this to coordinate terroristic attacks, especially Al-Kadia's evergreen of equitemporal suidice attacks on free people.
The mighty PATRIOT act should prohibit such devices, won't it ?
I'm not sure if this would be really a bad thing. Dangerous tools are restricted very often to protect people, even if the are many good/peaceful uses.
Take e.g. guns which are restricted in many countries of the world due to their bad possibilities.

Re:Wouldn't be this illegal under the PATRIOT act

[KrispyKringle]

Just because you think it should be does not mean it is illegal under the PATRIOT Act.

The PATRIOT Act, as far as I know, does not ban any sort of encrypted communication; the Supreme Court has ruled, if I'm not mistaken, that private and anonymous speech is a fundamental component of the First Amendment right to free speech.

Furthermore, this is truly not different from encrypted e-mail or anything else, which, as a prior poster pointed out, was not used by any of the September 11 terrorists.

Guns are r

Well, it's a start

[randombit]

Realistically, replacing a protocol that uses plaintext with one that uses crypto is good. But I wouldn't trust encrypted AIM for planning any revolutions, folks. To quote one of the linked pages:

"AIM encryption goes beyond basic Secure Socket Layers (SSL) encryption" and "Although SSL is widely used, it does not provide the best security over a Public Instant Messaging network."

This is a big WARNING SIGN, especially considering that a) they provide zero details about what they are using (big no-no in the first place), and b) WASTE, the only other AOLish crypto I've taken a look at, had some fairly serious problems (this was not just my asessment - check the cryptography@metzdowd.com archives for a rundown). This is not exactly confidence inspiring.

Lastly, are they seriously suggesting rolling out a full PKI for all AIM users? Again, details are light so I'm not sure this is what they mean, but it does seem to be implied. If so, someone needs to inform them of the harsh realities of PKI. Certs for AOL users wouldn't be too hard, since they already have addresses, CC #s, etc to let them (at least with reasonable probability) check on people's identity. But everybody else - forget it.

SecureIM

[ElOttoGrande]

SecureIM [vonnieda.org] has been around for a while now. It basically acts as a proxy and you set your Aim to connect through it. Inside the proxy it encrypts everything with 256bit blowfish, then on the receiver's end reverses the process. The result is transparent encryption with the standard Aim client.

It's easy to install but since both parties need to have it running can be tricky trying to get non-geeks to understand why they should install it.

I used it for a while with the few(2) friends I could convince to run it but then kind of forgot about it...

feh.

[ErikZ]

What I REALLY want is AIM to automatically log all conversations. Like ICQ and IRC. Having to save to a chat file and come up with a name for the file every time is a step backwards.

Re:feh.

[SlashChick]

"What I REALLY want is AIM to automatically log all conversations..."

Er, Trillian [trillian.cc] does this. It also supports the ICQ and IRC protocols, though its IRC support is limited. (AIM, ICQ, MSN, and Yahoo support all work great out of the box.)

You can also use Trillian's built-in 128-bit encryption (as several others have pointed out.)

To add my own specific little plug for Trillian, I like that I can have three AIM accounts signed on at one time (and pick which one I want to use to send messages to others.) Th

Re:feh.

[dpete4552]

It's also noteable to mention that Trillian is closed source, and the cooler features aren't even free as in beer (e.g. Trillian "Pro"). Gaim supports Windows, and Linux out of the box, and every feature is both free as in beer and speech (including plugins). And I to can connect to multiple screen names of any medium and choose which to use to send messages to people with. Gaim also natively supports not only AIM, ICQ, MSN, IRC, and Yahoo, but Jabber as well, something the Trillian developers refuse to na

Re:feh.

[generic-man]

AIM+ [big-o-software.com] piggybacks onto the official AIM client, offering features like ad removal, automatic logging, and cloning (run two AIM processes at the same time). I use it with AIM 4.x, and all the other features in the official client work just fine.

Dead AIM

[prestomation]

DeadAIM does it. It's like AIM+ in that it latches on to the regular aim client. There's other nice features, tabbed messenger windows, cloning so you can run more then one s/n at once. Stuff like that

GPG plugin for Licq

[caluml]

I would like to see a GPG plugin for Licq. Some kind of ICQ user ID to GPG key id mapping file, so that I could say 12098242 = 0xe66d4af, and all communication from then on to that user would automatically be encrypted to that key. I know it has SSL encryption built in, but that doesn't work if you're both behind firewalls.
I started to try and work on it, but it was too tricky. Anyone interested in helping out?

The usefullness of this

[iamdrscience]

For some reason a couple people have posted so far questioning the usefullness of this. I've used Trillian's SecureIM encryption a number of times and I'll try to give an example of a situation where encrypted IM was useful.

I needed a root password from my brother, we were both running Trillian so we just turned on SecureIM and he gave it to me. This was far easier than any other encrypted messaging we could have done. We've traded passwords a couple other times the same way.

Re:The usefullness of this

[Realistic_Dragon]

I'm a little bit more paranoid than that - I wrote a one time pad encoder/decoder and swap floppy disks full of randomly generated pads (say hellooooo WinTV card - ideal for picking up random noise).

This is considerably more secure than public key or even symetric encryption as there is no possible way to reconstruct the message without the key, which is scrubbed by the app off both disks as the message is converted. (The encoder chooses the next coherent free block of random numbers to encode with.) As lo

Only businesses can use this feature

[Animats]

From the press release:

• Security credentials that enable these capabilities â" Personal Digital Certificates â" are an optional service available to enterprises as part of the Enterprise AIM Services offering.

That is so Bush Administration.

This makes business sense.

[acherrington]

Here is how I see it, there is a lot of push from AOL-TW executives to turn this product, with a large user base, into a real cashcow. The only way that it is doable is by pushing the product into the corporate areana. The AOL-TW execs would like to push all of the infrastructure and software completely into a corporation, same as a mail system (like exchange server, and outlook on the desk). Many businesses were reluctant because it didn't offer the very basics of security. While general users don't care about this, try selling this to a CIO who has had security pounded into their head over the last two years. What question is he/she going to ask, "Would you mind telling me about security for your product?" So when they give this out to you, the public... it's just a mass test, so they can start doing corporate sales. Just my thoughts....

geeze

[nomadic]

Get over yourself. Nobody's going to read your AIM conversations. Nobody cares. You're not that interesting.

Hell, the person you're AIMing probably doesn't want to read your messages either.

It's For Business Use

[Random Truth]

Companies are starting to buy IM not only for internal communications, but for fast and cheap communications with customers, such as for customer service or alerts. With encryption, a broker can comfortably talk to clients about stock trades over IM.

BTW - GAIM and Trillian might have it as well, but they illegally draft off the big 3 networks (they have no license to tap in), so expect them to be under some serious pressure now that money is starting to flow to the big 3 for enterprise-class IM.

Re:It's For Business Use

[joshki]

but they illegally draft off the big 3 networks

Care to explain why it's illegal?
Why should they have to have a license to connect to a public server?

Jabber has PGP-support

[Anonymous Coward]

The Jabber [jabber.org] protocol has supported PGP for a while, and quite a few clients support it. It's used both for end-to-end encryption and for signing both your presence and messages. I'm running a development version of Psi [affinix.com] with GPG currently.

Re:Jabber has PGP-support

[hey]

Also Jabber supports SSL connections to the server.
Which isn't end-to-end but doesn't hurt.

Wrong market

[Anonymous Coward]

I'm sure CuDdLES49128 and her 12 year-old friends were behind this 'innovative' feature.

I mean, honestly, most of AIM users don't even know what encryption is, much less think they need it.

Well, it could have advantages...

[Anonymous Coward]

I'm sure CuDdLES49128 and her 12 year-old friends were behind this 'innovative' feature.

Look on the bright side, though... When you try to pick up CuDdLES49128 for a date and she turns out to be Special Agent Bob Flannigan, you can avoid charges by accusing the FBI of circumventing your digital protection device!

Soon, "pleading the DMCA" will be as common as "pleading the 5th" ;)

AOL's choice encryption algorithm?

[carpe_noctem]

Pna nalbar fnl ebg13?

GPG

[krokodil]

I am using Fire (MacOS X multi-protocol IM client) and it has GPG encryption for long time.

The way they done it, it is quite easy to make it work with other IM clients: they just use GPG to sign/encrypt each message and then send it plain text in ASCII armor. The client on other side can detect such messages and decode them.

No protocol extensions required. I wish somebody address support for such mechanism in standard Yahoo and ICQ clients and other clients.

I guess if more open source IM clients will support it, it could become de-facto IM encryption
standard...

I use IM a lot for work and some information I exchange there could considered business secrets.

Re:GPG

[gbooker]

As a Fire developer myself, I thought that I could contribute a little more to this. We have started to participate in a discussion on the best way to do encryption over IM protocols. This discussion can be found here: http://www.chat.solidhouse.com/smsn/ [solidhouse.com]. The GAIM-E author has even contributed to this discussion.

Also, we have drastically improved the way that the GPG encryption is handled. It now works on more protocols and will be more consistent. My favorite is that we now correctly recognize a gpg installed by fink.

Here is how I invision this in the end. Assuming that AOL didn't use PGP (or GPG), then we (OS Client Authors) should try to support their protocol, along with PGP (or GPG) which would be considered more secure.

Glad to run across another satisfied Fire user.

are they then using waste?

[linuxislandsucks]

Ars they then using Waste as the basis of the implementation?

Setting the record straight ..

[the_dreadnought]

Many of these replies are misleading or totally incorrect.

Trillian does *NOT* do the "same thing" .. This AOL beta, in addition to encryption using a certificate, is signing based on the certificate. Trillian does not have an option (as far as I can tell from the free version) to use certificates and/or sign messages.

Also, you do not need "Enterprise" services to use this functionality. I just tested it, and it works fine with the free client. Just get a free Thawte certificate, import it, and begin IM

This is good for business

[Punk Walrus]

We use AIM extensively at work, and we have a rule that no security information, like server IPs, mapped drives, proprietary info, or passswords of any kind are allowed to be used on an open-end IM or non-ecryoted e-mail. Often, we send half-and-half:

IM > See e-mail on the usual server. Password is "Fn68bX4" and the IP is 10.4+
E-mail> The IP to login to is +.10.120, and add "g6h0" to the password.

But really, often we just go to the office and tell them.

__________________________________

Free software ahead of the game

[debrain]

This is an example of where free software is certainly ahead of the commercial equivalents. Both Kopete [kde.org] and Gaim have had options to encrypt using PGP for quite some time. (Gaim for significantly longer, iirc)

By delegating the authentication and validation to PGP, they are potentially as-secure-as PGP. By doing in-house certification, ala. Trillian & AIM, the identification and encryption is an internal mechanism, and I would argue (successfully) that it is more difficult to prove its potential to be secure.

Not only does open source appear to have the feature first, it seems to do it provably better.

PGP

[robertchin]

They should really just allow you to import your PGP key, and then all of you messages will be encrypted if the other user also has their PGP key imported. Plus, when using the direct connect aim feature, you could actually verify the authenticity of the remote person...

Re:Thank god

[swtaarrs]

AIM is very insecure by nature. I downloaded Ethereal [sourceforge.net], a packet sniffer, and it has built in filters for extracting AIM messages out of the packets AIM sends. So anyone with a packet sniffer program and half a brain can easily eavesdrop on your conversation. And under the PATRIOT act, the US government can do this any time they want... ugh

Re:Thank god

[krisp]

iChat, which connects to AOL instant messager service, uses SSL to encrypt my end to the server. You can't sniff what i'm sending, and if the receipent is using SSL also, you can't sniff what she's reveiving, unless you are on AOL's server, or somewhere inbetween AOL servers where the message might be routed in plain text,.

Re:Thank god

[carpe_noctem]

That's pretty cool. It's a shame that iChat looks like something my cat coughed up, or else I'd be tempted to use it on my Mac instead of gaim.

Re:Thank bob

[davesag]

Try using Fire [sourceforge.net] then, it has built in support for GPG [sourceforge.net] to provide end to end encryption - works a treat, supports all the major IM protocols, and is developed under the GPL for those of you that care about such things.

Re:Thank bob

[carpe_noctem]

Actually, I did try Fire, and I was pretty impressed with the GUI, but it kept crashing, so I figure I'll check it out again in 6 months or so. ;)

The next step...

[yintercept]

...is to for someone somewhere to actually write something in AIM that is worthwhile to encrypt.

Personally, I think the original security of instant messaging was sufficient...that is, there is so much white noise, that the data stream just isn't worth tapping into.

Re:The next step...

[jellomizer]

Well IM is starting to become the most common form of electronic communication and it is generally taking the place of E-Mail for a lot of situations. Although most of the time now it is for personal communication. But IM can have more business application which needs encryption for Business to Business communication (to prevent corporate espionage) and also to do business over IM, such as customer support or placing an order over IM (say for some custom orders that normally have to be over the phone) so encryption is very important for IM. And it is worth it.

Re:The next step...

[orangesquid]

PotatoBob: Hey, can I place an order
AcmeCoSales: Of course. To where is this being shipped?
PotatoBob: 17 Applebrook Lane, Milwaukee
AcmeCoSales: What is your order?
PotatoBob: One Potato Gun, model XM-4201B
AcmeCoSales: Is that everything?
PotatoBob: Yes
AcmeCoSales: Your total is $134.99
PotatoBob: That can't be right.
AcmeCoSales: It is correct. That is the price in our catalog.
PotatoBob: No, it's not.
AcmeCoSales: Yes, it is.
*** You have warned user AcmeCoSales. His/her warning level is now 20%
*** You have warned user AcmeCoSales. His/her warning level is now 40%
*** You have warned user AcmeCoSales. His/her warning level is now 60%
*** You have warned user AcmeCoSales. His/her warning level is now 80%
*** You have warned user AcmeCoSales. His/her warning level is now 100%
*** User AcmeCoSales has Signed Off.

I sure as hell don't.

[SHEENmaster]

1 Sharp zaurus
+
1 copy of kismet
==
1 transcription of the entire chat session

Any decent packet sniffer will reveal all that is said. I suspect that they are offering this not to make it safer or get more subscribers, but rather to cover up certain activity.

AOL's servers record chat sessions of members, I'm not certain as to whether or not they do it for non-members. The point is that anyone over there with the requisite access rights can spy on these things. End-to-end encryption will not be default, might require a subscription charge, and might mean end-to-end(AOL)-to-end.

Forgive my pessimism, but I don't trust AOL in any situation. They screw over their members, they screw over those of us with smaller servers, they screw over friends of members. I think they are realizing that they cannot mainttain their current empire in the face of broadband, this may just be a feeble attempt to profit from their other markets. Subscription Netscape anyone?

Re:Hmm..

[abdulwahid]

I have been using Gabber [sourceforge.net] a Gnome Jabber client with its gpg support for sometime. I have quite a few people on my roaster who I can speak to with that extra level of privacy.

I think that case for privacy is strong. I don't like thinking that my personal conversations go in plain text across peoples' coporate networks. I have nothing to hide. What I say though is still private.

Many people don't see it as being an important issue but then would they send all their snail mail by postcard? I think the reason

Re:Hmm..

[ptbarnett]

Some(?) Jabber servers and clients also support SSL. You don't have the "signing" capabilities to verify a user's identity, but it would at least discourage monitoring by a third party, as long as you controlled the server.

I've toyed with setting up a Jabber server for my company and switching all our users (spread among MSN, Yahoo, and AIM) to it, so that it would be secure. But so far, no one seems to be concerned about the insecurity.

Re:Hmm..

[yppiz]

people on my roaster who I can speak to with that extra level of privacy.

HannibalLecter: With some fava beans and a nice chianti.

--Pat

Re:Hmm..

[ruronikenshin83]

Hell yes. My privacy is so important as to accomodate drug dealers and terrorists.

Why is that? Because when you exclude certain people from the basic privleges and rights afforded them by our Constitution, you open up a big 'ol can of worms.

Exclusion becomes a stepping stone on the road to complete disregard for those privileges and rights.

As Benjamin Franklin once said "Those who give away a little freedom for a little safety deserve neither freedom nor safety."

It's good for business

[drig]

I've found that business groups could really use instant messaging, but don't want to broadcast their IP over the net without some sort of protection. I think it's a better idea to run the IM server locally, but AIM requires no setup and has very nice clients. I can see, for instance, a sales team talking with the engineers using encrypted AIM.

Re:It's good for business

[CausticWindow]

That "Your computer is broadcasting an IP" thing is a hoax.

I know for a fact that all packets (benign or otherwise) have your IP in them.

Re:Hmm..

[stevejsmith]

Yeah...you know, maybe some alcohol and girls would be very useful for you. You know, so that you don't spend all of your time snooping your room mate's packets.

Re:Necessary?

[spazoid12]

The kind of person that wants to believe that his/her AIM conversations are now secure, from say...his/her employer.

But, I think AOL just wants less competition in the field of software sold to employers [washingtonpost.com].

How long until someone says AOL is enabling terrorists? Maybe a long time...maybe the encryption used is pretty weak.

Or, I wonder if AOL has a new office in Anguilla.

Re:Necessary?

[anthony_dipierro]

Are you kidding me? Haven't you ever sent passwords over AIM? Haven't you ever talked about last night's drug use?

Umm, neither have I. Drugs are bad, mmmkay?

Re:Size of Key?

[dknj]

So, how is AIM going to sell their Enterprise AIM Services [aim.com]? Something doesn't smell right

-dk

Re:Licq can do SSL

[caluml]

Only works if you can establish a TCP connection to one or the other of the parties direct.

Also, how do you know there isn't a MITM attack going on. GPG plugin for Licq, I say. (And to all the others - don't go on about Trillian. Some of us only use Linux here.)

Re:Key storage

[slashkitty]

it's out, download and look at the program. You need to have a personal certificate for this to work. It doesn't currently offer the creation of this cert within aim, I imagine this would be provided only by the enterprise version of aim. You can however go and create a personal cert. somewhere else and import it. It will ask for the cert password everytime you start up AIM. It puts a lock beside your screenname, then, automatically when two people with the capability talk to each other, it moves up to