America Online Encryption Security

New AIM Offering "end to end" Encryption 329

MankyD writes "The current AIM beta is now offering message encryption. They don't offer a lot of details but it's nice to see they are offering some extra privacy. Will the new AIM be illegal in Michigan?"
  • Gaim-E (Score:5, Informative)

    by jonman_d ( 465049 ) <nemilar@optonl i n e . n et> on Sunday June 08, 2003 @12:12PM (#6143802) Homepage Journal
    Gaim already has such a project [sourceforge.net]. Anyone use it? I've tried it in the past, but couldn't get it to work.
    • by kfort ( 1132 ) on Sunday June 08, 2003 @12:19PM (#6143864)

      I find gaim-encryption [sf.net] to be very well done. It works transparently, using variable key sizes, and uses a security model similar to that of ssh. Kirk

    • Actually, AIM already had this since last year, for corporate users. Also, the Hushmail [hushmail.com] has been doing this for a while now too.
    • Trillian (Score:3, Informative)

      by waspleg ( 316038 )
      supports 128 bit encrypted messages between 2 trillian users, and it auto-establishes the session

      it rocks in case you haven't heard of it

      • Re:Trillian (Score:3, Interesting)

        by gad_zuki! ( 70830 ) *
        Also, I believe Trillian was the first IM to provide end to end encryption. It's been a long while since my sessions with other trillian users have been plain-text.

        It's nice to see a big company embrace encryption like this. Sure, they could just be slightly paranoid about various AIM sniffers out there, including their own. [washingtonpost.com] I guess that idea didn't go too far.

        Actually, I'm not too surprised. In an electronic world full of plain-text mail, plain-text passwords, plain-text just about everything short of S
  • by waytoomuchcoffee ( 263275 ) * on Sunday June 08, 2003 @12:15PM (#6143825)
    Why is this kick ass? Because of the following little gem on the beta description: "[m]essages sent between AIM members can be digitally encrypted and signed." This might be the first time a product for the masses will actually lead to people learning about digital signatures, and setting up their own. You can see where this is leading -- people will get interested, and start to look into encryption in general. This could be the start of mass acceptance of encrypted and signed email. I am tired of looking like a paranoid geek for signing my emails -- I do it for solidarity, and to raise the privacy/encryption consciousness of those getting my emails.
  • trillian (Score:3, Informative)

    by Anonymous Coward on Sunday June 08, 2003 @12:15PM (#6143830)
    Trillian offers secure instant messaging, given that both sides have it enabled, which is rare.
  • by Albanach ( 527650 ) on Sunday June 08, 2003 @12:15PM (#6143832) Homepage
    with W.A.S.T.E. [slashdot.org]?
  • Trillian... (Score:5, Informative)

    by swtaarrs ( 640506 ) <swtaarrs@NosPAm.comcast.net> on Sunday June 08, 2003 @12:16PM (#6143835)
    Trillian [trillian.cc] has had this feature for as long as I can remember using it.
  • Trillian (Score:5, Informative)

    by sahrss ( 565657 ) on Sunday June 08, 2003 @12:16PM (#6143840)
    Trillian [trillian.cc] already supports 128 bit encryption over AIM and ICQ between Trillian users.
    • Re:Trillian (Score:5, Informative)

      by dunham ( 35989 ) on Sunday June 08, 2003 @12:24PM (#6143905) Homepage
      When I last checked Trillian negotiated its 128-bit blowfish encryption key via 128-bit DH key exchange, which is not very secure. (It's about as secure as using a 128-bit RSA key.)
    • Re:Trillian (Score:3, Insightful)

      by apankrat ( 314147 )
      However it is vulnerable to man-in-the-middle attacks, which renders it pretty much useless as a means of any serious protection. The reason Trillian supports it only for ICQ/AIM is because the protocol allows announcing extra client 'capabilities'. Trillian messenger uses this feature to notify peers that they are capable of 'trillian encryption'. Note that this is done via AOL servers, which may at some point decide not to propagate this 'unauthorized' capability and Trillian's encryption will suddenly sto
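The two points raised in this sub-thread and in kfort's comment above (an unauthenticated key exchange cannot tell the peer from whoever relays the keys, and an ssh-style pinned key can), as an added example that is not part of the original thread and is not Trillian's or gaim-encryption's actual protocol. The group parameters, the `Party` and `Relay` classes and the static-key handshake are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption): 2**127 - 1 is prime, but a ~128-bit modulus is
# the size criticised in the thread. Illustration only, never for real traffic.
P = 2**127 - 1
G = 3

def fingerprint(value: int) -> str:
    """Short hex digest a human can compare, like an ssh host-key fingerprint."""
    return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()[:16]

class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 3) + 2   # long-term private key
        self.pub = pow(G, self.priv, P)            # long-term public key
        self.pins = {}                             # peer name -> pinned fingerprint

    def check_pin(self, peer_name, peer_pub):
        """Trust on first use, then flag any change (the known_hosts model)."""
        fp = fingerprint(peer_pub)
        if peer_name not in self.pins:
            self.pins[peer_name] = fp
            return "pinned-on-first-use"
        return "match" if self.pins[peer_name] == fp else "KEY-CHANGED"

    def session_fingerprint(self, peer_pub):
        """Fingerprint of the DH shared secret, for out-of-band comparison."""
        return fingerprint(pow(peer_pub, self.priv, P))

class Relay:
    """Constructed stand-in for the server path that carries the public keys."""
    def __init__(self, substitute=False):
        self.substitute = substitute
        self.pub = pow(G, secrets.randbelow(P - 3) + 2, P)

    def deliver(self, pub):
        # A substituting relay hands each side its own key instead of the peer's.
        return self.pub if self.substitute else pub

def handshake(alice, bob, relay):
    """Run one key exchange through the relay and report what each side can see."""
    pub_seen_by_bob = relay.deliver(alice.pub)
    pub_seen_by_alice = relay.deliver(bob.pub)
    return {
        "alice_pin": alice.check_pin(bob.name, pub_seen_by_alice),
        "bob_pin": bob.check_pin(alice.name, pub_seen_by_bob),
        "fingerprints_agree": alice.session_fingerprint(pub_seen_by_alice)
                              == bob.session_fingerprint(pub_seen_by_bob),
    }

def demo():
    alice, bob = Party("alice"), Party("bob")
    first = handshake(alice, bob, Relay())                  # clean first contact
    later = handshake(alice, bob, Relay(substitute=True))   # keys swapped later
    # TOFU caveat: if the very first contact is already tampered with, the wrong
    # key gets pinned and only the out-of-band comparison shows the problem.
    carol, dave = Party("carol"), Party("dave")
    tampered_first = handshake(carol, dave, Relay(substitute=True))
    return first, later, tampered_first

if __name__ == "__main__":
    labels = ("first contact", "later session", "tampered first contact")
    for label, result in zip(labels, demo()):
        print(label, result)
```

Pinning only catches a key that changes after the first contact; when the first exchange itself is altered, the two session fingerprints still disagree, which is why they have to be compared over a channel the relay does not control.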
  • Locking out clients? (Score:5, Interesting)

    by mkro ( 644055 ) on Sunday June 08, 2003 @12:16PM (#6143843)
    Will they finally be able to make AIM incompatible with unauthorized (Read: Open source) clients?
  • by Tensor ( 102132 )
    Trillian has had SecureIM over the ICQ protocol for AGES.

    I never realized that would make it an illegal product to use in some states :)
  • by PirateDave -) ( 679653 ) on Sunday June 08, 2003 @12:18PM (#6143861)

    It already is encrypted, isn't it?

    foxy28uk192323342 says: h1 asl lol
    brandon343jfdh says: lol brb fs

    Maybe I'm just cynical :/

  • Why? (Score:3, Insightful)

    by Tyrdium ( 670229 ) on Sunday June 08, 2003 @12:18PM (#6143863) Homepage
    I don't know about other people, but my conversations on AIM usually go like this:

    Me: Hey
    Other guy: Hey
    Me: Anything interesting happening?
    Other guy: Not much. You?
    Me: Not much. Hey, wanna play Starcraft?
    Other guy: Sure. See you on in a few minutes. Usual channel.
    Me: Okay. See you there.

    Frankly, I couldn't care less whether or not anyone else was reading that, and I bet a lot of people feel the same way. It's a nice feature, sure, but it's not the most needed...
    • Re:Why? (Score:2, Insightful)

      by Lemuel ( 2370 )
      That's pretty much how my personal usage goes, too. At work, though, we are loath to send company business over the wire in plain text, so this feature could be useful for businesses.
    • I have some pretty long and complex conversations over ICQ. So I'd say your mileage may vary.
    • Re:Why? (Score:5, Insightful)

      by sahrss ( 565657 ) on Sunday June 08, 2003 @12:35PM (#6143995)
      Some users (like me) have fairly serious or business conversations over these chat networks. Using unsecure chat is like speaking in a room with hidden nooks and cracks in the walls leading to other rooms; anyone can sniff an unsecure chat.

      I much prefer conducting my semi-private conversations in a high tower with thick walls, where strangers cannot overhear them.

      Trillian [trillian.cc] is what I use right now to allow this, but it only works with Trillian users, not normal AIM users. It would be nice if AIM made their encryption scheme usable by other clients...although I agree with other posters that it may just be a plan to keep other clients off the network.
      • Re:Why? (Score:3, Interesting)

        by secolactico ( 519805 )
        It would be nice if AIM made their encryption scheme usable by other clients...

        Well, maybe not other AIM clients (eg trillian), but remember that the deal with MS will allow the IMs to interact? It's a reasonably safe bet that MSN messenger will be able to exchange secure messages with AIM.
    • Even if you're talking about the most banal things in the world, using encryption is still necessary in an insecure world. Even though each conversation you have may be insignificant on its own, the sum of all conversations you have may provide enough information about your life to put you at risk.
    • Yes, well, I have used a packet sniffer (ethereal) to see what my roommate was saying about me behind my back over AIM. It would suck to lose this power. Of course, it sucks that he could do it to me, but luckily, he is too damn dumb.
  • Little late.... (Score:2, Informative)

    by jr87 ( 653146 )
    I think AOL is putting this out way too late. Other messenger services such as Gaim [slashdot.org] and Trillian have had encryption in for a while now. These services also have a lot of other features that make them superior to the aim client. Why get AIM?
  • by SweetAndSourJesus ( 555410 ) <JesusAndTheRobot&yahoo,com> on Sunday June 08, 2003 @12:21PM (#6143891)
    Since iChat is one of the few "authorized" AIM clients, maybe it will get access to this.

    • Actually, there's something I'm more interested in. Since MSN and AIM are supposedly going to merge, would that mean I could dump M$'s messenger client in OS X, and just use iChat? Unfortunately all my friends are on MSN . . .
  • And you trust them? (Score:3, Interesting)

    by cperciva ( 102828 ) on Sunday June 08, 2003 @12:23PM (#6143903) Homepage
    Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them.
    • Comment removed based on user account deletion
    • I trust AOL Time Warner far more than I do Microsoft. It was Warner Communications that funded Atari's rise...hence the prominence of video games in entertainment value today. Time Warner spent a fortune developing DVD and fought off Circuit City's attempts to corrupt the format. When was the last time a DVD crashed on you? AOL has funded Linux start-ups, spent resources on the development of the Mozilla web browser, funded TiVo and Palm, not to mention bringing email and internet access to the masses.
    • Quite apart from the issue of security holes, does anyone trust AOL-TW to even *try* to make this secure? I'd be extremely surprised if they weren't keeping AIM keys in "escrow" where the NSA^W FBI^W Department of Homeland Security can access them

      The alternative being that you don't encrypt your AIM messages and leave your 'secret-chat-sessions' visible for everyone.

      What do you really have to hide from the government?

      Do you simply not trust your government to recognize that your harmless chat wasn't a
    • Yep, would be very Unamerican for them to not give ashcroft the keys in escrow. If they didn't do that, they'd be with bin laden.
  • by ONU CS Geek ( 323473 ) * <ian,m,wilson&gmail,com> on Sunday June 08, 2003 @12:24PM (#6143906) Homepage
    If AOL has any ties to Verisign, et al.? If it's using PKI (which it says it is), and the "About AIM Personal Certificates" page (Link Here) [aim.com] says it is (which really doesn't go into how they're implemented, or how you can get a certificate), who's to say that they're not going to charge you for getting a certificate? Yahoo integrated encryption in their Yahoo Messenger Enterprise, and other companies have done this in the past (I believe that even ICQ had a version of their server up so that companies could set their own ICQ servers up).

    I honestly think it's all about the Money for AOL, and it's going to be prohibitive for Joe Sixpack to get this to work.
  • by discogravy ( 455376 ) on Sunday June 08, 2003 @12:29PM (#6143943) Homepage
    would this be why W.A.S.T.E. was killed? I would guess so. Or...is this AOL's co-opting of WASTE itself? have they just taken the GPL code that was posted for that one day and slapped AIM on it?
  • by TerryAtWork ( 598364 ) <research@aceretail.com> on Sunday June 08, 2003 @12:30PM (#6143953)
    If it isn't completely open source then they are running a man in the middle scam and recording the entire encrypted session in the clear.

    All for our own protection, of course....

  • Freaky to think that AOL is actually, you know, aiding freedom of speech, rather than restricting it through their idiotic TOS.

    (I left AOL a looong long time ago when they started censoring their joke sites, bleck!)

    Hmm, next thing you know, Time Warner will be offering streaming movies up online with a pay-per-view system in place!

    Actually not all that unbelievable, with the cost of computers being so low, maybe the "net convergence" of TV and the Internet COULD come true, daring technology for once bein
  • by Anonymous Coward on Sunday June 08, 2003 @12:33PM (#6143979)
    Go to Thawte [thawte.com], get their Free Personal Email Certificate [thawte.com] for your browser/email. Then, from your browser (it works in Mozilla/IE) export it as a .p12 file. Then go in to the Advanced option in AIM's Security preferences, and import the .p12 file. You'll start getting an extra password prompt and a little lock icon.
    • by Animats ( 122034 ) on Sunday June 08, 2003 @01:11PM (#6144243) Homepage
      Yeah, right. Provide your name, address, date of birth, and social security number, and you get a key.

      Thawte originally promised to move the database outside of the US if the US ceased to have adequate privacy protections in law. After the Patriot Act, they should have done so, but they didn't. Thawte today is just a front for Verisign, which, among other things, operates a national wiretapping service for law enforcement and others. [verisign.com]

      • Stepped-up concern over security has put the heat on carriers to ensure they can meet mandates under the FCC's 1994 Communications Assistance for Law Enforcement Act (CALEA), requiring telecom service providers to support the ability of law enforcement agencies to conduct lawful, authorized electronic surveillance of call content and call data.

        ... One company, VeriSign Inc., offers a one- stop, turnkey solution to help telecom carriers comply with CALEA.

        VeriSign's nationwide signaling network infrastructure, digital certificate technology and secure data centers enable it to provide a scaleable service bureau solution that saves carriers significant capital expense and virtually eliminates administration costs involved in meeting the legal, technical and operational requirements of CALEA.

        Using Verint Systems Inc.'s STAR-GATE, a solution that provides the means to access and deliver intercepted communications content and call data to law enforcement agencies, VeriSign offers a streamlined solution that meets the needs of wireline, wireless and cable telephony carriers. Puri explains that once contracted by the carrier, VeriSign becomes the primary point of contact for law enforcement. "Once we receive the order ... it's completely hands off for the carrier."

        Among the orders NetDiscovery processes are historical call records, pen registers or trap and trace (real-time call data as it occurs), as well as wire taps from both law enforcement and national security agencies. The company's personnel are set up to handle classified orders, having attained the appropriate government security clearances, Puri says.

        In addition to eliminating a carrier's need to maintain such personnel, NetDiscovery also eliminates the need to connect to the thousands of agencies with authority to request information.

        The solution supports circuit switches and beginning this quarter it will support packet-based gear, such as soft switches. The company is working with Cisco Systems Inc. to support its soft switches, routers and gateways. ...

        In addition to Cisco, VeriSign is working with four other "market-leading" vendors to ensure support for their packet-based offerings, it says. ...

        "Almost every provider has some sort of packet-based hardware, so support for packet under CALEA is critical. It cuts across all types of carriers from wireline to wireless to cable MSOs," he says.

        The company is looking also at solutions for ISPs and their gear (routers, gateways, etc.) although they are not included under CALEA, Puri adds.

      Verisign just had a session on wiretapping for ISPs at Supercomm. Basically, Verisign runs the US's wiretapping infrastructure. They thus can't be trusted as a security provider.

  • by Krapangor ( 533950 ) on Sunday June 08, 2003 @12:37PM (#6144009) Homepage
    Combined with PDAs/laptops and WLAN access, terrorists could safely use this to coordinate terroristic attacks, especially Al-Qaeda's evergreen of equitemporal suicide attacks on free people.
    The mighty PATRIOT act should prohibit such devices, won't it?
    I'm not sure if this would be really a bad thing. Dangerous tools are restricted very often to protect people, even if there are many good/peaceful uses.
    Take e.g. guns which are restricted in many countries of the world due to their bad possibilities.
    • Just because you think it should be does not mean it is illegal under the PATRIOT Act.

      The PATRIOT Act, as far as I know, does not ban any sort of encrypted communication; the Supreme Court has ruled, if I'm not mistaken, that private and anonymous speech is a fundamental component of the First Amendment right to free speech.

      Furthermore, this is truly not different from encrypted e-mail or anything else, which, as a prior poster pointed out, was not used by any of the September 11 terrorists.

      Guns are r

  • Well, it's a start (Score:5, Informative)

    by randombit ( 87792 ) on Sunday June 08, 2003 @12:37PM (#6144011) Homepage
    Realistically, replacing a protocol that uses plaintext with one that uses crypto is good. But I wouldn't trust encrypted AIM for planning any revolutions, folks. To quote one of the linked pages:

    "AIM encryption goes beyond basic Secure Socket Layers (SSL) encryption" and "Although SSL is widely used, it does not provide the best security over a Public Instant Messaging network."

    This is a big WARNING SIGN, especially considering that a) they provide zero details about what they are using (big no-no in the first place), and b) WASTE, the only other AOLish crypto I've taken a look at, had some fairly serious problems (this was not just my assessment - check the cryptography@metzdowd.com archives for a rundown). This is not exactly confidence inspiring.

    Lastly, are they seriously suggesting rolling out a full PKI for all AIM users? Again, details are light so I'm not sure this is what they mean, but it does seem to be implied. If so, someone needs to inform them of the harsh realities of PKI. Certs for AOL users wouldn't be too hard, since they already have addresses, CC #s, etc to let them (at least with reasonable probability) check on people's identity. But everybody else - forget it.
  • SecureIM (Score:4, Informative)

    by ElOttoGrande ( 183478 ) on Sunday June 08, 2003 @12:39PM (#6144022)
    SecureIM [vonnieda.org] has been around for a while now. It basically acts as a proxy and you set your Aim to connect through it. Inside the proxy it encrypts everything with 256bit blowfish, then on the receiver's end reverses the process. The result is transparent encryption with the standard Aim client.

    It's easy to install but since both parties need to have it running can be tricky trying to get non-geeks to understand why they should install it.

    I used it for a while with the few(2) friends I could convince to run it but then kind of forgot about it...

  • feh. (Score:3, Interesting)

    by ErikZ ( 55491 ) on Sunday June 08, 2003 @12:39PM (#6144029)
    What I REALLY want is AIM to automatically log all conversations. Like ICQ and IRC. Having to save to a chat file and come up with a name for the file every time is a step backwards.

    • "What I REALLY want is AIM to automatically log all conversations..."

      Er, Trillian [trillian.cc] does this. It also supports the ICQ and IRC protocols, though its IRC support is limited. (AIM, ICQ, MSN, and Yahoo support all work great out of the box.)

      You can also use Trillian's built-in 128-bit encryption (as several others have pointed out.)

      To add my own specific little plug for Trillian, I like that I can have three AIM accounts signed on at one time (and pick which one I want to use to send messages to others.) Th
      • It's also notable to mention that Trillian is closed source, and the cooler features aren't even free as in beer (e.g. Trillian "Pro"). Gaim supports Windows, and Linux out of the box, and every feature is both free as in beer and speech (including plugins). And I too can connect to multiple screen names of any medium and choose which to use to send messages to people with. Gaim also natively supports not only AIM, ICQ, MSN, IRC, and Yahoo, but Jabber as well, something the Trillian developers refuse to na
    • Re:feh. (Score:4, Informative)

      by generic-man ( 33649 ) on Sunday June 08, 2003 @12:54PM (#6144139) Homepage Journal
      AIM+ [big-o-software.com] piggybacks onto the official AIM client, offering features like ad removal, automatic logging, and cloning (run two AIM processes at the same time). I use it with AIM 4.x, and all the other features in the official client work just fine.
    • Dead AIM (Score:2, Informative)

      DeadAIM does it. It's like AIM+ in that it latches on to the regular aim client. There's other nice features, tabbed messenger windows, cloning so you can run more than one s/n at once. Stuff like that
  • GPG plugin for Licq (Score:5, Interesting)

    by caluml ( 551744 ) <slashdot@spamgoe ... g ['ere' in gap]> on Sunday June 08, 2003 @12:43PM (#6144053) Homepage
    I would like to see a GPG plugin for Licq. Some kind of ICQ user ID to GPG key id mapping file, so that I could say 12098242 = 0xe66d4af, and all communication from then on to that user would automatically be encrypted to that key. I know it has SSL encryption built in, but that doesn't work if you're both behind firewalls.
    I started to try and work on it, but it was too tricky. Anyone interested in helping out?
  • by iamdrscience ( 541136 ) on Sunday June 08, 2003 @12:44PM (#6144059) Homepage
    For some reason a couple people have posted so far questioning the usefulness of this. I've used Trillian's SecureIM encryption a number of times and I'll try to give an example of a situation where encrypted IM was useful.

    I needed a root password from my brother, we were both running Trillian so we just turned on SecureIM and he gave it to me. This was far easier than any other encrypted messaging we could have done. We've traded passwords a couple other times the same way.

    • I'm a little bit more paranoid than that - I wrote a one time pad encoder/decoder and swap floppy disks full of randomly generated pads (say hellooooo WinTV card - ideal for picking up random noise).

      This is considerably more secure than public key or even symmetric encryption as there is no possible way to reconstruct the message without the key, which is scrubbed by the app off both disks as the message is converted. (The encoder chooses the next coherent free block of random numbers to encode with.) As lo
  • by Animats ( 122034 ) on Sunday June 08, 2003 @12:46PM (#6144077) Homepage
    From the press release:
    • Security credentials that enable these capabilities -- Personal Digital Certificates -- are an optional service available to enterprises as part of the Enterprise AIM Services offering.
    That is so Bush Administration.
  • by acherrington ( 465776 ) <acherrington@nOspAm.gmail.com> on Sunday June 08, 2003 @12:52PM (#6144129)
    Here is how I see it, there is a lot of push from AOL-TW executives to turn this product, with a large user base, into a real cashcow. The only way that it is doable is by pushing the product into the corporate arena. The AOL-TW execs would like to push all of the infrastructure and software completely into a corporation, same as a mail system (like exchange server, and outlook on the desk). Many businesses were reluctant because it didn't offer the very basics of security. While general users don't care about this, try selling this to a CIO who has had security pounded into their head over the last two years. What question is he/she going to ask, "Would you mind telling me about security for your product?" So when they give this out to you, the public... it's just a mass test, so they can start doing corporate sales. Just my thoughts....
  • geeze (Score:4, Funny)

    by nomadic ( 141991 ) <nomadicworld@ g m a i l . com> on Sunday June 08, 2003 @12:59PM (#6144170) Homepage
    Get over yourself. Nobody's going to read your AIM conversations. Nobody cares. You're not that interesting.

    Hell, the person you're AIMing probably doesn't want to read your messages either.
  • Companies are starting to buy IM not only for internal communications, but for fast and cheap communications with customers, such as for customer service or alerts. With encryption, a broker can comfortably talk to clients about stock trades over IM.

    BTW - GAIM and Trillian might have it as well, but they illegally draft off the big 3 networks (they have no license to tap in), so expect them to be under some serious pressure now that money is starting to flow to the big 3 for enterprise-class IM.

  • by Anonymous Coward
    The Jabber [jabber.org] protocol has supported PGP for a while, and quite a few clients support it. It's used both for end-to-end encryption and for signing both your presence and messages. I'm running a development version of Psi [affinix.com] with GPG currently.
  • by Anonymous Coward
    I'm sure CuDdLES49128 and her 12 year-old friends were behind this 'innovative' feature.

    I mean, honestly, most of AIM users don't even know what encryption is, much less think they need it.
    • by Anonymous Coward
      I'm sure CuDdLES49128 and her 12 year-old friends were behind this 'innovative' feature.
      Look on the bright side, though... When you try to pick up CuDdLES49128 for a date and she turns out to be Special Agent Bob Flannigan, you can avoid charges by accusing the FBI of circumventing your digital protection device!

      Soon, "pleading the DMCA" will be as common as "pleading the 5th" ;)
  • GPG (Score:5, Informative)

    by krokodil ( 110356 ) on Sunday June 08, 2003 @01:30PM (#6144366) Homepage
    I am using Fire (MacOS X multi-protocol IM client) and it has had GPG encryption for a long time.

    The way they did it, it is quite easy to make it work with other IM clients: they just use GPG to sign/encrypt each message and then send it as plain text in ASCII armor. The client on the other side can detect such messages and decode them.

    No protocol extensions required. I wish somebody would address support for such a mechanism in the standard Yahoo and ICQ clients and other clients.

    I guess if more open source IM clients support it, it could become the de-facto IM encryption standard...

    I use IM a lot for work and some information I exchange there could be considered business secrets.

    • Re:GPG (Score:5, Interesting)

      by gbooker ( 60148 ) on Sunday June 08, 2003 @04:29PM (#6145364) Homepage Journal
      As a Fire developer myself, I thought that I could contribute a little more to this. We have started to participate in a discussion on the best way to do encryption over IM protocols. This discussion can be found here: http://www.chat.solidhouse.com/smsn/ [solidhouse.com]. The GAIM-E author has even contributed to this discussion.

      Also, we have drastically improved the way that the GPG encryption is handled. It now works on more protocols and will be more consistent. My favorite is that we now correctly recognize a gpg installed by fink.

      Here is how I envision this in the end. Assuming that AOL didn't use PGP (or GPG), then we (OS Client Authors) should try to support their protocol, along with PGP (or GPG) which would be considered more secure.

      Glad to run across another satisfied Fire user.
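The receiving side of the scheme krokodil describes (spot an ASCII-armored block inside an ordinary IM body, confirm it survived the transport intact, then hand it to GPG), as an added example that is not part of the original thread and is not Fire's code. It handles only the MESSAGE and SIGNATURE block types; the function names and the sample payload are assumptions, and the CRC-24 constants are the ones given in RFC 4880.

```python
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    """Armor checksum: catches transport damage, it is not a security check."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

ARMOR_RE = re.compile(
    r"-----BEGIN PGP (MESSAGE|SIGNATURE)-----\r?\n(.*?)\r?\n-----END PGP \1-----",
    re.S)

def extract_armor(im_text: str):
    """Return (kind, payload) for the first armored block, None for plain chat.
    Raises ValueError when a block is present but incomplete or damaged."""
    match = ARMOR_RE.search(im_text)
    if match is None:
        if "-----BEGIN PGP " in im_text:
            raise ValueError("armor block is incomplete")
        return None
    kind = match.group(1)
    lines = [ln.strip() for ln in match.group(2).split("\n")]
    if "" not in lines:
        raise ValueError("no blank line between armor headers and data")
    body = lines[lines.index("") + 1:]
    stated = None
    try:
        if body and body[-1].startswith("="):      # optional "=XXXX" checksum line
            stated = int.from_bytes(
                base64.b64decode(body.pop()[1:], validate=True), "big")
        payload = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:                      # binascii.Error is a ValueError
        raise ValueError("base64 data is corrupted") from exc
    if stated is not None and crc24(payload) != stated:
        raise ValueError("CRC-24 mismatch")
    return kind, payload

def receive(im_text: str):
    """What a receiving client would do with one incoming message body."""
    try:
        found = extract_armor(im_text)
    except ValueError as exc:
        return f"damaged: {exc}", None     # warn the user, do not call GPG
    if found is None:
        return "plain", None               # show as ordinary chat text
    kind, payload = found
    return f"armored {kind}", payload      # pass payload to GPG to decrypt/verify

def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Build an armored block, used here only to construct the sample input."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Version: constructed-example",
                      "", *rows, "=" + crc, f"-----END PGP {kind}-----"])

# Constructed sample: placeholder bytes standing in for real OpenPGP packets.
PAYLOAD = bytes(range(100))
SAMPLE_IM = armor(PAYLOAD)

if __name__ == "__main__":
    print(receive("hey, wanna play Starcraft?"))
    print(receive("see below\n" + SAMPLE_IM)[0])
    print(receive(SAMPLE_IM[:120])[0])     # cut short in transit
```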
  • Are they then using Waste as the basis of the implementation?
  • Many of these replies are misleading or totally incorrect.

    Trillian does *NOT* do the "same thing" .. This AOL beta, in addition to encryption using a certificate, is signing based on the certificate. Trillian does not have an option (as far as I can tell from the free version) to use certificates and/or sign messages.

    Also, you do not need "Enterprise" services to use this functionality. I just tested it, and it works fine with the free client. Just get a free Thawte certificate, import it, and begin IM
  • We use AIM extensively at work, and we have a rule that no security information, like server IPs, mapped drives, proprietary info, or passwords of any kind are allowed to be used on an open-end IM or non-encrypted e-mail. Often, we send half-and-half:

    IM > See e-mail on the usual server. Password is "Fn68bX4" and the IP is 10.4+
    E-mail> The IP to login to is +.10.120, and add "g6h0" to the password.

    But really, often we just go to the office and tell them.


  • by debrain ( 29228 ) on Sunday June 08, 2003 @03:04PM (#6144921) Journal
    This is an example of where free software is certainly ahead of the commercial equivalents. Both Kopete [kde.org] and Gaim have had options to encrypt using PGP for quite some time. (Gaim for significantly longer, iirc)

    By delegating the authentication and validation to PGP, they are potentially as-secure-as PGP. By doing in-house certification, ala. Trillian & AIM, the identification and encryption is an internal mechanism, and I would argue (successfully) that it is more difficult to prove its potential to be secure.

    Not only does open source appear to have the feature first, it seems to do it provably better.
  • They should really just allow you to import your PGP key, and then all of your messages will be encrypted if the other user also has their PGP key imported. Plus, when using the direct connect aim feature, you could actually verify the authenticity of the remote person...
