News for nerds, stuff that matters

Secure Internet Live Conferencing

Posted by michael on Sat Jan 26, 2002 04:45 PM
from the no-more-kiddiez dept.
An Anonymous Coward writes: "Newsforge has an article about a new-generation secure chat protocol called SILC (Secure Internet Live Conferencing). The article features the protocol and its features like secure file transfer. Interesting article and very interesting protocol." We posted a story about SILC last year; looks like they've come a long way since then.
This discussion has been archived. No new comments can be posted.
  • by Wizard of OS (111213) on Saturday January 26 2002, @06:50PM (#2907760)
    Somehow, it is quite hard to _really_ initiate a secure communication without much work. You can of course:

    - send e-mail signed with PGP, but that doesn't really fall under 'instant-messaging' or 'conferencing'
    - run an SSL-enabled IRC client and connect to a secure IRC network (lots of compiling and patching here)
    - use Licq's OpenSSL features ... but since no certificates are used during instantiation, it could still be hijacked
    - use 'talk' on a machine that is accessed through SSH ... hardly what you'd call user-friendly

    I must note that I haven't read the article, but a standardized, easy, and secure (meaning that Man-In-The-Middle attacks are not possible due to strict certificate-based identity checking) conferencing program could be the next Big Thing.
  • One downside ... (Score:1)

    by e1en0r (529063) on Saturday January 26 2002, @07:01PM (#2907794) Homepage
    No more AOL chat rooms for Biff the big hairy trucker pretending to be Buffy the sweet little virgin. Now he can securely coerce little kiddies to visit without worrying about being traced.
  • Cross Posting (Score:3, Interesting)

    by jeremiahstanley (473105) <miah@@@miah...org> on Saturday January 26 2002, @07:05PM (#2907816) Homepage
    I'm gonna be called a troll for this...

    But do we really have to cross post everything that gets posted on Newsforge? It is already syndicated everywhere else (linux.com [linux.com], and others I'm sure).
  • I've used this, it is excellent (Score:1, Informative)

    by Anonymous Coward on Saturday January 26 2002, @07:12PM (#2907834)
    This is great to see this get some coverage. I've used this in the past, and it is excellent.

    The best I can say for encryption over IMs is the blaim plugin for GAIM. The only problem being that both sides must be using gaim + blaim.
  • Use stunnel, stupid (Score:3, Interesting)

    by smnolde (209197) on Saturday January 26 2002, @07:12PM (#2907835) Homepage
    stunnel [stunnel.org] helps to encrypt normally non-encrypted data streams.

    I've got my own ircd which I require the clients to use stunnel or an ssl-enabled client to connect. Soon, I can limit access purely by accepted certs, thereby keeping lusers out.

    Of course the same can be done with OpenSSH [openssh.com]. I use that at work to bypass my office firewall and use my home cable connection for a proxy to usenet, email, and other services. The best part of this is I can bypass my office proxy so they don't record where I netsurf. It looks a lot like a bunch of ftp and telnet to them.

    • Re:Use stunnel, stupid (Score:4, Informative)

      by BigJim.fr (40893) <jim@liotier.org> on Saturday January 26 2002, @08:43PM (#2908058) Homepage
      You are merely protecting the path between your workstation and the server through which you access the IRC network of your choice. Don't forget that IRC is a network, and that its distributed nature puts the security of your communications beyond your own control. Tunneling will not change much to IRC security. What would noticeably increase privacy would be encrypted discussions between client side scripts communicating through DCC. It would add a layer and would use the IRC server as a directory and session initiation environment.
  • by Anonymous Coward on Saturday January 26 2002, @07:15PM (#2907841)
    Jabber [jabber.org] is an openly-developed, XML-based messaging platform. As anyone might expect, it has built-in security features, from SSL server connections, to PGP signatures/encryption. A number of clients is available for various platforms.
  • by csbruce (39509) on Saturday January 26 2002, @07:22PM (#2907857)
    A better marketing department would have called it 'SLIC'.

    Or, to more accurately portray the likely discussion, 'SICK'.
  • Better than SSH/Stunnel/etc. + IRC (Score:2, Insightful)

    by libertynews (304820) on Saturday January 26 2002, @07:57PM (#2907957) Homepage
    The reason why this project is so good is that it just works. You install the client and you can connect securely without screwing around with configuring a dozen different programs, etc. I had it up and running in the time it took to download the .rpm and install it.
  • by DivineWrath (554136) on Saturday January 26 2002, @11:51PM (#2908575) Homepage Journal
    I must step back and look at this from another point of view. What, precisely, is the original purpose of this? Certainly I'm all for it -- the concept is incredibly cool -- but it somehow doesn't seem like something to replace IRC with. Frankly, nickname wars should be stopped with the nickserv/chanserv. You can't have the nickname blah? Try blah-, or ` or _ or whatever suits you. Get over it, or go to another network. It's not that big a deal. It seems to me that these clients will require a bit more power to them, and the protocol will as well. The encryption will make packets larger, and thus easier to use in a war style. Because I have been exposed to the not-so-nice part of IRC, it occurs to me to consider the possibilities here. Though anti-flood features can easily be implemented into the client, this is not the end of the possibilities. Another possibility to be considered in the line of security is IP publicity. They seem to indicate that hostmasks will be available, which thus allows people to get at the IP address and use them for DoS attacks. Of course a masking procedure utilizing wildcards could be implemented as many smaller IRC servers have done. This provokes the possibility of multiple people on the same ISP from the same area with the same nickname showing up. These public keys are most likely obnoxious-to-remember alpha-numeric codes. Who wants that? Then again, if the client has a decent friends list, that, too, can be rectified. The next question I have regards forgery and trust. The server admins, who I will call opers for my convenience, will now have more reason to trust peoples' claims against others regarding abuse because there are now so few ways to perform abuse, and so much added security. But how easy will it be for someone to forge records of someone performing some sort of abuse? It seems to me that all of the information necessary will be provided in the /whois query for the purpose of identification. Will legitimate users be able to use opers as an effective means of cutting back on the inevitable abuse, or will it be too easy to forge offenses and thus make opers far too skeptical to help out in many ways? That's all I'll type for now, but these are certainly (in my opinion) issues for consideration.
  • by apankrat (314147) on Sunday January 27 2002, @12:51AM (#2908691) Homepage
    I wouldn't mind having a simplified H.323, but who the hell needs a reinvented wheel, when there is ESP for IPv6 and there is IPv6 with all the built-in goodies?
  • Free Voice Chat Program? (Score:1, Offtopic)

    by redcliffe (466773) on Sunday January 27 2002, @01:43AM (#2908805) Homepage Journal
    This is slightly offtopic, but are there any free voice conferencing programs for Linux and Windows? I've tried Gnomemeeting, but it uses a flawed system that doesn't work with NAT easily. I'd like to find a program that could do this, and use GPG keys for encryption for an added coolness feature. Any coming soon? Thanks,

    David
  • Jabber + GPG... (Score:1)

    by packetknife (536137) on Sunday January 27 2002, @11:45AM (#2909756) Homepage
    BTW, for those who haven't already seen, Gabber has GPG support. This should surely make some ppl happier, full-blown GPG in IM. -Pk
  • Good, but Trillian may be simpler (Score:2, Insightful)

    by internic (453511) on Sunday January 27 2002, @01:12PM (#2910021)

    I've been using Trillian [trillian.cc] for a while. It's a free (like beer) multi-medium chat client for Windows. The newest version supports 128-bit Blowfish encryption for chatting over AIM and ICQ networks with other Trillian clients. This is achieved by using a key exchange method like OpenSSH. It is far from mature. As the newsforge article notes about other such systems, it lacks the authentication and key management aspects, so it is not really very secure yet; however, those could be achieved with relative ease, I believe, and the general method might be a lot more viable for a transition from current insecure systems.

    The point is that the way Trillian does it, all messages are encrypted into ASCII-armored "messages" that are sent through preexisting messaging protocols. A new protocol would probably be better, but it will be hard to get people to switch. Plus you need servers, and you will likely run into the same problems of the big companies working against interoperability. With Trillian, I can talk securely to those who care and have the client, and still talk to everybody else, and it doesn't take special servers, so we don't have to start our own or wait for AOL to finally think that security might be a good thing.

    My point is not, "Hey everybody, switch to Trillian," but rather that the system of changing the client operation and leaving the protocol the same may not be as good as a completely redesigned protocol, but it may be more workable. ...However, if you use Windows, do check Trillian out! [trillian.cc]
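
The gap raised in the comment above (a key exchange with no authentication step), as an added example that is not part of the original post and is not Trillian's or SILC's code: two clients compare a fingerprint of the exchanged public values out of band, which exposes a relay that swapped them. Diffie-Hellman, the toy group parameters, and every function name here are assumptions made for illustration; the page does not name the algorithm.

```python
import hashlib
import secrets

# Toy parameters (assumption): 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public value) for one chat client."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive the session key from our private exponent and the peer's public value."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub_a, pub_b):
    """Short hash over both public values, order-independent, for the users to
    read to each other over a channel the chat server does not control."""
    lo, hi = sorted((pub_a, pub_b))
    return hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).hexdigest()[:16]

def substituting_relay():
    """Model of a server that forwards its own public value instead of the sender's."""
    _, relay_pub = keypair()
    return lambda _sender_pub: relay_pub

def run_exchange(relay=None):
    """One exchange between clients A and B; `relay` stands for the network in between."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    seen_by_b = relay(a_pub) if relay else a_pub   # what B receives as "A's key"
    seen_by_a = relay(b_pub) if relay else b_pub   # what A receives as "B's key"
    return {
        "keys_match": shared_key(a_priv, seen_by_a) == shared_key(b_priv, seen_by_b),
        "fingerprints_match": fingerprint(a_pub, seen_by_a) == fingerprint(seen_by_b, b_pub),
    }

if __name__ == "__main__":
    print("direct:  ", run_exchange())
    print("tampered:", run_exchange(relay=substituting_relay()))
```

In the tampered run each client still derives a key without any error, so only the fingerprint comparison tells the users that something between them changed the values.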

  • Re:Sounds cool... (Score:1, Informative)

    by Anonymous Coward on Saturday January 26 2002, @07:36PM (#2907897)
    Check out Trillian [trillian.cc]. It is a chat client that is compatible with 5 different instant messaging protocols plus it has encrypted messages when IMing other people with the same client.