Secure Internet Live Conferencing 61
An Anonymous Coward writes: "Newsforge has an article about new generation secure chat protocol called SILC (Secure Internet Live Conferencing). The article features the protocol and its features like secure file transfer. Interesting article and very interesting protocol." We posted a story about SILC last year; looks like they've come a long way since then.
Secure talking not very common (Score:2)
- send e-mail signed with PgP, but that doesn't really fall under 'instant-messaging' or 'conferencing'
- run a SSL-enabled IRC client and connect to a secure IRC network (lot's of compiling and patching here)
- use Licq's OpenSSL features
- using 'talk' on a machine that is accessed through SSH
I must note that I haven't read the article, but a standarized, easy, and secure (meaning that Man-In-The-Middle attacks are not possible due to strict certificate-based identity checking) conferencing programs could be the next Big Thing
Re:Secure talking not very common (Score:3, Insightful)
Re:Secure talking not very common (Score:2, Insightful)
Link a few of those localhost-only IRC servers together via ssh tunnels, and voila, secure network. However, accounts on the machines hosting the IRC servers are required.
Given the above, one could create an account with the shell pointing to an IRC client binary, so specific user accounts wouldn't always be necessary.
The pro: Don't have to retrofit existing IRC clients on any platform for SSL or other PKI compatibility. Just ssh forward ports 113 (identd) and 6667 (ircd), and point your favorite program to localhost on 6667. Or whatever port on which you've got ircd listening.
The con: You need an account on the localhost-only IRC server's host.
we use a VPN with FreeS/WAN (Score:1, Interesting)
This is one of the more secure ways of doing secure communication i guess, and very comfortable, as dcc works too etc (as long as no box is getting hijacked security is almost perfect).
One downside ... (Score:1)
Small downside (Score:2)
While this is a legitimate issue, I think its a negligible one for two reasons: 1) most people like Biff get caught in sting operations, or when the kid has second thoughts and tells their parents. 2) At my office, I know our network admins sometimes get bored and grab packets from people's computers to see what they're up to. I'd rather not have someone in a filthy Doctor Who T-Shirt reading my Instant Messages. To me, this application of said protocol far outweighs the chance a child molestor will be able to cover his tracks a little bit better.
Cross Posting (Score:3, Interesting)
But do we really have to cross post everything that gets posted on Newsforge? It is already sydicated everywhere else (linux.com [linux.com], and others I'm sure).
Re:Sounds cool... (Score:1, Informative)
I've used this, it is excellent (Score:1, Informative)
The best I can say for encryption over IM's is the blaim plugin for GAIM. The only problem being that both sides must be using gaim + blaim.
Use stunnel, stupid (Score:3, Interesting)
I've got my own ircd which I require the clients to use stunnel or an ssl-enabled client to connect. Soon, I can limit access purely by accepted certs, thereby keeping lusers out.
Of course the same can be done with OpenSSH [openssh.com]. I use that at work to bypass my office firewall and use my home cable connection for a proxy to usenet, email, and other service. The best part of this is I can bypass my ofice proxy so they don't record where I netsurf. it looks a lot like a bunch of ftp and telnet to them.
Re:Use stunnel, stupid (Score:4, Informative)
Re:Use stunnel, stupid (Score:3, Informative)
You can't simply fix a broken protocol by tunneling it over a secure connection. IRC wasn't made with security in mind, and it shows. Stunnel is no more than a temporary and very dirty hack, until something better shows up. That might be SILC, or this project I've started along with a few other IRC addicts: CIRCUS [sf.net].
Then there's other fixes regarding network scalibility, for instance. And don't forget the boom of IM in the last few years, which has shown quite a few features which IRC is lacking, and an updated protocol might take a shot at improving user experience, going way beyond what IRC can offer.
Re:Use stunnel, stupid (Score:2)
Stunnel is set up to listen on one port and forward the decrypted data to the port where the ircd is listening.
My setup isn't a solution, but it's a combination available software; I'm not integrating one into the other.
Re:Use stunnel, stupid (Score:2, Interesting)
If anything, most of the IM software seems like a stripped-down IRC client: Connect to a server; check your notify list; send private messages to people; create "chats" and invite your friends in; send files to people on your notify list (I've never used MSN or AIM, do they even support file transfer?); and then a few external program launching that could easily be done by a client script.
So what exactly is lacking in IRC? IRC has public "channels" as well as private chats, direct-connect chats and file-transfer, support for many clients and bots, even server-run moderation by control of the user. Will you miss your pretty flower? We could still use those sounds that everybody loves in IRC...
All one really needs is a small notify list window (with right-click action) add-on for mIRC and suddenly people are using IRC again
Re:Use stunnel, stupid (Score:2)
First, an ICQ-style notification list. That alone, although it only depends on a client mod, would be great.
Second, in IRC, you can never be sure you're talking to the right person. The nick might have been hijacked or something. Having a central database of nicknames would solve the problem. Yeah, there's NickServ, but it's also a hack -- IRC needs an integrated authentication service.
Plus, people won't be using text interfaces for long. Once there's bandwidth enough, people are going to use voice and video, and save by a dirty hack IRC can't expand into that. Any IRC-replacing protocols must expand easily and cleanly -- you can't tell what the future holds for more efficient means of communication.
Being able to authorize people to go into your notify list or not is also a desirable feature for some.
I don't want to turn IRC into ICQ. I want to grab the best of both worlds into a single application, with the addition of cryptography and network scalibility enhacements.
Jabber has got signatures/encryption as well (Score:3, Informative)
Re:Jabber has got signatures/encryption as well (Score:1)
Fire the marketing department! (Score:1, Funny)
Or, to more accurately portray the likely discussion, 'SICK'.
Betther than SSH/Stunnel/etc. + IRC (Score:2, Insightful)
Security creating more security issues? (Score:1)
What's wrong with IPsec ? (Score:1)
Free Voice Chat Program? (Score:1, Offtopic)
David
Re:Free Voice Chat Program? (Score:1, Offtopic)
it supports encryption and is multi platform.
oh and if you're a windows developer the original speak freely site [fourmilab.ch] has lots of good points.
Re:Free Voice Chat Program? (Score:2)
There is actually an older program named Speak Freely [speakfreely.org]. I've used it for a number of years and still love it. It runs on *BSD, Linux, Solaris, Windows and probably others. The windows version has a pretty well designed GUI, but the Unix version is CLI based. It comes with two GUI interfaces in the source's CONTRIB dir which are written in TCL. It has a number of encryption modes (4 I think) including using PGP to do the encryption. It also has many audio compression modes making it suitable for anything from High Bandwidth applications all the way down to a 2400bps modem (Really!). The codecs are GSM, ADPCM, LPC, LPC-10, and Simple. Simple just drops certian bits and can be mixed with any other codec. You can run it with out audio compression as well. If you're a fan of amateur radio, this program runs the links of the IRLP project [irlp.net]. Very cool stuff.
My personal favorite way to run it is to have my linux box run a reflector and then have people connect to that and that way I can have multiple people in my conversation. The program is due for a bit of an update, anyone want to volenteer? (I looked at the TODO list and it's all beyond what I can do...)
--Josh
Re:Free Voice Chat Program? (Score:2)
What's the best codec for using with dialup modems? Also is there a way to see if you're friends are online? Thanks,
David
Re:Free Voice Chat Program? (Score:2)
The best Codec for dialup is GSM. It's compressed 5:1 so that you can send it over 19.2kbps. I use IRC or Everybuddy to see if my friends are online. You just put in their hostname/IP address to connect (or they put in yours) so you can give that info over any IM protocall you want. Perhaps a Jabber extention would be in order...
--Josh
Jabber + GPG... (Score:1)
Good, but Trillian may be simpler (Score:2, Insightful)
I've been using Trillian [trillian.cc] for a while. It's a free (like beer) mult-medium chat client for Windows. The newest version supports 128-bit blowfish encryption for chatting over AIM and ICQ networks with other Trillian clients. This is achieved by using a key exchange method like Openssh. It is far from mature. As the newsforge article notes about other such systems, it lacks the authentication and key management aspects, so it is not really very secure yet; however, those could be achieved with relative ease, I beleive, and the general method might be a lot more viable for a transition from current insecure systems.
The point is that the way Trillian does it, all messages are encrypted into ascii-armored "messages" that are sent through preexisting messging protocols. A new protocol would probably be better, but it will be hard to get people to switch. Plus you need servers, and you will likely run into the same problems of the big companies working against interoperability. With Trillian, I can talk securely to those who care and have the client, and still talk to everybody else, and it doesn't take special servers, so we don't have to start our own or wait for AOL to finally think that security might be a good thing.
My point is not, "Hey everybody, switch to Trillian," but rather that the system of changing the client operation and leaving the protocol the same may not be as good as a completely redesigned protocol, but it may be more workable. ...However, if you use Windows, do check Trillian out! [trillian.cc]
Re:Good, but Trillian may be simpler (Score:1)
I should say, SILC sounds like a fine replacement for IRC. I was simply addressing the idea of using it for "instant messaging".