Comment IM Encryption Items (Score 1) 336
1) The various advocates of run FOO over SSL are missing a point. Sure you can encrypt the traffic to make it hard to read, but the messages are still in cleartext in the IM server. So, your boss might not be able to read it... but the person running the server certainly can.
SSL only provides "on the wire" encryption. It doesn't prevent the server operator from snooping on you. We assume that the server operators are not logging our traffic, but do we really know ?
And, even if the server operators are on the level (I have no data to suggest otherwise), you are only really protected if everyone you IM is also doing SSL. If you send something awful using your SSL-amped client to a non-SSL's coworker, your boss doesn't have to decode your transmission, he can just look at your co-worker's transmission.
2) Having said that, users of a TOC (not OSCAR) based AIM client can do SSL quite easily. Get a copy of OpenSSL and stunnel on your system. Configure stunnel to accept a cleartext connection and forward it SSL'd to toc.oscar.aol.com. Then connect your TOC based client to the stunnel program. That works just fine because the AOL TOC/WWW server supports SSL.
3) The only potentially "safe" solution, assuming your keybord/screen/mouse aren't being spyed on is to use end-to-end based encryption. Currently the only major public product out there that does this is Trillian... and I don't think the Trillian encryption code has been objectively reviewed to determine that their stuff really prevents snooping on the wire and at the AOL server.
Cheers,
Fuzz
SSL only provides "on the wire" encryption. It doesn't prevent the server operator from snooping on you. We assume that the server operators are not logging our traffic, but do we really know ?
And, even if the server operators are on the level (I have no data to suggest otherwise), you are only really protected if everyone you IM is also doing SSL. If you send something awful using your SSL-amped client to a non-SSL's coworker, your boss doesn't have to decode your transmission, he can just look at your co-worker's transmission.
2) Having said that, users of a TOC (not OSCAR) based AIM client can do SSL quite easily. Get a copy of OpenSSL and stunnel on your system. Configure stunnel to accept a cleartext connection and forward it SSL'd to toc.oscar.aol.com. Then connect your TOC based client to the stunnel program. That works just fine because the AOL TOC/WWW server supports SSL.
3) The only potentially "safe" solution, assuming your keybord/screen/mouse aren't being spyed on is to use end-to-end based encryption. Currently the only major public product out there that does this is Trillian... and I don't think the Trillian encryption code has been objectively reviewed to determine that their stuff really prevents snooping on the wire and at the AOL server.
Cheers,
Fuzz
