Re: In regards to the insecurity of AOL Instant Messenger

From: John Scimone (sert@snosoft.com)
Date: 08/06/02


From: John Scimone <sert@snosoft.com>
To: jbarbo1 <jbarbo1@umbc.edu>, "Adam Carr" <itsacarr@adelphia.net>, <vuln-dev@lists.securityfocus.com>
Date: Tue, 6 Aug 2002 13:57:32 +0000

On Tuesday 06 August 2002 12:51 pm, jbarbo1 wrote:
> >Now my question, is how secure are normal "ims" on AIM. How difficult
> >would it be to listen to another's msgs and if at all possible, how could
> >this be fixed.
>
> Sniffing the line that the messages are transferred on would reveal the
> contents. They are not encrypted. Maybe if encryption was used, it would
> prevent eavesdropping, at least, some of it.
>
> What about a man in the middle attack, anyone know of that being done
> successfully? Posing as the main AIM server, then redirecting the contents
> of the messages to the real server. Even on a side note, has anything ever
> been done like an Open AIM Server. I know people have created open clients,
> but what about an open server for it?

Does the AIM protocol have any kind of authentication to defeat MiM attacks
whereby an attacker couldn't drop himself in the middle and log all outgoing
conversations and change the actual conversation if he wanted? I don't know
much about the protocol and I'm pretty sure it's closed source, but has
enough work been done by researchers into the protocol to determine if this
is possible? It seems to me it would be trivial for AOL's server to have a
random id generated upon every successful login attempt by a user that would
need to be included with every message and action on the client side in order
for it to register. This would at least prevent an attack by hopping into
the middle of a conversation and would require a more extensive attack by
being in the middle for the initial login.
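
Added example, not part of the original post and not AOL's or AIM's code: a toy Python model of the per-login random id proposed above. As a labelled variant, the id is used as an HMAC key together with a sequence number rather than being sent inside each message, since a value carried in unencrypted traffic could be read by anyone sniffing the line; the `Server` class, `make_tag` and the message layout are all hypothetical.

```python
import hashlib
import hmac
import secrets

def make_tag(key, user, seq, body):
    # Bind the tag to the sender, the message position and the content.
    msg = user.encode() + b"\x00" + seq.to_bytes(8, "big") + body
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    """Hypothetical server: one random secret per successful login."""
    def __init__(self):
        self.sessions = {}  # user -> [session_key, next_expected_seq]

    def login(self, user):
        # Password check omitted; the key travels in the login reply.
        key = secrets.token_bytes(32)
        self.sessions[user] = [key, 0]
        return key

    def receive(self, user, seq, body, tag):
        sess = self.sessions.get(user)
        if sess is None or seq != sess[1]:
            return False  # no session, or replayed / out-of-order message
        if not hmac.compare_digest(make_tag(sess[0], user, seq, body), tag):
            return False  # tag was not made with this login's key
        sess[1] += 1
        return True

def demo():
    srv, out = Server(), {}
    key = srv.login("alice")
    tag0 = make_tag(key, "alice", 0, b"hello")  # constructed sample message
    out["legit"] = srv.receive("alice", 0, b"hello", tag0)
    # Party that joined after login: saw (0, b"hello", tag0) but not the key.
    out["replay"] = srv.receive("alice", 0, b"hello", tag0)
    out["tampered"] = srv.receive("alice", 1, b"changed", tag0)
    guess = make_tag(secrets.token_bytes(32), "alice", 1, b"changed")
    out["forged"] = srv.receive("alice", 1, b"changed", guess)
    out["next_legit"] = srv.receive(
        "alice", 1, b"bye", make_tag(key, "alice", 1, b"bye"))
    # Party that was in the middle for the login reply holds the key, so the
    # scheme alone does not stop it (the limitation the post points out).
    out["login_observer"] = srv.receive(
        "alice", 2, b"changed", make_tag(key, "alice", 2, b"changed"))
    return out

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15} accepted={accepted}")
```
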


