Re: lack of encryption in instant messengers



none wrote:

The most widely used instant messenger systems lack an end-to-end encryption
feature. Why is this?

Good question.
There are a number of reasons:

* How do I prove that you are who you say you are?

The traditional way to do this is to get a certificate authority to
issue you a certificate. It is fairly easy to get such certificates
for no cost. Thawte, for example, has its Freemail initiative. That
said, we all know there is no such thing as a universal trusted third
party.
Zphone tried to remove this problem completely by getting people to say
short code words to each other. This is not completely secure as it is not
impossible to mimic your voice.

Even so it is hard enough that making a compromised version of the
Zphone that has an easily predictable sequence of code words is trivial
in comparison.

* Real security requires opening up the protocol - this is politically
impossible in most IM outfits.

MSN, Skype, Yahoo and ICQ have a vested interest in keeping their
protocols closed.
If you release cryptographic software it is a general rule that you have
to open the protocol in order for it to gain any credibility.

* Most of what people say isn't secret.

About the worst thing people will say over IM is how they did drugs at
the weekend. This kind of talk interests nobody.

Most of the traffic is generally unimportant chit-chat.

* Is it really necessary?

I'd bet that most contacts on an IM list are people that you can visit
in the flesh anyway.

Simon.
