[OTR-dev] Re: [Gaim-devel] gaim-OTR, AIM DirectIM, and messaging signals

Mon Feb 20 15:52:18 EST 2006

On Feb 20, 2006, at 12:11 PM, Ethan Blanton wrote:

> Evan Schoenberg spake unto us the following wisdom:
>> On Feb 20, 2006, at 1:04 AM, Mark Doliner wrote:
>>> That would be kind of a pain, but if you really want to fix it I
>>> guess that's the only way to do it.  Personally I'd rather see us
>>> implement AIM's built-in encryption capabilities.  That wouldn't  
>>> solve
>>> the problem, but it would hopefully make it less of an issue?
>>
>> Eh, from what I've heard, AIM's built-in encryption is nothing to
>> write home about nor possibly even to write gaim-devl about.  IANAC,
>> though.
>
> It's interesting that you say it's nothing to write home about ...
> what have you heard?  My understanding is that it uses AOL-signed
> SSL-style certificates for authentication, although I don't know what
> it does for encryption past that and it's certainly possible that they
> did something stupid in their algorithms.  Assuming that they do *any*
> sort of identity checking at all before issuing the certificate, it's
> at least equivalent to almost everything else out there (and
> practically better, since most people don't verify their keys at
> *all*, but that's not a technical point), and even if they don't but
> they register certificates to screen names, it's worth *something*.

That hadn't been my understanding, so I did a bit of research.  It  
turns out I was basically wrong about AOL's official encryption, and  
I apologize for spreading misinformation. :)

It turns out what I was thinking of is Trillian's SecureIM which has  
become a common form of AIM encryption.  SecureIM providese no  
authentication or signing whatsoever.  As a side note, it uses   
Blowfish-based encryption.

The AOL-official encryption is an entirely different story.   
joust.kano.net, where Keith Lea has a good description of the  
protocol and how it works, is down, and but google's cache of the  
appropriate page [1] isn't.  Brief summary is that it's end-to-end  
SSL encryption, not only of messages but also of file transfers,  
direct IM connections, and Get File connections.  It also allows for  
secure chat rooms via a very strange mechanism of the chat room  
creator sharing a secret key with invitees (anybody can join the  
room, but only those invited can read the plaintext... with the  
amusing side effect that you could have multiple encrypted chats  
simultaneously in the same room).  Users of this mechanism need an  
SSL cert... savvy users can generate their own and self-sign them or  
pay to have them signed, and AOL offers verisign-signed certificates  
for a key.  I have no idea what the registration / verification  
mechanism is for the latter process.

A side note about the AOL encryption: As detailed at [2], there is an  
aimencrypt.com website which explains to clueless users how to obtain  
a free signed certificate.  Fantastically, it's free because  
aimencrypt bought one and gives it to users to download so they can  
have a cool lock by their name... just wow.

-Evan

[1] http://64.233.179.104/search?q=cache:jYfa2ow86SUJ:joust.kano.net/ 
wiki/oscar/moin.cgi/AimSecureIm+AimSecureIM&hl=en&gl=us&ct=clnk&cd=1
[2] http://fae.cs.columbia.edu/aimencrypt.pdf

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
URL: <http://lists.cypherpunks.ca/pipermail/otr-dev/attachments/20060220/38641078/attachment.pgp>