On Feb 20, 2006, at 12:11 PM, Ethan Blanton wrote:
> Evan Schoenberg spake unto us the following wisdom:
>> On Feb 20, 2006, at 1:04 AM, Mark Doliner wrote:
>>> That would be kind of a pain, but if you really want to fix it I
>>> guess that's the only way to do it. Personally I'd rather see us
>>> implement AIM's built-in encryption capabilities. That wouldn't
>>> the problem, but it would hopefully make it less of an issue?
>> Eh, from what I've heard, AIM's built-in encryption is nothing to
>> write home about nor possibly even to write gaim-devl about. IANAC,
> It's interesting that you say it's nothing to write home about ...
> what have you heard? My understanding is that it uses AOL-signed
> SSL-style certificates for authentication, although I don't know what
> it does for encryption past that and it's certainly possible that they
> did something stupid in their algorithms. Assuming that they do *any*
> sort of identity checking at all before issuing the certificate, it's
> at least equivalent to almost everything else out there (and
> practically better, since most people don't verify their keys at
> *all*, but that's not a technical point), and even if they don't but
> they register certificates to screen names, it's worth *something*.
That hadn't been my understanding, so I did a bit of research. It
turns out I was basically wrong about AOL's official encryption, and
I apologize for spreading misinformation. :)
It turns out what I was thinking of is Trillian's SecureIM which has
become a common form of AIM encryption. SecureIM providese no
authentication or signing whatsoever. As a side note, it uses
The AOL-official encryption is an entirely different story.
joust.kano.net, where Keith Lea has a good description of the
protocol and how it works, is down, and but google's cache of the
appropriate page  isn't. Brief summary is that it's end-to-end
SSL encryption, not only of messages but also of file transfers,
direct IM connections, and Get File connections. It also allows for
secure chat rooms via a very strange mechanism of the chat room
creator sharing a secret key with invitees (anybody can join the
room, but only those invited can read the plaintext... with the
amusing side effect that you could have multiple encrypted chats
simultaneously in the same room). Users of this mechanism need an
SSL cert... savvy users can generate their own and self-sign them or
pay to have them signed, and AOL offers verisign-signed certificates
for a key. I have no idea what the registration / verification
mechanism is for the latter process.
A side note about the AOL encryption: As detailed at , there is an
aimencrypt.com website which explains to clueless users how to obtain
a free signed certificate. Fantastically, it's free because
aimencrypt bought one and gives it to users to download so they can
have a cool lock by their name... just wow.