ICQ / AOL is testing encryption – by adopting XMPP [Update]

January 18, 2008

Florian Jensen beaks the news about AOL adopting the Jabber protocol XMPP – at least on a test server. This is a good move for the interoperability of instant messaging service but also a good one for security and for me.

The ICQ traffic goes unencrypted over the network and I know of special programs which sniff the traffic for pop3, smtp, icq, …. communications and log the login data into a log file (good on routers 😉 ). So you don’t need someone to understand the Oscar protocol, any script kiddie can use these tools . This is the reason I don’t use ICQ except on networks I trust. You’ll ask yourself why I use ICQ (with Kopete as client) at all? Too many friends which I know for a long time (when ICQ was the only instant messaging system – you know the time before it was bought by AOL 😉 ) are still using ICQ. I’ve also a Jabber account and some of my friends have switched to Jabber or are using both as I do, but most use ICQ as their only IM system for > 10 years.

As XMPP is a “good” internet protocol the usage of TLS / SSL encryption is common throughout clients and servers. If AOL is really switching to XMPP it would really increase the security, so lets hope that this is the first step. Even if they are keeping their protocol and only allow XMPP Servers to send messages to their clients it would help me. I just would stop using my ICQ ID and switch completely to my Jabber ID, which than can communicate to my ICQ buddies.

Update: As Edwin Aoki from AOL pointed out in his comment you’re save if you’re using the original AOL clients. Sorry for not making that clear. The problem is only that I don’t know anyone who is using the original clients, even the friends who are using Windows are running alternative clients.


RSS feed for comments on this post. TrackBack URI

  1. Robert,

    We’ve always been concerned about security, and you’re correct that many IM clients (across all of the major IM networks) pass message traffic over plaintext protocols (both our AIM and ICQ clients use TLS/SSL and a one way hash for the password exchange and have for some time).

    Almost 8 years ago we implemented a security protocol on top of AIM based on public keys that protected traffic not only at the transport level but at the application level so that you could be assured of true end-to-end encryption of messages, direct IMs, and file transfers. One of the largest problems, ironically, was that too many people who were using non-AOL clients couldn’t take advantage of it (or didn’t care about the products we’d released), and our customers said that they preferred us working on other features.

    But we continue to make security a priority, and you can look for stronger solutions from us and our partners in the months ahead.

    -Edwin Aoki
    -Technology Fellow/Lead Architect, AOL Products

    Comment by Edwin Aoki — January 18, 2008 #

  2. […] I pointed out in my post about “ICQ / AOL is testing encryption – by adopting XMPP” the original AOL software may communicate in a secure way but most 3rd party software does not. But […]

    Pingback by Robert Penz Blog » Open AIM 2.0 leads hopefully to more security — March 11, 2008 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress
Entries and comments feeds. Valid XHTML and CSS. 36 queries. 0.042 seconds.