Scott Hanselman

MSN Messenger Encryption and Privacy

April 25, '05 Comments [8] Posted in Reviews

Here's a very shiny program, Secway's SIMP MSN IM Security Solution. Mark Hammond turned me on to it, and it's very slick. It's slick for a few reasons.

  • It flat out just works. This is partially because of its interface, and partially because of its architecture.
    • It's a local SOCKS proxy server that sits between your MSN Messenger and the service. This makes the application transparent to MSN Messenger.
    • It also works with Trillian, which, as an aside, is a program that Patrick Cauldwell swears by, but I just haven't been able to get into. Maybe I need to try again?
  • It makes security easy.
    • The most difficult part of security is key creation and exchange. SIMP makes both a snap.
    • It doesn't handle identity, you say? It doesn't need to; it's already handled by the fact that you're logged into your IM Account!

I'm set up on SIMP with my MSN Messenger account. If you've got me on your MSN Friends List, chat me securely and be impressed with how smoothly your experience goes.

Note: Be sure to check with your local IT department and your company's security policy before you install any software that enables secure communication. Also, note that SIMP is free for Personal use only.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

Monday, April 25, 2005 7:32:09 AM UTC
"The most difficult part of security is key creation and exchange. SIMP makes both a snap."

Still, you have to manually verify the validity of the key upon first exchange (like PGP) - to mitigate "man in the middle attacks".

dominick
Monday, April 25, 2005 7:48:55 AM UTC
Valid point. How would you suggest we do that?
Monday, April 25, 2005 9:23:02 AM UTC
Over a couple of beers perhaps?
Mr. B
Monday, April 25, 2005 9:36:53 AM UTC
"It doesn't handle identity, you say? It doesn't need to; it's already handled by the fact that you're logged into your IM Account!"

I don't agree, I still think proper identity or authenticity is required. Having an MSN account is not a proof of identity.

Integrating this with X.509 client certificates could be an option. In Denmark where I live, we have public and government controlled personal X.509 certificates. Integrating this into products like SIMP could give us that last but very important "proof of identity".

About the key exchange... SIMP uses Diffie-Hellman exchange, which does not require client or server side verification. This creates a secure connection between the client and the server (in this case between two parties in a chat session). If multiparty chatting is required, a more sophisticated key exchange needs to take place.

/Bo
Monday, April 25, 2005 11:50:08 AM UTC
I have been using this for a few months now; the one thing that I find a bother is file transfer. Leaving it on all the time, I forget about it, and when sending files to family/friends the data transfer rate is a killer because of the encryption. Even if the other party isn't running encryption it will still kill the transfer rate.
Monday, April 25, 2005 12:51:38 PM UTC
"Valid point. How would you suggest we do that?"

Like in PGP - use an out-of-band mechanism like email, voice, whatever (just don't use MSN :) to verify with your peer if the hash (= fingerprint) of the key that got exchanged is the proper one.
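
The out-of-band fingerprint check discussed in the comments above, as an added example that is not part of the original post or its comments and is not SIMP's code. It assumes a toy Diffie-Hellman group and hypothetical function names, and shows that an unauthenticated exchange completes without error whether or not a value was swapped in transit, while the fingerprint comparison over a second channel tells the two cases apart.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): 2**255 - 19 is prime, but this
# is not a vetted Diffie-Hellman group and is not taken from SIMP.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private, public) for a plain, unauthenticated DH exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(my_priv, their_pub):
    return pow(their_pub, my_priv, P)

def fingerprint(pub):
    """Truncated SHA-256 of the public value, grouped so it can be read aloud."""
    digest = hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

def verified(seen_by_me, read_out_by_peer):
    """Compare the fingerprint I received with the one my peer reads to me."""
    return hmac.compare_digest(seen_by_me, read_out_by_peer)

def exchange(relay=None):
    """Run one exchange; `relay` models whatever sits on the network path.

    Returns (alice_secret, bob_secret, ok), where ok is the result of Alice
    checking Bob's fingerprint over a separate channel (phone, in person).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # What each side actually receives may differ from what was sent.
    pub_alice_got = relay(b_pub) if relay else b_pub
    pub_bob_got = relay(a_pub) if relay else a_pub
    ok = verified(fingerprint(pub_alice_got), fingerprint(b_pub))
    return shared_secret(a_priv, pub_alice_got), shared_secret(b_priv, pub_bob_got), ok

def substituting_relay():
    """Constructed on-path party that swaps every public value for its own."""
    _, m_pub = keypair()
    return lambda _original_pub: m_pub
```

With `exchange()` both sides derive the same secret and the check passes; with `exchange(substituting_relay())` both sides still derive a secret, but the fingerprint check fails, which is why the comparison has to happen outside the chat channel.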


Monday, April 25, 2005 2:56:16 PM UTC
Mr. B. - LOL. :)

Bo - Sure, it doesn't prove "Identity" with a Capital I, but I was trying to point out (apparently unsuccessfully) that having the IM account in the first place did mean SOMETHING.

Dominick - Cool.
Scott Hanselman
Friday, September 02, 2005 10:02:10 PM UTC
How do I verify my account? It keeps saying you need to verify your account so you can use MSN Messenger, but I don't have a clue how to do it. It says click on your inbox then click on the first link. I don't know what the link is and I don't know where my email box is. Can you please help me? I want to use my MSN. Thanks x
katie xXx

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.