MSN Messenger Encryption and Privacy
Here's a very shiny program, Secway's SIMP MSN IM Security Solution. Mark Hammond turned me onto it, and it's very slick. It's slick for a few reasons.
- It flat out just works. This is partially because of its interface, and partially because of its architecture.
- It's a local SOCKS proxy server that sits between your MSN Messenger and the service. This makes the application transparent to MSN Messenger.
- It also works with Trillian, which, as an aside, is a program that Patrick Cauldwell swears by, but I just haven't been able to get into. Maybe I need to try again?
- It makes security easy.
- The most difficult part of security is key creation and exchange. SIMP makes both a snap.
- It doesn't handle identity, you say? It doesn't need to; it's already handled by the fact that you're logged into your IM Account!
I'm set up on SIMP with my MSN Messenger account. If you've got me on your MSN Friends List, chat me securely and be impressed with how smoothly your experience goes.
Note: Be sure to check with your local IT department and your company's security policy before you install any software that enables secure communication. Also, note that SIMP is free for Personal use only.
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
I don't agree, I still think proper identity or authenticity is required. Having an MSN account is not a proof of identity.
Integrating this with X.509 client certificates could be an option. In Denmark where I live, we have public and government controlled personal X.509 certificates. Integrating this into products like SIMP could give us that last but very important "proof of identity".
About the key exchange... SIMP uses Diffie-Hellman exchange, which does not require client or server side verification. This creates a secure connection between the client and the server (in this case between two parties in a chat session). If multiparty chatting is required, more sophisticated key exchange needs to take place.
Like in PGP - use an out-of-band mechanism like email, voice, whatever (just don't use MSN :) to verify with your peer if the hash (= fingerprint) of the key that got exchanged is the proper one.
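The comment above describes the two halves of what SIMP automates: an unauthenticated Diffie-Hellman exchange between the two chat parties (the "key creation and exchange" step the post calls a snap) and the out-of-band fingerprint comparison that is the only thing telling you the key really came from your peer. The following is an added, self-contained illustration written for this page; it is not SIMP's or Secway's code, and it assumes the RFC 3526 2048-bit MODP group with generator 2 and SHA-256 fingerprints, which may differ from what SIMP actually uses. It runs the exchange once directly and once with the relay path handing each side a substituted public value, and shows that the fingerprint check is what exposes the difference.

```python
"""Diffie-Hellman over an IM path plus an out-of-band fingerprint check (added example)."""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP, generator 2).  group_is_sane() below
# checks that p and (p-1)/2 are probable primes, so a typo in this constant
# is detected instead of silently weakening the example.
_P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(_P_HEX.split()), 16)
Q = (P - 1) // 2  # prime order of the subgroup generated by G
G = 2


def is_probable_prime(n, rounds=8):
    """Miller-Rabin probable-prime test; enough for a group sanity check."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_sane():
    """p and q = (p-1)/2 must both be prime for the subgroup check to mean anything."""
    return is_probable_prime(P) and is_probable_prime(Q)


class Party:
    """One chat participant (hypothetical names): DH key pair and session-key derivation."""

    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(2**256 - 1) + 1  # 256-bit exponent, never zero
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub):
        # Reject values outside the group or in a small subgroup before using them.
        if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
            raise ValueError("peer public value is not a valid group element")
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def fingerprint(pub):
    """Human-comparable hash of a public value, in PGP-style 4-hex-digit groups."""
    h = hashlib.sha256(pub.to_bytes(256, "big")).hexdigest().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def run_session(relay_substitutes_keys):
    """Simulate one exchange over the IM path (constructed, in-process).

    False: each party receives the other's real public value.
    True: the path in between hands each party a substituted value, the case
    unauthenticated DH cannot detect on its own.  Returns what each side can
    observe: whether the derived keys agree and whether the out-of-band
    fingerprint comparison passes.
    """
    alice, bob = Party("alice"), Party("bob")
    if relay_substitutes_keys:
        relay = Party("relay")
        alice_receives, bob_receives = relay.pub, relay.pub
    else:
        alice_receives, bob_receives = bob.pub, alice.pub

    alice_key = alice.session_key(alice_receives)
    bob_key = bob.session_key(bob_receives)

    # Out-of-band step: each party reads the fingerprint of the value they
    # received and compares it with the fingerprint the peer announces by
    # phone or e-mail (computed from the peer's real public value).  Note that
    # an active relay would re-encrypt traffic so mismatched keys never show
    # up as a broken chat; only this comparison reveals the substitution.
    alice_check = fingerprint(alice_receives) == fingerprint(bob.pub)
    bob_check = fingerprint(bob_receives) == fingerprint(alice.pub)
    return {
        "keys_agree": alice_key == bob_key,
        "fingerprints_verified": alice_check and bob_check,
    }


if __name__ == "__main__":
    assert group_is_sane(), "DH group constant failed primality check"
    for mode in (False, True):
        print("substituted" if mode else "direct", run_session(mode))
```

The subgroup check in `session_key` is the client-side validation the comment says Diffie-Hellman does not require: the protocol works without it, but rejecting values outside the order-q subgroup costs one modular exponentiation and removes a class of bad inputs. What it cannot do is tell you who sent a well-formed value, which is exactly the gap the fingerprint comparison closes.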
Bo - Sure, it doesn't prove "Identity" with a Capital I, but I was trying to point out (apparently unsuccessfully) that having the IM account in the first place did mean SOMETHING.
Dominick - Cool.
Still, you have to manually verify the validity of the key upon first exchange (like PGP) - to mitigate "man in the middle attacks".