Secure IM - in a nutshell

[Mark Doliner]

On Wed, Jan 26, 2011 at 11:57 PM, ANDY <sirald66 at gmail.com> wrote:
> So if I understand the help/faq correctly, in a nutshell - none of the major
> IMs (Yahoo, MSN, Facebook) use SSL security other than to authenticate the
> session at best?

I think that's more accurate that not.  I think logins for AIM,
Facebook, Google Talk, ICQ, MSN, and Yahoo are all either encrypted
with SSL/TLS or use some sort of digest such that your password is not
sent in the clear.

Full encryption of all data should happen for Google Talk and also
maybe for AIM/ICQ (see the settings on the Advanced tab when changing
the settings for your IM account).

> Aside from some great effort that casual/novice users are unlike to make,
> things such as SILC is the only option?

I guess I should point out that if you're concerned about ISPs being
forced to log IMs, the encryption you're asking about probably isn't
going to help you much.  The encryption discussed above only deals
with encrypting traffic from your computer to the IM provider.  At
which point the IM provider can log your IMs all day long.

If you want your communication to be private then you need an
end-to-end encryption solution, like OTR.

> [The republicans in congress are soon proposing that ISPs be required to
> retain 2 years of logs for all customer logins, email/IM and IP
> destinations.  Although casual net use wasn't a concern until now, I'm
> starting to lock down my communications with HTTPS.]

I feel compelled to state that I think this will never happen.  It's
kind of an absurd requirement.  This would be a tremendous burden upon
a lot of people, and the gain is marginal at best.  If people know
their communication is being monitored then they'll start using
end-to-end encryption, in which case the monitoring is useless and
you're just inconveniencing everyone.  I also can't imagine people
being ok with this from a "I live in a free country" point of view.

--Mark