Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
A Secure, Open Source Instant Messenger?

By aragorn in News
Sun Jul 16, 2000 at 01:09:01 PM EST
Tags: Internet (all tags)
Internet

I have a bit of an IM problem, to put it mildly. It's not that I talk to a lot of people (maybe half a dozen), but they all use different networks. So, down in the corner of my screen I have three different clients running. This is acceptable at 1600x1200, but rather out of hand at 800x600 on my laptop. The other thing is that some people are on more than one network, so it's a rather less than optimal situation.


So, naturally, I've had recurring thoughts about just writing one single client for every network. Possibly even throwing in a little icon to tell me when I have mail (kind of a communications center sort of thing). One of the clients I run I wrote myself because I wanted an IM with public key encryption. A friend and I are the only people who use it, though. It wasn't too bad to write, and it did afford me some understanding of how to go about writing an IM client (and server ;-) but I think that a client that integrates the major networks would be non-trivial to code.

At the same time, though, I think it would be a really slick thing to have available. Especially if the encryption were laid on top of one or more of the major protocols instead of being off on it's own. Another neat possibility (I think) would be to make it aware of people who are on more than one network so that it could make intelligent decisions about how to get a message to them.

I've looked around and been unable to find anything like this out on the net (especially with the encryption). What I'm wondering is: does anyone know of any existing projects with similar goals? What kind of interest would there be in this sort of thing? (I'd rather not spend a bunch of time on something like this if nobody gives $0.02 about it.) Is there any sort of interest in the whole encryption thing? I'm a bit of a nut about security and a lot of the time I'm forced to use a large flat network where I know people are sniffing my traffic, but does anybody else really care about this sort of thing?

I'd also be interested in any pointers anyone might have on undertaking a project of this magnitude as well as any ideas or suggestions in general.

I haven't been following K5 for that long, so if this is not an appropriate thing to submit, please just moderate me down. Thanks.

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o Also by aragorn


Display: Sort:
A Secure, Open Source Instant Messenger? | 34 comments (34 topical, editorial, 0 hidden)
Tips (2.80 / 4) (#1)
by PresJPolk on Sun Jul 16, 2000 at 07:01:10 AM EST

While I don't think this is good discussion material, I'll give some tips anyway:

If you want a unified client, or the ability to run your own servers, use Jabber.

If you doubt Jabber's potential for long-term success, you can wait for OpenIM to be written.

If you want secure communications now, you can send me some docs on how to use OpenSSL in an app, and I'll add encryption to the AIM client I've written.



Re: Tips (2.00 / 2) (#7)
by wrenkin on Sun Jul 16, 2000 at 11:12:21 AM EST

The latest version of Licq (0.85) has support for encrypted comunication (via OpenSSL) between Licq users. The AOL 'encryption' is kinda lame. You can still tell that it's ICQ traffic IIRC. So this kinda thing has already been done, even though it doesn't work with regular ICQ users. I think a problem is that users of less enlightened clients (The vast majority at the moment) might be 'left behind'... And if they're the majority on your list, does encrypted communication to a few random users matter at all to you?
--Is this death, or is this Ohio?
[ Parent ]
Protocols (2.00 / 2) (#2)
by ameoba on Sun Jul 16, 2000 at 09:04:04 AM EST

The basic idea seems simple enough. If you know the protocols involved, all IM's work in similar enough ways that you could have one GUI to cover the whole thing. Unfortunately, not all the major protocols are public; notably ICQ.
ICQ's protocol exists in several different versions (of which several are acceptable ), and the newer versions appear to ALREADY have some encryption in them, however the encryption is just in the headers. (To stop people from figuring them out?) And with the nasty reverse engineering clause in licence, figuring out the protocols won't be easy.
Bad news aside, if such a project were to get underway, I would be more than happyy to use it.

A program that satisfies one of the criteria... (3.30 / 3) (#3)
by thelaw on Sun Jul 16, 2000 at 09:48:58 AM EST

i don't know anything about support for encryption, but the project everybuddy might be a good place to start.

jon

dead link? (none / 0) (#8)
by mcwee on Sun Jul 16, 2000 at 11:50:25 AM EST

This link seems to not be feeling very well-- which is unfortuante, because the prog sounds cool. Does anyone have an URL for a mirror?

The PMjA; it's a whole new kind of Truth.
[ Parent ]

Re: dead link? (none / 0) (#16)
by xyzzy on Sun Jul 16, 2000 at 02:30:55 PM EST

Google cached everybuddy.com. You can't do much more than look at the first page, though.

[ Parent ]
Perl! (2.00 / 1) (#4)
by eann on Sun Jul 16, 2000 at 10:42:20 AM EST

Sometime in the last week or so, a Perl module to do much of what you described was mentioned in comp.lang.perl.announce.

Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK

$email =~ s/0/o/; # The K5 cabal is out to get you.


Re: Perl! (none / 0) (#5)
by aragorn on Sun Jul 16, 2000 at 11:09:03 AM EST

Do you recall the name of the module? I'd be interested in this as I'm strongly leaning toward Perl for implementing this.

[ Parent ]
Some pointers. (2.60 / 5) (#6)
by Inoshiro on Sun Jul 16, 2000 at 11:11:12 AM EST

Licq has SSL encryption automagically between any two Licq clients compiled against OpenSSL

Jabber is a client which supports all current and future IM networks by having centralized places to translate between the protocols.

The only problems are that Jabber clients that are useful beyond proof of concept are non-existant. However, it would be very nice to see some convergence between Licq and Jabber such that encryption would be available for more clients, and so that Jabber actually has a useable client :^).



--
[ イノシロ ]
Re: Some pointers. (4.00 / 1) (#10)
by julian on Sun Jul 16, 2000 at 01:34:27 PM EST

The Macintosh Jabber client supposedly supports SSL and possibly PGP now. The GNOME one will hopefully do so soon. :)
-- Julian (x-virge)
[ Parent ]
Re: Some pointers. (5.00 / 1) (#21)
by Anonymous Hero on Sun Jul 16, 2000 at 03:50:29 PM EST

Have you never heard of Gabber (gabber.sourceforge.net), Jarl, Jabbernaut or WinJab?!?!

[ Parent ]
We're going to go ahead with the project (2.33 / 3) (#9)
by aragorn on Sun Jul 16, 2000 at 01:33:02 PM EST

I just got off the telephone with a friend of mine who does Windows programming for a living. I described what I was thinking about doing and asked if he would be able to help out with a Windows client. He said he would and could. In fact, he went so far as to say that if I didn't get behind this project, he would go ahead and do it himself (crazy guy). So, anyhow, it looks like we're going to go ahead and give it a shot. I'm in the process of putting together a web page to explain fully what we came up with during our discussion. I'll post an URL here later in the day for anybody who is interested. Thanks for the input so far!

Re: We're going to go ahead with the project (3.00 / 1) (#15)
by The Welcome Rain on Sun Jul 16, 2000 at 02:24:05 PM EST

I hope it's IMPP-compliant. Otherwise you may be wasting your time.

[ Parent ]
Re: We're going to go ahead with the project (none / 0) (#17)
by aragorn on Sun Jul 16, 2000 at 02:42:47 PM EST

Good call. I'm reading the RFC presently. Thanks!

[ Parent ]
"Gale" is a secure, open-source instant (4.00 / 4) (#11)
by egnor on Sun Jul 16, 2000 at 01:36:30 PM EST

... but it's largely not compatible with the popular commercial instant messaging systems out there. (We do have AIM gateway software available, but you lose encryption when you use it.) Do check it out, though, I happen to think it's pretty keen (but then, I am the primary author). It's the only IM system I'm aware of that uses end-to-end encryption. You might be interested in my (slightly out of date) survey of other open source instant messaging projects.

Unfortunately, "secure" and "compatible" are pretty much mutually exclusive. It's true that you could use (say) AIM as a transport for encrypted messages... but what would be the point? They'd need special client software to decrypt the messages anyway, and at that point you might as well be using a better transport (i.e. one that uses open source servers).

Finally, I'd like to encourage everyone to beware of the "multi-headed client" solution that's so popular these days (Everybuddy, Jabber, etc). It's true that it's the only way to achieve interoperability today, but this solution should really be regarded as stopgap; it doesn't scale. AOL's gateway proposal expresses this concern more eloquently than I can...



I really don't like pushing my own stuff. Really. (4.80 / 4) (#12)
by julian on Sun Jul 16, 2000 at 01:42:57 PM EST

But the article I wrote, Jabber and the Open Source Community, describes one such system which is in working order. As inoshiro said, some of the clients are a bit immature. Over time, they'll mature, though. You have to remember that all of them are quite young right now.

Only one Jabber client that I know of supports SSL (Jabber, the server and the protocol, supports SSL and now PGP communication), but more clients will hopefully be supporting it soon. Any help we can get from people, documentors, client authors, people to help with the protocol, is much appreciated :)


-- Julian (x-virge)
Re: I really don't like pushing my own stuff. Real (5.00 / 1) (#13)
by julian on Sun Jul 16, 2000 at 01:48:39 PM EST

More specifically, also see the Jabber Developer FAQ for more information on security.
-- Julian (x-virge)
[ Parent ]
Re: I really don't like pushing my own stuff. Real (none / 0) (#27)
by Anonymous Hero on Mon Jul 17, 2000 at 03:24:09 PM EST

No offense intended, but I didn't think much of jabber last time I looked at it. Admittedly it's been a while, but the system's architecture seemed very clumsy. The servers are doing more work than is necessary (honestly, I'd rather the server for any IM system did as little as possible) and the system seemed very inflexible with regards to content-type. Well, that's going from what little documentation I could find at the time (most of the links didn't work). And there was a lot of very uncivilised talk about various IM's and authentication or encryption schemes (which didn't help my impressions of the system any). Maybe things have changed, but I don't have much use for Jabber, as it was described then.

[ Parent ]
Re: I really don't like pushing my own stuff. Real (none / 0) (#34)
by karjala on Tue Jul 18, 2000 at 10:17:41 AM EST

The Jabber client needs to allow its users to set it so that it won't run on windows startup.

[ Parent ]
Don't do it yourself!! (4.00 / 4) (#14)
by egnor on Sun Jul 16, 2000 at 02:23:37 PM EST

Above all, I advise strongly that you don't roll your own system. The field of instant messaging is littered with pet projects that never went anywhere. If the existing systems (Jabber, Everybuddy, Gale et al.) don't do what you want, pick the one that's closest (or looks most likely to succeed, or has a development culture you like) and add the features you want to it.

The problem is that, if you want to do more than create a new client for an existing system, network effects and compatibility requirements mean that there can't be very many competitors. Sure, you may have a cool system, but unless it's way better (not just a little bit better) than what's already out there, nobody will switch, and you'll be left talking to a friend or two.

(But then, maybe that's what you want...)

I admire your entrepreneurial, pioneering spirit (after all, I did start my own system, years ago), but in this field at this time you'd be better off in a different field if that's what you want to do.

Re: Don't do it yourself!! (2.00 / 2) (#18)
by aragorn on Sun Jul 16, 2000 at 02:54:09 PM EST

Your point is well taken. I think that Jabber is currently the closest to where I'd like to go. Unfortunately, from what I read on their website I have to question whether they will be able to get it all together in time for it to become popular. I think for now that I'm going to go ahead and give it a try on my own. From a realistic standpoint, you're probably right. However, there is that small chance that enough people will find what I'm doing useful for it to become at least somewhat widespread. Failing that, though, I think I'll certainly learn something from the experience. Thanks for the comment!

[ Parent ]
Re: Don't do it yourself!! (3.50 / 2) (#19)
by Anonymous Hero on Sun Jul 16, 2000 at 03:28:04 PM EST

But if you write a new transport (PGP/GPG?) for Jabber, then everybody who uses Jabber can use that transport, and -you- can use everybody else's clients (I think). It's kindof a win-win situation.

[ Parent ]
Re: Don't do it yourself!! (2.50 / 2) (#20)
by aragorn on Sun Jul 16, 2000 at 03:47:46 PM EST

It's quite possible that my understanding of how Jabber works is incomplete. However, from what I have gleened from their pages, a transport is from server to server, not client-server-client (encrypted all the way). I see that there is SSL support between client and server, but then the server would be a potential point of compromise. My thinking is that it would be better to have a generic encryption protocol that would work over any IM protocol (be it AIM, ICQ, MSN, Jabber, or whatever comes out next week). I think the main work to be done here is to actually <u>design</u> this protocol. An elegant first implementation of it is somewhat secondary. If a good, simple, robust encryption protocol designed to work over IM's were freely available, then any client could implement it (Jabber included). Personally, I think it would be simpler (after having designed a good encryption protocol) to write a basic, lightweight, tightly focused client which proves that it will run over arbitrary IM's than to muck around with various existing clients. Once the protocol is laid out and proven, it would be an easy matter for anyone who wants to use it to implement it in their clients.

[ Parent ]
Re: Don't do it yourself!! (4.00 / 1) (#32)
by deuteron on Mon Jul 17, 2000 at 06:52:42 PM EST

because jabber JID's are email-like (user@server/resource), it wouldn't be hard to (P)GP(G) encrypt messages. this, obviously, would provide encryption from client to client. i think several projects are in the works to make this happen.

[ Parent ]
The website is up (5.00 / 1) (#22)
by aragorn on Sun Jul 16, 2000 at 05:06:27 PM EST

Having read over the comments posted so far and having had a discussion with a co-conspirator ;-) I have prepared a preliminary web page outlining what we would like to do and why we think it's a good idea. In the course of reading through the comments posted here and doing more research via the links which some of you provided, I have realized that a wholly new IM client unto itself is not an optimal solution to my problem. Rather, I've come to believe that the best course of action would be to lay out a cryptosystem designed specifically for the unique set of conditions imposed by the various IM protocols. I still plan to implement this initially in a minimal client of my own (which will run over various IM networks) but I think that a broader and better ultimate goal would be to provide this cryptosystem to people working on other clients (like Jabber) and possibly get involved in helping to implement it. I'd like to thank everyone that has contributed to this discussion so far. I've learned a lot already and will certainly continue to monitor this discussion for any other ideas or suggestions anyone is willing to lend.

Re: The website is up (linkage here) (none / 0) (#23)
by aragorn on Sun Jul 16, 2000 at 05:40:41 PM EST

Oh aren't I brilliant. Okay, the page is at http://www.aftermath.net/sim/index.html.
I guess that's what I get for not sleeping last night. :)

[ Parent ]
Uhh (1.00 / 1) (#24)
by Neuromancer on Sun Jul 16, 2000 at 08:45:52 PM EST

AIM isn't secure to begin with, there is more than enough eavesdropping going on on that damn network. Also, everybuddy and jabber are out there. If you want secure, write an encrypted client :-)

console clients (1.00 / 1) (#25)
by semis on Mon Jul 17, 2000 at 10:49:57 AM EST

Hi. While we are on the topic of instant messangers.. I'm trying to find a decent console icq or jabber client.

zicq and its followings are OK, but don't show up correctly on all kinds of terminals.. and also are sometims a bit buggy and cumbersome.

Jabber sounds really good.. but I haven't found any console clients. What I'm really after would be some kind of script for my irc client that can plug in to icq, aol etc.. this way I can have a nice mature interface, and talk to all my friends :)

I mean.. why should I have to run a different client just because my friends don't know how to use IRC?

I.

micq (none / 0) (#26)
by l4m3 on Mon Jul 17, 2000 at 11:19:26 AM EST

zicq is actually a fork fromthe micq project. micq is a cli icq clone that can be compiled without curses or slang support.

Last I used it did not support file transfers or icq chat sessions, but those are not normally expected from a command line version. The only drawback I know of in my use of the client is it does not as of version 0.4.4 support large messages (>512bytes).

It's a great program though, and one of the more common ways I chat with others on ICQ I have mainly been running it from a 486sx33 black and white laptop and it works fine, even from there.

[ Parent ]
IM and IRC (none / 0) (#28)
by mbrubeck on Mon Jul 17, 2000 at 03:26:50 PM EST

It's not quite what you want, but if your friends are using Jabber then the Jabber IRC Transport will allow them to join an IRC channel. Then you can chat at them through your favorite IRC client while they use their Jabber client. The transport is still in development, but it works.

This doesn't help for users of the other IM networks, though.

[ Parent ]

svc_irc (4.00 / 1) (#31)
by Eimi on Mon Jul 17, 2000 at 06:07:08 PM EST

Try connecting to port 6667 on irc.jabber.org. The Jabber server acts as an irc server for you. Use your user name as your nick, and if your irc client supports passwords, you can put your password in that way. Otherwise it will as you. I actually use this on a daily basis (from X-Chat). It's a bit buggy, but for the most part works really well. I just wish it were better documented, since no one seems to know about it.

[ Parent ]
Python, Jabber, and the Python Cryptography Toolki (none / 0) (#29)
by Anonymous Hero on Mon Jul 17, 2000 at 03:36:20 PM EST

You may want to consider Python as your implementation language. The Python Cryptography Toolkit (PCT) provides most of the cryptographic goodies you might want (most of the cryptographic functionality is in the form of bindings to OpenSSL). RSA, ElGamal, DSA, Blowfish, CAST, DES, IDEA, etc. encryption schemes have bindings. Hashes such as MD5 and SHA-1 also have bindings. Diffie-Hellman is not implemented, but is trivial to do so with Python's long numbers (read: bignum). The authors are currently busy with other things at the moment, so the documentation is a little stale and parts are unimplemented (like the chaffing/winnowing protocol and a really good random number generator). A Python implementation of Bruce Schneier and co.'s Yarrow-160 cryptographic PRNG is available as part of Pisces, an SPKI implementation built on top of the PCT.

A Python library for Jabber exists at http://download.jabber.org/python/PyJabber-1.0.RC2.tar.gz . No Python client exists yet beyond the test client (to my knowledge).

Personally, I'm going to be working on both of these projects for my own benefit and enjoyment. Should you decide to use these tools, I would be more than willing to assist with your project since its goals would then coincide with some of mine.

Robert Kern



Everybuddy and Java and encryption (none / 0) (#30)
by detroit on Mon Jul 17, 2000 at 06:05:08 PM EST

I'd kinda like to see a good encrypted im client too. I was playing with some code from a Java port of everybuddy, trying to outline what a java-based universal im could do, and that was one thought. Public key between clients.
Even if jabber starts using ssl, it's only between server and client, and ignores the server/server routes. Jabber may or may not hold my logins/passwords, and even when using aim/yahoo/everybuddy, they're still plaintext or a trivial encoding. I think the best option would be to put a layer on top of the existing messenger systems, esp on some universal, client-based messenger, to do public key (or similar) protection on all messages sent to and fro. The other party would have to have the same software, or if it's just gpg/pgp, a similar module to scramble/descramble messages.
I'm a java junkie, and since it's growing and inherently cross-platform, I'd like to create a universal gui with that (or at least port someone else's efforts, like everybuddy). It'd be an interesting opp to work with the net and crypto packages...

Jeff

a friend and I are working on this (none / 0) (#33)
by thomas on Tue Jul 18, 2000 at 05:53:33 AM EST

A friend and I are working on an open-source IM project... the NetMSG project (netmsg.sourceforge.net). At the moment, it's in the extreme infant stages; I'm hoping to have a prototype of a basic, fully-extensible fully-scriptable client up in a few weeks.

I'm hoping to make this completely platform-independent; most of the scripts & modules should run perfectly under console, X, windoze, and whatever. The scripting language will probably be TCL. I'll probably also include a feature whereby the client will automatically download and install modules (from the other party) to handle extended message types that it doesn't understand; after, of course, attempting to check an online trojan database and after asking the user if it's ok :-)

As for encryption; while that's not really my domain, I'm hoping to include some form of public-key as early as possible.

I'll probably post a seperate write-up on this in a few weeks, once the first prototype exists; but for now, feel free to add your own comments, here or in the web forums on the sourceforge project page.

War never determines who is right; only who is left.

A Secure, Open Source Instant Messenger? | 34 comments (34 topical, 0 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!