Why no Firesheep for IM?

Written 7 years ago by Mike Cardwell

I recently switched to using Off-the-Record to encrypt my instant messaging communications when possible. I don’t particularly have anything to hide, but why should I rely on the security of my IM providers to protect the privacy of my conversations, when I can secure it myself? This got me thinking about the security of the network protocols used by the various IM clients which are in common use today.

I found a useful survey on CNET from a couple of years ago which provides a lot of interesting information about what is encrypted and what isn’t. ICQ, Windows Live Messenger and Yahoo Messenger all send your conversations in the clear. GTalk, Skype and AIM conversations, on the other hand, go over an encrypted channel. After starting up tcpdump on my laptop and logging into MSN, to my surprise, I started seeing the email addresses of my MSN friends flying over the network in the clear! A nosey sysadmin’s dream. One thing that surprised me is that all of these IM services claimed that they don’t log the content of conversations; I expected them all to be hoarding conversation data.

Firesheep has been out for over a week. If somebody’s looking for a quick, easy project to shift the spotlight onto MSN/ICQ/Yahoo, how about ripping apart the Firesheep code and making an equivalent addon for watching IM traffic? Everyone else: Use Google Talk instead of MSN/ICQ/Yahoo; it’s safer. Oh, and check out OTR; even if your private key is compromised, it can’t be used to recover old conversations. It’s neat technology.

