# Why no Firesheep for IM?

I recently switched to using [Off-the-Record](https://www.cypherpunks.ca/otr/)
to encrypt my instant messaging communications when possible. I don't
particularly have anything to hide, but why should I rely on the security of my
<abbr title="Instant messaging">IM</abbr> providers to protect the privacy of my
conversations, when I can secure it myself? This got me thinking about the
security of the network protocols used by the various IM clients which are in
common use today.

I found a [useful
survey](https://news.cnet.com/8301-13578_3-9962106-38.html#contentBody) on CNET
from a couple of years ago which provides a lot of interesting information about
what is encrypted and what isn't. ICQ, Windows Live Messenger and Yahoo
Messenger all send your conversations in the clear. GTalk, Skype and AIM
conversations on the other hand, go over an encrypted channel. After starting up
tcpdump on my laptop and logging into MSN, to my surprise, I started seeing the
email addresses of my MSN friends flying over the network in the clear! A nosey
sysadmins dream. One thing that surprised me is that all of these IM services
claimed that they don't log the content of conversations; I expected them all to
be hoarding conversation data.

Firesheep has been out for over a week. If somebodys looking for a quick easy
project to shift the spotlight onto MSN/ICQ/Yahoo, how about ripping apart the
Firesheep code and making an equivalent addon for watching IM traffic? Everyone
else: Use Google Talk instead of MSN/ICQ/Yahoo, it's safer. Oh, and check out
<abbr title="Off-the-Record">OTR</abbr>; even if your private key is
compromised, it can't be used to recover old conversations. It's neat
technology.