AIM Security


Overview

Every time you send an instant message, there is a chance that someone snooping around on the Internet can view its contents (especially thanks to programs like AIM Sniff). Also, by default all of your messages will pass through AOL's instant messenger server. This is significant because the AIM Terms of Service has recently (as of March 3, 2005) been updated to revoke any expectation of privacy that you might have had:

In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy.

To prevent instant messages from falling into the wrong hands, all versions of AOL Instant Messenger software since 5.2 have support for encrypted instant messages. The target audience of this new technology has been corporations, who will buy Personal Certificates for all of their employees. However, this technology can also be leveraged by the general public. To date, this is the simplest and most secure free method of encrypting instant messages via AIM.

As featured in Slate.


Get your AIM Personal Certificate

Download the source code (.pl)

CC-GNU GPL
This software is licensed under the CC-GNU GPL.

Technical Details

The motivation for creating this page was to provide a simple and secure means of encrypting instant messages using the built-in function of AOL Instant Messenger 5.2-5.9. AIM Pro includes built-in encryption as well, but it is not as secure: it does use the industry-standard TLS encryption technology, but TLS only encrypts the link between the AIM client and the server, so conversations can still be recorded on the AIM server, unlike the end-to-end solution offered in the 5.x versions. While other services are out there, such as AIM Encrypt, they are also fundamentally flawed (PDF): by issuing the exact same certificate to all users, the encryption can be defeated, since every user holds the same key material. At best, these provide only a data 'scrambling' technique. The process implemented here is different because each certificate is generated 'on the fly' (using OpenSSL) based on the user's input, resulting in a customized certificate for each user. The supplied password is never stored on the server and is used only to protect the key from unauthorized use. This provides the same level of security as commercially available certificates, except that these are self-signed (see FAQ). If you have concerns about the security of this method please contact me.

FAQ

Q. What operating systems does this work on?

A. This has been tested using AIM 5.2.3292 and 5.9.3690 for Windows. Theoretically, it should also work on any version of the AIM client that supports AOL's method of encryption.

Q. How do I know my conversation is encrypted?

A. In the instant message window, you will explicitly see a message that says:

Encrypted conversation. Messages from "YourBuddysName" are signed by ____________.

Conversations can only be encrypted if both buddies have a certificate.

Q. Will this certificate work with the ones issued by AIM Encrypt and the like?

A. Yes! Because all AIM clients use the same standard encryption method, any certificate will work for encryption. Note, however, that if your buddy uses AIM Encrypt, any messages you encrypt (send) to that buddy use AIM Encrypt's flawed method. To solve this, get your buddy to get a real certificate right here!

Q. During my conversation I see a message that says "warning un-trusted certificate", is that bad?

A. In general, no. That just means that your buddy is using a self-signed certificate (see next FAQ).

Q. What does self-signed mean?

A. Self-signed indicates that this certificate was created by the person using it. In a general sense, it can affect the overall security of a system, but it does not ever result in weaker encryption techniques. A standard security certificate has a third party verify that the user of the certificate is indeed who it claims to be. For instance, there is no one stopping your friend from creating a certificate with your name, e-mail, screenname, etc. Your AIM password protects you from this type of deception.
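The following shell script is an added example, not the Perl source offered on this page. It walks through what the Technical Details section describes (a per-user self-signed certificate generated on the fly with OpenSSL, with the private key protected by the user's password and that password never stored anywhere) and adds the check a self-signed setup needs, as discussed in the FAQ above: a SHA-256 fingerprint that buddies can compare out of band, since no third party vouches for the certificate. It assumes the client imports a PKCS#12 (.p12) bundle, which the page does not state, and the screen name, e-mail address and password are constructed sample values.

```shell
#!/bin/sh
# Added example, not the page's own Perl script: create a per-user self-signed
# AIM certificate with the openssl command-line tool, keep the private key
# encrypted under the user's password, bundle key and certificate, and print a
# SHA-256 fingerprint that buddies can compare over another channel.
# Assumptions (not stated on the page): the client imports a PKCS#12 bundle;
# the screen name, e-mail and password used below are constructed samples.

# make_aim_cert SCREEN_NAME EMAIL PASSWORD OUTDIR
# Writes OUTDIR/SCREEN_NAME.key, .crt and .p12; prints the certificate fingerprint.
make_aim_cert() {
  screen_name=$1; email=$2; outdir=$4
  key="$outdir/$screen_name.key"
  crt="$outdir/$screen_name.crt"
  p12="$outdir/$screen_name.p12"

  # The password reaches openssl through the environment rather than as a
  # command-line argument, so it does not show up in the process list.
  AIM_CERT_PASS=$3; export AIM_CERT_PASS

  umask 077               # key material is created readable by its owner only
  mkdir -p "$outdir"

  # Fresh 2048-bit RSA key plus a self-signed certificate naming this user.
  # Without -nodes, the key file itself is encrypted with the password.
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "/CN=$screen_name/emailAddress=$email" \
    -keyout "$key" -out "$crt" -passout env:AIM_CERT_PASS 2>/dev/null

  # PKCS#12 bundle for import into the client, protected by the same password.
  openssl pkcs12 -export -name "$screen_name" -inkey "$key" -in "$crt" \
    -out "$p12" -passin env:AIM_CERT_PASS -passout env:AIM_CERT_PASS

  # Nothing vouches for a self-signed certificate, so the buddy should confirm
  # this fingerprint out of band (phone, in person) before trusting the name.
  openssl x509 -in "$crt" -noout -fingerprint -sha256
}

# read_cert_subject P12 PASSWORD
# Opens the bundle with PASSWORD and prints the certificate subject; exits
# non-zero when the password is wrong, which is why the server never needs
# to keep that password.
read_cert_subject() {
  AIM_CERT_PASS=$2; export AIM_CERT_PASS
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:AIM_CERT_PASS 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# Stand-alone run with a constructed sample user, written to a temporary directory.
if command -v openssl >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  make_aim_cert demo_buddy demo@example.invalid 'correct horse battery' "$demo_dir"
  read_cert_subject "$demo_dir/demo_buddy.p12" 'correct horse battery'
  rm -rf "$demo_dir"
fi
```

The fingerprint is the piece that closes the gap the FAQ describes: a self-signed certificate carrying your name and screen name proves nothing by itself, so comparing the fingerprint with your buddy over a second channel is how you rule out a look-alike certificate made by someone else.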

 





This page was last updated on Wednesday, October 1, 2008

If you have questions, comments, or other feedback about this page send e-mail using the Contact Form.
