Additionally, some IRC servers allow SSL connections -- the ones I've seen use port 994 (ircs). Trillian also can do encrypted DCC (which is, besides the initial handshake, handled by the two clients instead of the server). AIM has no native support for encrypted connections (or, if it does, I have never seen it used); Trillian allows two users (each with the Trillian client) to communicate securely via SSL. apl ----- Original Message ----- From: "Nick Lange" <nicklangeat_private> To: "Alex Lambert" <alambertat_private> Cc: <vuln-devat_private> Sent: Tuesday, August 06, 2002 12:31 PM Subject: Re: In regards to the insecurity of AOL Instant Messenger > Trillian allows SSL over AIM protocol [or did allow in .72, haven't checked > the RC1 release yet]. > lICQ allowed SSL over ICQ as well... > so it's there if you're willing to use alternative clients, but most people > don't. > nick > ----- Original Message ----- > From: "Alex Lambert" <alambertat_private> > To: "Adam Carr" <itsacarrat_private>; <vuln-devat_private> > Sent: Tuesday, August 06, 2002 11:15 AM > Subject: Re: In regards to the insecurity of AOL Instant Messenger > > > > > Now my question, is how secure are normal "ims" on AIM. How difficult = > > > would it be to listen to anothers msgs and if at all possible, how could > = > > > this be fixed.=20 > > > > "msgsnarf records selected messages from AOL Instant Mes- > > senger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger > > chat sessions." (msgsnarf(8) manpage) > > > > AFAIK, none of the above protocols are usually encrypted. dsniff > > (http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz) can pick them > up. > > > > > > > > apl > > ----- Original Message ----- > > From: "Adam Carr" <itsacarrat_private> > > To: <vuln-devat_private> > > Sent: Monday, August 05, 2002 5:58 PM > > Subject: In regards to the insecurity of AOL Instant Messenger > > > > > > > After seeing the recent emails about the hide windows while away = > > > function while I don't quite understand that as a security threat this = > > > does remind me of other insecurities of AIM and some questions I had as > = > > > well. > > > > > > The first threat to AIM users that I am aware of and have tested myself > = > > > is under Direct Connects with another user. With a targets ip, it is not > = > > > difficult at all to intercept the dcc's messages and to input your own. > = > > > Quite frightening. A simple fix is to change the port which AIM direct = > > > connects on. Seeing as how my explanations are not that great I invite = > > > anyone else who is aware of this to explain that flaw in AIM. > > > > > > Now my question, is how secure are normal "ims" on AIM. How difficult = > > > would it be to listen to anothers msgs and if at all possible, how could > = > > > this be fixed.=20 > > > > > > I know AIM has\had it's share of other vulnerabilities so please speak = > > > up if you know of any. Thanks ... > > > > > > Cheers ... > > > Adam > > > > > > > > > > > > > > > > > > >
This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 13:03:59 PDT