Can instant messenger conversations be monitored?

3

On the ISP level, how can someone monitor messenger talks? Isn't the p2p architecture immune to such surveillance? And how do different instant messaging clients compare in that sense?

ouais

Posted 2011-04-27T22:08:13.697

Reputation: 33

Answers

5

Yes, they can be monitored by anyone along the path of the conversation. There are steps that can be taken to mitigate this. For example, Pidgin with either the Pidgin Encryption or OTR plugins can be used to set up encrypted channels between the two endpoints. It also works with chat services such as GTalk, AIM, MSN, etc., where the infrastructure is managed by a third party.

Xenoactive

Posted 2011-04-27T22:08:13.697

Reputation: 992

Aren't any of the chat services secure? Does SSL encryption mitigate any of this? As far as I know it should – ouais – 2011-04-27T22:19:07.853

SSL terminates at the server/provider. So in theory an inside person could still monitor it. OTR is the only truly secure method. – Keith – 2011-04-27T22:29:23.350

Could you please explain what "terminates at the server" means? – ouais – 2011-04-28T18:44:02.033

It basically means that the server decrypts the communications. For example, on a client/server chat network, the client sends the chat text to the server, which then relays it to the other end of the conversation. If the service offers SSL encryption, then each client maintains an independent encrypted session. The server in the middle decrypts and re-encrypts. You can overcome this with something like Pidgin Encryption or OTR, which in essence inserts another layer of encryption that only the two people can decrypt. – Xenoactive – 2011-05-07T03:20:02.270

0

All of your outgoing traffic goes through your ISP's wire. Unless that traffic is encrypted with pre-shared keys that have never been exchanged over that wire, your ISP can monitor anything. Indeed, all the routers that your traffic goes through can do so.

If the chat server offered an SSL service, your traffic would be encrypted using its certificate. However, since the chat service can decrypt your traffic (because it's the one encrypting it), it can monitor your chat traffic. This takes your ISP out of the loop but forces you to trust your chat server and also the issuing authority of the SSL certificate.

p2p isn't inherently secure because your outgoing traffic is still hitting your ISP's wire, unless it is encrypted with pre-shared keys that have never been exchanged over that wire. p2p encryption relies on a key or "certificate" offered by the other peer you are connecting to. This takes your ISP out of the loop, but forces you to trust the other peer.

TL;DR: Listen to @Xenoactive.

LawrenceC

Posted 2011-04-27T22:08:13.697

Reputation: 63 487

Secure key negotiation over an open wire is completely possible. The problem is with authenticating who you're actually talking to. – Ben Voigt – 2011-04-27T23:50:27.817

See Diffie-Hellman key exchange. – Hello71 – 2011-04-28T00:36:01.323
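The following is an added example, not code from any of the posts above or from Pidgin/OTR. It models the "server decrypts and re-encrypts" relay described in the comments on the first answer, and the Diffie-Hellman negotiation mentioned in the last two comments, to show what the server can log with and without an end-to-end layer. The group parameters, the toy cipher and the names `Relay` and `run` are assumptions made for the demonstration.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (assumption for this demo): p = 2**255 - 19 is prime, g = 2.
# Real software uses vetted groups or curves from a cryptographic library.
P, G = 2**255 - 19, 2

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for the real ciphers."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    # Both endpoints reach the same value; an observer of the public values alone does not.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

class Relay:
    """Chat server: holds one transport key per client, decrypts and re-encrypts."""
    def __init__(self, key_a: bytes, key_b: bytes):
        self.key_a, self.key_b = key_a, key_b
        self.seen = []  # everything the server could log

    def forward(self, nonce: bytes, wire_from_a: bytes) -> bytes:
        payload = keystream_xor(self.key_a, nonce, wire_from_a)  # transport layer ends here
        self.seen.append(payload)
        return keystream_xor(self.key_b, nonce, payload)         # new session towards B

def run(message: bytes, end_to_end: bool):
    """Send message A -> relay -> B; return (what the relay saw, what B read)."""
    ta, tb = secrets.token_bytes(32), secrets.token_bytes(32)  # per-client transport keys
    relay = Relay(ta, tb)
    nonce, payload = secrets.token_bytes(12), message
    if end_to_end:
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        # Only a_pub and b_pub cross the wire. This exchange is unauthenticated:
        # the endpoints still have to verify each other's keys out of band.
        payload = keystream_xor(dh_shared(a_priv, b_pub), b"e2e" + nonce, message)
    wire_to_b = relay.forward(nonce, keystream_xor(ta, nonce, payload))
    at_b = keystream_xor(tb, nonce, wire_to_b)
    if end_to_end:
        at_b = keystream_xor(dh_shared(b_priv, a_pub), b"e2e" + nonce, at_b)
    return relay.seen[0], at_b
```

Calling `run(b"meet at noon", end_to_end=False)` returns the plaintext as the relay's view, while `end_to_end=True` leaves the relay with ciphertext only and B still reads the message.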