Secure instant messaging

From LinuxReviews
Jump to navigationJump to search

Instant messaging on the Internet is a very popular activity. Most people do it. Girls apparently love something called "MSN". But is instant messaging secure? And if now, how do you make it secure?


Few people are aware that most IM protocols used today send everything in plaintext. Yes. In Plain Text. What you write using any popular IM program on the market today is not encrypted, is not private, and is absolutely not limited to you and the person you are talking to.

Todays IM protocols

Alice wants to talk to Bob. Both of them use the same popular IM service.

Alice writes something. This text is then transmitted in plain text to the IM service's server. It is then transmitted in plain text to Bob.

If the advesary is watching Alice's connection locally OR watching the IM services server then the advesary knows that Alice is talking to Bob and also what they are talking about.

The advesary can even interrupt their conversation and pretend to be both Alice and Bob: They write something the advesary don't like, now Alice is talking to the advesary, Bob is talking to the Advesary, but both Alice and Bob think that they are still talking to eachother.

Todays other IM protocols

A few instant messaging clients have support for encryption. A few also support using a socks proxy to hide your location from the adversary. These are widely available, but, sadly, not widely used. Todays secure IM solutions:

Gaim OTR

OTR allows you to have private conversations over instant messaging in a secure way with one unique property: The keys are thrown away after the conversation is over. This means that it is not possible to learn what was said by looking at someones computer after the conversation is over.


GnuPG is a great way to send encrypted e-mail. There are also IM programs who support using IM, including but not limited to PSI.