Image of the glider from the Game of Life by John Conway
Skip to content

Streamline Client Encryption Before I Lose My Mind

I am getting really frustrated with encrypting conversations between differing IM clients. Why in the world does this have to be so difficult? First, let's talk about the principle of the matter. Then we'll get into the nitty-gritty.

Regardless of who I am talking to, regardless of what instant messaging client I am using, and regardless of what protocol I am using, I should be able to protect my conversation from the prying eyes of others. There shouldn't be any hassle on what to implement and what encryption software to use, even though the algorithm would have to be the same, obviously.

In other words, in a perfect IM world, I should be able to log into the Jabber network using the Gajim client on Linux, and talk to Joe, who is using the Adium X client on his Mac, and have an encrypted conversation. The conversation would employ public key cryptography using GPG as the encryption standard. However, there should be no issue using PGP and GPG together. If I can most certainly use the two together when encrypting and decrypting files, then chats should be no different.

Now, in the real world, I can't have an encrypted conversation with Joe, because the plugin for Adium X doesn't play nice with my encryption capabilities on Gajim, Gaim, Psi, (insert favorite client here). Just tell him to use Gaim, or a client I am using, right? Wrong!! This just isn't a headache for Mac users, it's a headache for EVERY different IM client that utilizes encryption. The only two that I know that play well together is Gajim and Psi. And that is only the case, because they were both built using the same API's.

So, let's look at the nitty-gritty of it all. I'm a Jabber user, so I'll review Jabber clients.

Gaim has three options. There is the Gaim-encryption plugin, the Off-The-Record (OTR) plugin and the Gaim-e plugin. The Gaim-e plugin is the only plugin that uses your personal GPG key that you already have (if you created one, obviously). Unfortunately, it looks like the project is no longer in development, as the SourceForge page has been down for some time. The other two plugins, Gaim-encryption and OTR, use their own standards for encrypting. This means that unless the buddy you are chatting with is also using Gaim and using the matching plugin, it won't work. So even though Gaim may be the all-in-one for all your personal needs, it seems to be the client that creates the most issues for other users. Just because it may be the most widely used, does not mean it can do it's own thing in this regard.

Gajim and Psi are much less headache prone. For one, they started off on the right foot. They are completely different Jabber clients, and yet they play very well with each other with regards to encryption. They both utilize your personal GPG key pair. This is very handy, because not only is a standard developed, I don't have to use the client to decrypt the conversation. As I log all of my chats, I can decrypt the conversation without the need of the client. This is very handy. They may not be the all-in-one solution that Gaim is (multi-protocol, IRC, etc), but they work and do a good job at it. Unfortunately, Gaim (except for Gaim-e) and other clients and plugins don't play at all with Gajim and Psi. Does this mean that I have to have 2 or 3 or 4 clients installed to have encrypted conversations with different people? I shouldn't have to, I can tell you that.

I could continue with other clients, both proprietary and FOSS, but suffice it to say, encryption interoperability between clients is a pain. I shouldn't have to alienate contacts in my buddy list because they use a different client than I do or a different plugin. So, here is what I propose to streamline the process:

  • Utilize your personal GPG key. So Gaim makes it easy with a simple plugin to install. When it comes to encryption, easy usually means weakening security. Besides, if someone is interested in encrypting their conversations, chances are that they will do what is necessary, which would mean creating a personal GPG key. Now they have one key, not several, for email, files, and chats. They key should also be used regardless of messaging protocol.
  • Utilize the same API and protocol for the key exchange. Even if a personal GPG key is created, it is useless if different clients cannot communicate with the keys. This means the transport of the public key to the other client needs to be streamlined in one API. Gajim and Psi are the perfect example of such an exchange.
  • Make the IM encryption standard platform independent.Finally, the above two standards aren't completely functional if they can't be implemented across several platforms. This includes Linux, Macintosh, Windows, *BSD, Solaris, etc. This standard should be the defining crux of all three. By doing so, this ensures that the most people are reached, and that the least amount of headache is created. Keeping these standards platform independent really is the most important of the three

There should be a governing body in place that sees these ideals as I do. If not, I am willing to start one if anyone would be interested helping me. I wouldn't know how though, and I do have other responsibilities. Still, I think such a body should be in place, whether I start it or not.

Now, I am sure that you have all sorts of concerns or insights regarding this post. Please, please, I am interested in what they are. Comment below and let them be heard. Thanks.

UPDATE: I just learned that Adium X uses the OTR plugin that Gaim can also use. Those two clients can communicate securely. This is a step in the right direction, although not perfect.

{ 9 } Comments

  1. Doran Barton | July 19, 2006 at 1:41 pm | Permalink

    I'm confused because I thought you quit using any non-Jabber IM service. Jabber, of course, supports SSL-based encryption nativey. Why are you concerned about encryption plugins if all you're using is Jabber - which supports encryption natively? I'm confused.

  2. Aaron | July 19, 2006 at 2:22 pm | Permalink

    True, but as far as I am aware, using your Gmail account on Jabber, there is no SSL support. Everything is sent and stored in plain text.

    Also, that is great for Jabber users, but what about MSN, Yahoo, AOL, ICQ, Novell, and other proprietary protocol users who want to use encryption. What about the Jabber users who use the legacy transports to connect to those protocols. There are more concerns than just "use SSL".

    While I am just using Jabber, and SSL may be an option outside of Gmail, this doen't help the millions of other IM users.

  3. Andrew | August 7, 2006 at 10:22 am | Permalink

    Apparently you can use windows, trillian and otr together as well. Although it looks like a bit of a hack.

  4. Bauer Fichtner | February 21, 2007 at 3:28 pm | Permalink

    Just for your information: Kopete does support gpg-encryption and works well with gajim and psi. gpg-encryption is broken in latest realease (0.12.4), but everything

  5. Bauer Fichtner | February 21, 2007 at 3:30 pm | Permalink
  6. afsar jamal | March 11, 2008 at 2:28 am | Permalink

    i,have much mind power and i am sure that i can help any one on any matter by ideas , suggestion, advice,
    and also by any other means if any one want then do contact me at my e-mail . i assure you all that u will get
    profit from my side

  7. afsar jamal | March 11, 2008 at 2:29 am | Permalink

    my id is

  8. ZOG | June 6, 2008 at 11:45 pm | Permalink

    an apparently minor upgrade on psi recently seemed to completely break, or at least change its method of encryption with pretty much no documentation or instruction on how to fix it.
    gajim seems to go in and out of encrypted mode completely randomly without giving any indication WHY, the only way I could tell it wasn't encrypting messages when the other person was marked away was to do a packet trace. All of this kind of behavour is crap.. if encyrption is selected they should either encrypt, or refuse ot work at all if there is a problem with a big error message telling you exactly why it doesn't work, not just silently disabling encryption on you.

  9. rabbitambulance | July 24, 2009 at 4:10 am | Permalink

    So now it's three years after, and it hasn't gotten better AFAICT.
    In fact, a friend and me both use Psi+GPG, and now not even that will work. I'm starting to lose faith in the whole open source thing.

{ 2 } Trackbacks

  1. [...] to standards. In fact, the specification that I think should be adhered to the most, isn’t. I’ve blogged about this before, so I apologize to the planets that I am syndicated to in advance for duplicating content. However, [...]

  2. [...] to standards. In fact, the specification that I think should be adhered to the most, isn’t. I’ve blogged about this before, so I apologize to the planets that I am syndicated to in advance for duplicating content. However, [...]

Post a Comment

Your email is never published nor shared.