Image of the glider from the Game of Life by John Conway
Skip to content
{ 2006 07 19 }

Streamline Client Encryption Before I Lose My Mind

I am getting really frustrated with encrypting conversations between differing IM clients. Why in the world does this have to be so difficult? First, let's talk about the principle of the matter. Then we'll get into the nitty-gritty.

Regardless of who I am talking to, regardless of what instant messaging client I am using, and regardless of what protocol I am using, I should be able to protect my conversation from the prying eyes of others. There shouldn't be any hassle on what to implement and what encryption software to use, even though the algorithm would have to be the same, obviously.

In other words, in a perfect IM world, I should be able to log into the Jabber network using the Gajim client on Linux, and talk to Joe, who is using the Adium X client on his Mac, and have an encrypted conversation. The conversation would employ public key cryptography using GPG as the encryption standard. However, there should be no issue using PGP and GPG together. If I can most certainly use the two together when encrypting and decrypting files, then chats should be no different.

Now, in the real world, I can't have an encrypted conversation with Joe, because the plugin for Adium X doesn't play nice with my encryption capabilities on Gajim, Gaim, Psi, (insert favorite client here). Just tell him to use Gaim, or a client I am using, right? Wrong!! This just isn't a headache for Mac users, it's a headache for EVERY different IM client that utilizes encryption. The only two that I know that play well together is Gajim and Psi. And that is only the case, because they were both built using the same API's.

So, let's look at the nitty-gritty of it all. I'm a Jabber user, so I'll review Jabber clients.

Gaim has three options. There is the Gaim-encryption plugin, the Off-The-Record (OTR) plugin and the Gaim-e plugin. The Gaim-e plugin is the only plugin that uses your personal GPG key that you already have (if you created one, obviously). Unfortunately, it looks like the project is no longer in development, as the SourceForge page has been down for some time. The other two plugins, Gaim-encryption and OTR, use their own standards for encrypting. This means that unless the buddy you are chatting with is also using Gaim and using the matching plugin, it won't work. So even though Gaim may be the all-in-one for all your personal needs, it seems to be the client that creates the most issues for other users. Just because it may be the most widely used, does not mean it can do it's own thing in this regard.

Gajim and Psi are much less headache prone. For one, they started off on the right foot. They are completely different Jabber clients, and yet they play very well with each other with regards to encryption. They both utilize your personal GPG key pair. This is very handy, because not only is a standard developed, I don't have to use the client to decrypt the conversation. As I log all of my chats, I can decrypt the conversation without the need of the client. This is very handy. They may not be the all-in-one solution that Gaim is (multi-protocol, IRC, etc), but they work and do a good job at it. Unfortunately, Gaim (except for Gaim-e) and other clients and plugins don't play at all with Gajim and Psi. Does this mean that I have to have 2 or 3 or 4 clients installed to have encrypted conversations with different people? I shouldn't have to, I can tell you that.

I could continue with other clients, both proprietary and FOSS, but suffice it to say, encryption interoperability between clients is a pain. I shouldn't have to alienate contacts in my buddy list because they use a different client than I do or a different plugin. So, here is what I propose to streamline the process:

  • Utilize your personal GPG key. So Gaim makes it easy with a simple plugin to install. When it comes to encryption, easy usually means weakening security. Besides, if someone is interested in encrypting their conversations, chances are that they will do what is necessary, which would mean creating a personal GPG key. Now they have one key, not several, for email, files, and chats. They key should also be used regardless of messaging protocol.
  • Utilize the same API and protocol for the key exchange. Even if a personal GPG key is created, it is useless if different clients cannot communicate with the keys. This means the transport of the public key to the other client needs to be streamlined in one API. Gajim and Psi are the perfect example of such an exchange.
  • Make the IM encryption standard platform independent.Finally, the above two standards aren't completely functional if they can't be implemented across several platforms. This includes Linux, Macintosh, Windows, *BSD, Solaris, etc. This standard should be the defining crux of all three. By doing so, this ensures that the most people are reached, and that the least amount of headache is created. Keeping these standards platform independent really is the most important of the three

There should be a governing body in place that sees these ideals as I do. If not, I am willing to start one if anyone would be interested helping me. I wouldn't know how though, and I do have other responsibilities. Still, I think such a body should be in place, whether I start it or not.

Now, I am sure that you have all sorts of concerns or insights regarding this post. Please, please, I am interested in what they are. Comment below and let them be heard. Thanks.

UPDATE: I just learned that Adium X uses the OTR plugin that Gaim can also use. Those two clients can communicate securely. This is a step in the right direction, although not perfect.

Posted by Aaron Toponce on Wednesday, July 19, 2006, at 8:36 am. Filed under Gaim, Jabber, Linux, OSS, Security. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. For IM, Email or Microblogs, here is the Shortlink.

{ 9 } Comments