Re: [Fed-Talk] iChat Encryption in Lion
- Subject: Re: [Fed-Talk] iChat Encryption in Lion
- From: Shawn Geddis <email@hidden>
- Date: Wed, 04 Jan 2012 15:35:03 -0500
Folks,
There seems to be confusion and then confusion compounded by partial responses. Please accept the following to help clear things up as to the references made here.
Method "previously available" for obtaining a MobileMe iChat Identity
  a) iChat Client "A" enables encryption via Preferences->Accounts
     - Receives a MobileMe provisioned X.509 Identity for iChat Signing and Encryption
       Common Name: <user name>
       Extended Key Usage:
         Client Authentication (1.3.6.1.5.5.7.3.2)
         Apple iChat Signing (1.2.840.113635.100.4.2)
         Apple iChat Encryption (1.2.840.113635.100.4.3)
  b) iChat Client "B" enables encryption via same method as "A"

NOTE: It was/is also possible for folks to create these identities using "Certificate Assistant" for use with iChat on Mac OS X 10.6.
iChat "Encryption" came in multiple forms, but with different intent:

1) iChat Client "A" <===> iChat Client "B" (direct Point-to-Point)
  a) iChat Client "A" selects iChat Client "B" to send Comms (txt, audio, video)
  b) iChat Client "A" encrypts content using recipient's public key from MobileMe Certificate
     Content is sent directly to iChat Client "B" (point-to-point)
     NOTE: This is why folks had to open up additional Firewall ports for Audio/Video to work
  c) iChat Client "B" receives the encrypted content and decrypts it using their corresponding private key
  d) ... the process continues back and forth...

  OS X Lion:
     Use FaceTime to perform the same encrypted Audio/Video between OS X/iOS clients

2) iChat Client "A" <== "AOL" ==> iChat Client "B"
  a) iChat Client "A" selects iChat Client "B" to send Text Messages
  b) iChat Client "A" encrypts content using recipient's public key from MobileMe Certificate
  c) Content is sent from iChat Client "A" through AOL (api.oscar.aol.com) to iChat Client "B"
  d) iChat Client "B" receives the encrypted content and decrypts it using their corresponding private key
  e) ... the process continues back and forth...

  OS X Lion:
     Select "Use SSL" setting in Preferences->Accounts->Server Settings to encrypt channel
     This is the same as having a Browser-based SSL communication
     AOL Servers can access content, since this is comms between Client-Server

3) iChat Client "A" <== Jabber Server ==> iChat Client "B"
  a) Jabber Server Admin configures Server to enable SSL - Server Cert (default: port 443)
  b) iChat Client "A" selects iChat Client "B" to send Text Messages
  c) Content is sent from iChat Client "A" to Jabber Server using SSL
  d) Content is sent from Jabber Server to iChat Client "B" using SSL

  OS X Lion:
     This is still available.
Relevant Apple Knowledge Base Articles that should be helpful:
MobileMe: "Secure iChat" is unavailable in OS X Lion
http://support.apple.com/kb/TS3902
Creating a Secure iChat certificate
http://docs.info.apple.com/article.html?path=MobileMeBack/Account/en/acct17035.html
iChat 5.0 Help
============
- Setting up secure chatting
http://docs.info.apple.com/article.html?path=iChat/5.0/en/9759.html
- Security pane of Accounts preferences
http://docs.info.apple.com/article.html?path=iChat/5.0/en/20004.html
- Revoking a Secure iChat certificate
http://docs.info.apple.com/article.html?path=iChat/5.0/en/9771.html
- If you're having problems with secure chatting
http://docs.info.apple.com/article.html?path=iChat/5.0/en/9770.html
- Sending messages directly to another person
http://docs.info.apple.com/article.html?path=iChat/5.0/en/9718.html
- Sharing your screen with a buddy
http://docs.info.apple.com/article.html?path=iChat/5.0/en/11883.html
- About screen sharing security
http://docs.info.apple.com/article.html?path=iChat/5.0/en/17157.html
- About video chatting with AIM buddies
http://docs.info.apple.com/article.html?path=iChat/5.0/en/9758.html
-Shawn
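As an added example (not code from the original message or from Apple), the following stand-alone Python checks whether an identity's Extended Key Usage carries the Apple iChat Signing and Encryption OIDs named above. It encodes and decodes only the EKU extension value itself (the DER SEQUENCE OF OBJECT IDENTIFIER), so it works offline on a constructed sample rather than a real MobileMe certificate; the function names are this example's own.

```python
# Added example, not code from the original thread: minimal DER encode/decode for an X.509
# Extended Key Usage value (SEQUENCE OF OBJECT IDENTIFIER), checking for the Apple iChat
# Signing/Encryption EKUs listed above. Stdlib only; the sample EKU bytes are constructed.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ICHAT_SIGNING = "1.2.840.113635.100.4.2"
ICHAT_ENCRYPTION = "1.2.840.113635.100.4.3"

def _base128(n):
    out = [n & 0x7F]                       # final septet carries no continuation bit
    while n := n >> 7:
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(map(_base128, arcs[2:]))
    return bytes([0x06, len(body)]) + body  # short-form length: body is < 128 bytes

def encode_eku(oids):
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body  # assumption: total EKU body < 128 bytes

def decode_oid(body):
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("truncated OID")
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))

def decode_eku(der):
    """Return the dotted OIDs in an EKU value; malformed or truncated input raises."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form EKU SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if pos + 1 >= len(der) or der[pos] != 0x06 or pos + 2 + der[pos + 1] > len(der):
            raise ValueError("bad OBJECT IDENTIFIER at offset %d" % pos)
        length = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def ichat_capable(der):
    """True only when both Apple iChat Signing and Encryption EKUs are present."""
    return {ICHAT_SIGNING, ICHAT_ENCRYPTION} <= set(decode_eku(der))

SAMPLE_EKU = encode_eku([CLIENT_AUTH, ICHAT_SIGNING, ICHAT_ENCRYPTION])  # constructed sample
```

To run this against a real certificate, feed it the raw value of the EKU extension (OID 2.5.29.37) as extracted by your X.509 tooling; a certificate with only Client Authentication decodes cleanly but fails ichat_capable.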
On Jan 3, 2012, at 12:06 PM, Joel Esler wrote:
> No, it is not safe. I think the 443 may be the authentication piece.
>
> As one of the people that writes detection for Snort, no, AIM is not encrypted.
>
> J
>
> On Dec 20, 2011, at 12:04 PM, Pike, Michael (IHS/HQ) wrote:
>
>> but it is safe to say that local sniffing is not possible?
>>
>> On Dec 20, 2011, at 7:52 AM, Danziger, Alan D. wrote:
>>
>>> Not really - you're conflating "travels over encrypted pipe" (SSL) vs.
>>> "Contents are encrypted between sender and recipient" (secure chat).
>>>
>>> Misleading would be implying that you ARE fully secured, just because the
>>> pipe between you and the chat server is secure. If a vendor is to err, I
>>> strongly prefer they imply something is less secure than it actually is,
>>> than the vice versa.
>>>
>>> -=Alan
>>>
>>> On 12/19/11 11:04 PM, "Pike, Michael (IHS/HQ)" <email@hidden>
>>> wrote:
>>>
>>>> Then why does it communicate with Oscar.aol.com on
>>>> SSL? Port 443?
>>>>
>>>> Isn't that misleading?
>>>>
>>>> Transcribed by Siri on my iPhone 4S
>>>>
>>>> On Dec 19, 2011, at 7:19 PM, "Ruben Brochner"
>>>> <email@hidden> wrote:
>>>>
>>>> For OS X Lion, see:
>>>> "MobileMe: 'Secure iChat' is unavailable in OS X Lion"
>>>> http://support.apple.com/kb/TS3902
>>>>
>>>> For 10.4.3 through 10.6.8, see:
>>>> "MobileMe: Setting up and troubleshooting secure iChat"
>>>> http://support.apple.com/kb/HT1952
>>>>
>>>> - Ruben
>>>>
>>>> On Dec 19, 2011, at 5:42 PM, Pike, Michael (IHS/HQ) wrote:
>>>>
>>>> I looked all around, and there was a support article on Apple's website
>>>> which is now gone, so I am hoping someone here can answer it.
>>>>
>>>> iChat used to have an encryption mechanism, however, since upgrading to
>>>> Lion it is gone. I did however notice SSL on port 443 is used for the
>>>> Oscar aim server...
>>>>
>>>> Can anyone on here confirm or deny that traffic is being encrypted
>>>> between chats? Or is it subject to network sniffing?
>>>>
>>>> Thanks,
>>>> Mike