Re: [Fed-Talk] iChat Encryption in Lion
- Subject: Re: [Fed-Talk] iChat Encryption in Lion
- From: "Pike, Michael (IHS/HQ)" <email@hidden>
- Date: Wed, 04 Jan 2012 21:44:53 +0000
- Thread-topic: [Fed-Talk] iChat Encryption in Lion
By the way, the insult comment was a joke. ;)
Transcribed by Siri on my iPhone 4S
On Jan 4, 2012, at 2:31 PM, "Pike, Michael (IHS/HQ)" <email@hidden> wrote:
> Thanks Shawn!
>
> This helps a lot. I was sweating bullets, as when I saw the "Use SSL" option it led me to believe the traffic was encrypted to AOL and to the client, but I knew AOL could decrypt it if they wanted.
>
> We frequently use iChat to insult others in the office and that would surely suck if it was picked up by an IM snooper :) As long as it leaves my computer and comes in encrypted I am fine... don't think AOL cares what we are saying :)
>
> On another note, I'm not sure of AOL's current financial state, but are there any plans for Apple to run their own "iCloud" chat service (in lieu of AOL)? Another rumor (which I know Apple won't comment on) is that iMessage will be integrated into OS X Lion, which will circumvent the need for iChat between Apple people (and they are the only ones I communicate with anyhow).
>
> Mike
>
> On Jan 4, 2012, at 1:35 PM, Shawn Geddis wrote:
>
>> Folks,
>>
>> There seems to be confusion and then confusion compounded by partial responses. Please accept the following to help clear things up as to the references made here.
>>
>> Method "previously available" for obtaining a MobileMe iChat Identity
>> a) iChat Client "A" enables encryption via Preferences->Accounts
>> - Receives a MobileMe provisioned X.509 Identity for iChat Signing and Encryption
>> Common Name: <user name>
>> Extended Key Usage:
>> Client Authentication (1.3.6.1.5.5.7.3.2)
>> Apple iChat Signing (1.2.840.113635.100.4.2 )
>> Apple iChat Encryption (1.2.840.113635.100.4.3)
>>
>> b) iChat Client "B" enables encryption via same method as "A"
>>
>> NOTE: It was/is also possible for folks to create these identities using "Certificate Assistant"
>> for use with iChat on Mac OS X 10.6.
>>
>> iChat "Encryption" came in multiple forms, but with different intent:
>> 1) iChat Client "A" <===> iChat Client "B" (direct Point-to-Point)
>>
>> a) iChat Client "A" selects iChat Client "B" to send Comms (txt, audio, video)
>>
>> b) iChat Client "A" encrypts content using recipients public key from MobileMe Certificate
>> Content is sent directly to iChat Client "B" (point-to-point)
>> NOTE: This is why folks had to open up additional Firewall ports for Audio/Video to work
>>
>> c) iChat Client "B" receives the encrypted content and decrypts it using their corresponding private key
>>
>> d) ... the process continues back and forth...
>>
>>
>> "OS X Lion":
>> Use FaceTime to perform the same encrypted Audio/Video between OSX/iOS clients
>>
>>
>> 2) iChat Client "A" <== "AOL" ==> iChat Client "B"
>>
>> a) iChat Client "A" selects iChat Client "B" to send Text Messages
>>
>> b) iChat Client "A" encrypts content using recipients public key from MobileMe Certificate
>>
>> c) Content is sent from iChat Client "A" through AOL (api.oscar.aol.com) to iChat Client "B"
>>
>> d) iChat Client "B" receives the encrypted content and decrypts it using their corresponding private key
>>
>> e) ... the process continues back and forth...
>>
>>
>> "OS X Lion":
>> Select "Use SSL" setting in Preferences->Accounts->Server Settings to encrypt channel
>> This is the same as having a Browser-based SSL communication
>> AOL Servers can access content, since this is comms between Client-Server
>>
>>
>> 3) iChat Client "A" <== Jabber Server ==> iChat Client "B"
>>
>> a) Jabber Server Admin configures Server to enable SSL - Server Cert (default: port 443)
>>
>> b) iChat Client "A" selects iChat Client "B" to send Text Messages
>>
>> c) Content is sent from iChat Client "A" to Jabber Server using SSL
>>
>> d) Content is sent from Jabber Server to iChat Client "B" using SSL
>>
>> "OS X Lion":
>> This is still available.
>>
>>
>> Relevant Apple Knowledge Base Articles that should be helpful:
>>
>> MobileMe: "Secure iChat" is unavailable in OS X Lion
>> http://support.apple.com/kb/TS3902
>>
>> Creating a Secure iChat certificate
>> http://docs.info.apple.com/article.html?path=MobileMeBack/Account/en/acct17035.html
>>
>> iChat 5.0 Help
>> ============
>> - Setting up secure chatting
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/9759.html
>>
>> - Security pane of Accounts preferences
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/20004.html
>>
>> - Revoking a Secure iChat certificate
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/9771.html
>>
>> - If you're having problems with secure chatting
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/9770.html
>>
>> - Sending messages directly to another person
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/9718.html
>>
>> - Sharing your screen with a buddy
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/11883.html
>>
>> - About screen sharing security
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/17157.html
>>
>> - About video chatting with AIM buddies
>> http://docs.info.apple.com/article.html?path=iChat/5.0/en/9758.html
>>
>>
>> -Shawn
>>
>> On Jan 3, 2012, at 12:06 PM, Joel Esler wrote:
>>> No, it is not safe. I think the 443 may be the authentication piece.
>>>
>>> As one of the people that writes detection for Snort, no, AIM is not encrypted.
>>>
>>> J
>>>
>>> On Dec 20, 2011, at 12:04 PM, Pike, Michael (IHS/HQ) wrote:
>>>
>>>> but it is safe to say that local sniffing is not possible?
>>>>
>>>> On Dec 20, 2011, at 7:52 AM, Danziger, Alan D. wrote:
>>>>
>>>>> Not really - you're conflating "travels over encrypted pipe" (SSL) vs.
>>>>> "Contents are encrypted between sender and recipient" (secure chat).
>>>>>
>>>>> Misleading would be implying that you ARE fully secured, just because the
>>>>> pipe between you and the chat server is secure. If a vendor is to err, I
>>>>> strongly prefer they imply something is less secure than it actually is,
>>>>> than the vice versa.
>>>>>
>>>>> -=Alan
>>>>>
>>>>> On 12/19/11 11:04 PM, "Pike, Michael (IHS/HQ)" <email@hidden>
>>>>> wrote:
>>>>>
>>>>>> Then why does it communicate with Oscar.aol.com on
>>>>>> SSL? Port 443?
>>>>>>
>>>>>> Isn't that misleading?
>>>>>>
>>>>>> Transcribed by Siri on my iPhone 4S
>>>>>>
>>>>>> On Dec 19, 2011, at 7:19 PM, "Ruben Brochner"
>>>>>> <email@hidden> wrote:
>>>>>>
>>>>>> For OS X Lion, see:
>>>>>> "MobileMe: 'Secure iChat' is unavailable in OS X Lion"
>>>>>> http://support.apple.com/kb/TS3902
>>>>>>
>>>>>> For 10.4.3 through 10.6.8, see:
>>>>>> "MobileMe: Setting up and troubleshooting secure iChat"
>>>>>> http://support.apple.com/kb/HT1952
>>>>>>
>>>>>> - Ruben
>>>>>>
>>>>>> On Dec 19, 2011, at 5:42 PM, Pike, Michael (IHS/HQ) wrote:
>>>>>>
>>>>>> I looked all around, and there was a support article on Apple's website
>>>>>> which is now gone, so I am hoping someone here can answer it.
>>>>>>
>>>>>> iChat used to have an encryption mechanism, however, since upgrading to
>>>>>> Lion it is gone. I did however notice SSL on port 443 is used for the
>>>>>> Oscar aim server...
>>>>>>
>>>>>> Can anyone on here confirm or deny that traffic is being encrypted
>>>>>> between chats? Or is it subject to network sniffing?
>>>>>>
>>>>>> Thanks,
>>>>>> Mike
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
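Added example, not code from any message in this thread and not Apple's: a small Go program that builds identities shaped like the MobileMe/Certificate Assistant ones Shawn describes (CN = user name, EKU = Client Authentication 1.3.6.1.5.5.7.3.2 plus Apple iChat Signing 1.2.840.113635.100.4.2 and Apple iChat Encryption 1.2.840.113635.100.4.3), checks a peer certificate for the Apple iChat Encryption EKU before using it, and then seals a text message to the peer's public key as in modes 1 and 2, so whatever relays it (AOL in mode 2) sees only ciphertext. It also shows the EKU check rejecting a certificate that carries only clientAuth. Assumptions: the certificates are self-signed, the names bob/carol and the sample message are constructed, and RSA-OAEP with SHA-256 is an assumed wrapping scheme; the thread does not say what iChat actually used to encrypt content.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EKU OIDs as listed in the thread. clientAuth is Go's x509.ExtKeyUsageClientAuth;
// the two Apple arcs are unknown to the x509 package and travel in UnknownExtKeyUsage.
var (
	oidAppleIChatSigning    = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 4, 2}
	oidAppleIChatEncryption = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 4, 3}
)

// Identity is a hypothetical stand-in for the provisioned iChat identity:
// the user's private key plus the certificate peers encrypt to.
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewIdentity mints a self-signed certificate shaped like the one in the thread
// (CN=<user name>, EKU=clientAuth + Apple iChat Signing + Apple iChat Encryption).
// withIChatEKU=false leaves only clientAuth, to show the EKU check rejecting it.
func NewIdentity(userName string, withIChatEKU bool) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: userName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if withIChatEKU {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidAppleIChatSigning, oidAppleIChatEncryption}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so the EKU check runs on real DER
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// HasIChatEncryptionEKU reports whether a parsed certificate carries the
// Apple iChat Encryption EKU, i.e. may be used as a peer's encryption cert.
func HasIChatEncryptionEKU(cert *x509.Certificate) bool {
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(oidAppleIChatEncryption) {
			return true
		}
	}
	return false
}

// Seal encrypts msg to the recipient certificate's public key after the EKU check.
// RSA-OAEP/SHA-256 is an assumed scheme; the thread does not say what iChat used.
func Seal(msg []byte, recipient *x509.Certificate) ([]byte, error) {
	if !HasIChatEncryptionEKU(recipient) {
		return nil, errors.New("recipient certificate lacks Apple iChat Encryption EKU")
	}
	pub, ok := recipient.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("recipient certificate key is not RSA")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts with the holder's private key; any other key fails.
func Open(ct []byte, id *Identity) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.Key, ct, nil)
}

// RelayCanRead is the relay's view (AOL in mode 2): does the plaintext appear in what
// passes through? False for a sealed message; a relay that merely terminates "Use SSL"
// would itself hold the plaintext.
func RelayCanRead(wire, msg []byte) bool {
	return bytes.Contains(wire, msg)
}

func main() {
	bob, _ := NewIdentity("bob", true)
	msg := []byte("constructed sample message") // constructed input, not from the thread
	ct, _ := Seal(msg, bob.Cert)
	pt, err := Open(ct, bob)
	fmt.Printf("relay sees plaintext: %v; bob reads %q (err=%v)\n", RelayCanRead(ct, msg), pt, err)
}
```

RelayCanRead is the one-line model of the distinction Alan draws between an encrypted pipe and encrypted contents: with content sealed to the peer's certificate the relay cannot read it, whereas with only "Use SSL" the relay is the other end of the TLS session and has the plaintext.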