[Adium-devl] Java-based libraries... a ponder, a thought, an apology

Colin Barrett timber at lava.net
Fri Dec 8 05:24:58 UTC 2006


On Dec 7, 2006, at 11:51 PM, Augie Fackler wrote:

>
> On Dec 7, 2006, at 9:31 PM, Evan Schoenberg wrote:
>
>>>> 4) Trillian SecureIM compatibility
>>>
>>> Can't answer to this one.  I only partially looked at it.  Since  
>>> Fire had GPG, and then later OTR, I just didn't see the point.  In  
>>> terms of implementation, I remember thinking it should be a  
>>> plugin, like OTR, but have extra "meta-data" support by the  
>>> library to work with it.  I would have to look at how secureIM is  
>>> implemented again in order to expound on this idea.
>> Indeed -- I don't expect that there's any real reason to implement  
>> SecureIM. Multiple encryption methods seem to add a lot of  
>> complexity which most users simply don't need.
>>
>>> Wasn't there something about supporting AIM's encryption for IMs  
>>> in there as well?
>> I'm not sure... there may well have been.
>>
>
> Trillian SecureIM is not all that useful - I'm actually actively  
> *opposed* to including support for it in Adium, because it's bad. I  
> can't find the site for reference - but the long and short of it is  
> that SecureIM has no way of verifying the authenticity of who you're  
> talking to...which OTR provides. Honestly, I'd be inclined to say we  
> should start broadcasting a capability block for OTR, and encourage  
> everyone else to start doing the same - and try and get some real  
> clients supporting OTR.

I definitely agree here. OTR is a great encryption protocol designed  
for realtime communications, and it's open (and the developers seem to  
take security very seriously and are quick to respond to exploits— 
remember that design flaw a while back that caused them to bump the  
major version #?). The more people we can get using OTR, the better.  
We should definitely be evangelizing it in our documentation and what  
press we do write. People request GPG and PGP support a lot and the  
only reason it would be useful would be a large number of keys and  
such built up over time. But that wouldn't be that hard to replicate  
with OTR, anyway. Just send a signed GPG message with your OTR  
fingerprint, and bam.

> AIM does have their own encryption protocol, using SSL certs for  
> verifiability.

Not as good as OTR—deniability ftw.





