AIM Encrypt: A Case Study of the Dangers of Cryptographic Urban Legends

Locasto, Michael E.

Like e-mail, instant messaging (IM) has become an integral part of life in a networked society. Until recently, IM software has been lax about providing confidentiality and integrity of these conversations. With the introduction of AOL's version 5.2.3211 of the AIM client, users can optionally encrypt and protect the integrity of their conversation. Taking advantage of the encryption capabilities of the AIM client requires that signed certificates for both parties be available. AIM (through VeriSign) makes such certificates available for purchase. However, in a "public service" effort to defray the cost of purchasing personal certificates to protect IM conversations, a website is offering a certificate free of cost for download. Unfortunately, the provided certificate is the same for everyone; this mistake reveals the dangers of a public undereducated about computer security, especially public key cryptography.



More About This Work

Academic Units
Computer Science
Department of Computer Science, Columbia University
Columbia University Computer Science Technical Reports, CUCS-030-03
Published Here
April 26, 2011