
Are AOL IM conversations secure/encrypted?

Hi everyone,

Just downloaded and installed Openfire today in response to my company wanting an internal IM server. I do have one question off the start that I hope someone can answer for me quickly…

I've installed the IM gateway and have successfully logged into AOL through the Spark client and see all my contacts. I have the server configured to only allow secured connections from the client.

My question is: will AOL instant messages between users using the Spark client and outside users using the AOL client be secure or encrypted, or will they be free to sniff out?

Look forward to your responses.



No, the connections from the server to the AOL network are not going to be encrypted. Only between the client and server.

Thanks for the response…

I kind of thought this would be the case…

I'm wondering now if an AOL sniffer would pick up intranet AOL conversations if the client-to-server connection is secure… do you have any thoughts?

We're trying to decide whether to block all AOL traffic and just use Spark and the Openfire server, or allow AOL traffic using the plugin/gateway.



If the sniffer is on your intranet, they would need the private key of the SSL certificate on the Openfire server. The only vulnerability would be whatever sits between your Openfire server and the AOL servers. If you are on a switched network you should be safe.

We are on a switched network and we won't be broadcasting the private key on the Openfire server, so it looks like we'll be good…

Thanks so much for your responses…


By AOL do you mean ICQ? Have you read their use policy?

You agree that by posting any material or information anywhere on the ICQ Services and Information you surrender your copyright and any other proprietary right in the posted material or information. You further agree that ICQ Inc. is entitled to use at its own discretion any of the posted material or information in any manner it deems fit, including, but not limited to, publishing the material or distributing it.

I think AIM will have a similar policy.

Regardless of whether you are using SSL or not, AOL will be able to read your messages.

If your company has any secret or important information (I would say every company has…) you should use your own internal server. Another way would be end-to-end encryption with OpenPGP or OTR, but this will result in some problems because the transport doesn't support it correctly. Between multiple Jabber servers it's no problem; only both clients have to support it.


I think the worry is with people in-company reading IMs. Once it hits the internet it's pretty much fair game unless some real encryption techniques (like the ones you describe) are used.

Of course, if they are discussing important private/secret information in-company, it would be going via XMPP and stay internal, right? I think IM is a poor place to discuss things with any sort of privacy importance anyway, since either client may be storing log files in an insecure manner. Or the server might be recording conversations. If you just want it out of the general public it works fine. If you are discussing DoD classified material (for example) you need to be sure of a lot of things first.

My worry was with people in-company reading IMs.

We tell employees never to discuss or reveal important info over IM or even email for that matter, but not everyone listens.

The purpose of the internal IM server was to give just a little more protection for those that do feel the need to discuss such info internally. With IMs from the clients to the Openfire server being passed over a secure connection, I think this solution will do what we want… agreed?

I realize info over the internet is fair game, but I'm only concerned with intranet information exchange.


I think this solution will do what we want… agreed?

Yes, I think so. If an attacker were able to compromise your internal Openfire server, he would be able to get the information in other ways, too.

Coolcat wrote:

By AOL do you mean ICQ? Have you read their use policy?

Notice that they say "posting any material or information anywhere on the ICQ Services and Information". They're talking about some kind of forum on their web site, not IM. They clarified that in an interview a while ago.

stephenpayne73 wrote:

My worry was with people in-company reading IMs.

As long as you're using a switched network, and the routers/switches are all safe, there shouldn't be a problem with any kind of communication that stays within the LAN, no matter if it's encrypted or not.

Unless someone maliciously installs a proxy server on his/her machine and tells someone else's computer to use it, of course. But then they could simply install a keylogger there anyway.