Shoutbox

Encryption suggestion (important) - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Messenger Plus! for Live Messenger (/forumdisplay.php?fid=4)
+---- Forum: WLM Plus! General (/forumdisplay.php?fid=23)
+----- Thread: Encryption suggestion (important) (/showthread.php?tid=84420)

Encryption suggestion (important) by kazen_90 on 06-20-2008 at 10:29 AM

In sweden there is a new law, that passed a few days ago. It allows the military to listen to all telephone calls, read all e-mails, MSN-conversations and so on. We who live in sweden are very upset about this, we don't like Big Brother to get involved in everything we do, so we want to protect us. Now I've heard about an MSN encryption software named SimpLite-MSN <a href="http://www.secway.fr/us/products/simplite_msn/home.php">link</a> but it requires all persons in the conversations to have it installed if its going to work, and almost nobody have it installed. But MPL is used by millions of people, so if it is bundeled with SimpLite-MSN it will get much more secure.
Could you start a partnership with Secway so we can get it bundeled or integrated?


RE: Encryption suggestion (important) by mattisdada on 06-20-2008 at 01:24 PM

[Moderator edit: removed reply to deleted post]

So back to the point at hand.

I dont belive it will be possible for MP!L to partner up with Secway.

MP!L although DOES have an encryption algrothem on chat logs, im not sure if it can protect your conversations as there taking place..... Look at some of the other MP!L "extensions".

Like a-msn(something like that), and Messenger Discovery :) Im fairly sure Discovery can.... You might have to look into that.

But you never know, Secway and Patchou(the guy that makes MP!L) may partner up to make encrypted chats.
Now, im not sure about Sweedish law or anything, but would blocking the Miltary from reading your conv's be indeed illegall?

Hope that sorta ansewered your question :)

Oh and Panos, how would you like it if someone was stalking you? Its not what they find out, its more the breech of your privacy. And no, you being mean to everyone is not regarded as normall...... We all have real life friends, but when we come back from a long day at work, we sit back and relax and talk to some friendly people on a forum.....

EDIT: http://live.msgdiscovery.com/1.5preview.php

The 1.5 Preview does have it. But its not relesed. The regular 1.4 does not have it unfortunetly.


RE: RE: Encryption suggestion (important) by High Speed Chaser on 06-21-2008 at 04:39 AM

quote:
Originally posted by mattisdada


MP!L although DOES have an encryption algrothem on chat logs, im not sure if it can protect your conversations as there taking place..... Look at some of the other MP!L "extensions".



It doesn't protect conversations in real time, only the chat logs.



Msgplus is not going to be bundled with any program (besides C2M Media or what ever) I'm sure it wouldn't be too hard to meet your contacts in person and tell them about the site and download it. I might wait for Discover 5. But if the military has the legal right to listen to your conversations, then its probably illegal to obstruct it with encryption software.

Surely Sweden has some sort of constitution that prevents this law. Maybe all of Sweden should have a peaceful protest.
RE: Encryption suggestion (important) by Thor on 06-21-2008 at 04:51 AM

quote:
Originally posted by mattisdada

Now, im not sure about Sweedish law or anything, but would blocking the Miltary from reading your conv's be indeed illegall?
There's a difference from blocking the militarys access and simply encrypting your stream of data. No, it's not illegal.

Although, I do support a encryption feature in WLM.
RE: RE: Encryption suggestion (important) by High Speed Chaser on 06-21-2008 at 05:30 AM

quote:
Originally posted by Nitro
quote:
Originally posted by mattisdada

Now, im not sure about Sweedish law or anything, but would blocking the Miltary from reading your conv's be indeed illegall?
There's a difference from blocking the militarys access and simply encrypting your stream of data. No, it's not illegal.

Although, I do support a encryption feature in WLM.

But encrypting data for the purpose of hiding it from the military might still be illegal. There might be loop-whole in the law though.
RE: Encryption suggestion (important) by CookieRevised on 06-21-2008 at 06:16 AM

[some related personal thoughts, but otherwise off-topic]

Why would you want to encrypt it?

Do you have anything to hide? Don't you think they will get MORE suspicious if they find out you are encrypting your conversations?

What I mean is: so now you know they can (note: can and not will*) monitor your conversations... So what? What is the big deal, for you personally I mean? If you got nothing to hide, you shouldn't worry about it.

Privacy? Maybe... on the other hand, you obviously know they can monitor it now (you made a post about it), and there is the big difference. Since you know it, and since it is a new 'law' which is hopefully publically know, you actually can not call in privacy issues I think.

A matter of principle? Yeah, that's for sure...

But it would be only when they may not, by law (thus without any suspicion), monitor your data and they still do it, that you could call in privacy issues I think...

The chance that your boss, coworker, network admin, family member, etc reads your emails or chats is millions times higher than that the governement would.

Anyways, the bottom line is: *they are not interested in your chats!! And I very highly doubt there will be hundreds of people sitting at a desk day in and out reading all the millions of chats...  In fact, what they probably will do is using so called 'data mining software' to search for sensitive keywords. There might even be a fine print saying that all data monitoring must remain annonymous too (aka, just the chats, no real names, no emails, no IPs, etc), unless they come across some suspicious data.

Again, if you got nothing to hide, why would you wanna take the trouble of encrypting stuff?

Also note that even if there would be an encryption system in Messenger itself, or in Plus!, or another widely used product, it might also be perfectly possible by law that the military must know the encryption/decryption methods being used so that they can decrypt it and monitor it! In other words, an encryption system might not solve the issue of 'hiding' stuff in such cases. It would hide data from your network admin though, since he might not have the right to monitor it. It all depends on the laws, the fine print, etc...

Als note that in many countries something like this (but not to this extend though) already exists. Sure there are always outcries, but I never read any reports that it was being abused or that there are problems with it. At least not for the common public who got nothing to hide anyways or who don't do anything bad. On the contrary, it seems like such stuff helps in fighting (international) crime, catch pedos, etc...

[/some related personal thoughts]


RE: Encryption suggestion (important) by Shiroi on 07-05-2008 at 08:33 AM

I do support an encryption feature for MP!L too.
Privacy through encryption  is and will be in future a big topic. To say "I don't care if others can read my conversations" is very careless in my opinion.
I think an encryption functionality inside of WLM will make it even more attractive and actually in my opinion encryption features should be a very basic of every new IM. Pidgin, Kopete, Miranda, Adium, etc. are using message encryption (in this case OTR Messaging) why not MP!L? 

I took a look on SimpLite-MSN but in my opinion this is not a good solution.
I would like to suggest OTR (Off-the-Record Messaging) http://www.cypherpunks.ca/otr/ as a possible candidate for encryption. It has the advantage towards PGP that is supports PFS (perfect forward secrecy) and "deniable authentication" and it stands under the LGPL, so it's free the use.

quote:
the military must know the encryption/decryption methods being used so that they can decrypt it and monitor it!

This is not correct. Like OTR everybody can look how the encryption is working but as long they don't have your privacy key they can't decrypt your message (well they can but I think they won't life long enough to see the result as it might take.. "a few years" ... ) And as OTR is using only temporary keys nobody will be able to decrypt closed conversations (PFS).

I can only beg the MP!L team to think about an implementation of message decryption because it is definitely a serious topic, for now and in the future.

A worried user.
RE: Encryption suggestion (important) by CookieRevised on 07-05-2008 at 09:24 AM

quote:
Originally posted by Shiroi
are using message encryption (in this case OTR Messaging) why not MP!L? 
Because Plus! can not do it. Messenger Plus! is not an IM-client.

There is no way to know who uses the Plus! addon or not, because of privacy reasons. And even if there would be such a system, you would be able to disable it. In other words, besides that it can't be done in Plus! (you don't know who has Plus! and would be able to read the encryption), it would also be useless (because even if they have Plus!, it can be disabled).


quote:
Originally posted by Shiroi
quote:
the military must know the encryption/decryption methods being used so that they can decrypt it and monitor it!

This is not correct. Like OTR everybody can look how the encryption is working but as long they don't have your privacy key they can't decrypt your message (well they can but I think they won't life long enough to see the result as it might take.. "a few years" ... ) And as OTR is using only temporary keys nobody will be able to decrypt closed conversations (PFS).
this isn't about being correct or not. I did not say that as a fact. I said it is possible that they have the right to know the encryption method/keys/whatever needed to be able to monitor messages, by law.

This is nothing new and happens already with other things. So you would be able to hide your stuff from your family, snooping brother, admin, ISP, etc. But you may not/can not hide it from the government.
RE: Encryption suggestion (important) by Shiroi on 07-05-2008 at 11:46 AM

Yes right MP!L is not an IM-Client but I thought it may operate on the layer between Windows Live Messenger and the port it communicates through.
If that's not the case, yes it might be very troublesome to implement encryption.
But if it's operating on this layer it should be possible to allow encryption without knowing if the the other person supports this encryption or not. Because on the very begin of conversation OTR must share the temporary keys between the conversation partner (in a safe way that there is no man in the middle) that he will be able to decrypt your message. If this fails (because you get no answer from the other client on this request) you know that he can't decrypt your message.
Well I didn't read now the documentation of the OTR but overall that's the idea how such is working.
Actually there is already software available called otrproxy which allows to encrypt Microsoft Live Messenger messages but it seems like they stopped developing on it.

About law, well I am not a lawyer so I have no guess what is now allowed or not.
What I can say is that they can't forbid you to use a encrypted communication channels but yes they have the right to ask you for the key and the password to activate this key that they can decrypt your messages.
So that's why OTR uses only temporary keys. If the communication channel gets closed the key will be removed. So there is no key existing any long which they could ask for. And as there is no digital signature on the encrypted message they also can't say that you've send this message. That's the idea of deniability and perfect forward secrecy OTR is using.

Well of course law can forbid that you remove this key but you can be sure that they can't decrypt your messages on the fly and need to get first access on your PC to get this key. I have nothing to hide when I am talking via MSN Messenger because I would never send sensible data through it but it gives me a feeling of security and privacy if I know only me and my discussion partner can read what we are talking. They don't need to know every detail of your life.

Of course I could stop using Windows Live Messenger but many of my contacts are using it and they won't change to another IM because they have also many contacts using this messenger too. And I like the GUI and the feeling of talking via the Live Messenger.

So that's why I am asking the team of MP!L that they think about an implementation of message encryption into their software to support personal privacy.


RE: RE: Encryption suggestion (important) by CookieRevised on 07-05-2008 at 01:18 PM

You're focussing too much on a specific type of encryption and forgetting one important thing I think.

The problem is the _implementation_ of the encryption, whatever kind of encryption that is or however it uses public, private or whatever keys, doesn't matter:

quote:
Originally posted by Shiroi
Yes right MP!L is not an IM-Client but I thought it may operate on the layer between Windows Live Messenger and the port it communicates through. If that's not the case, yes it might be very troublesome to implement encryption.
Even if it operates in that layer, the same restrictions still apply though: not everybody uses Plus!, and most importantly: there is no way to know who uses it and who doesn't.

(you don't want to have people recieving gibberish and not knowing what todo with it).

quote:
But if it's operating on this layer it should be possible to allow encryption without knowing if the the other person supports this encryption or not. Because on the very begin of conversation OTR must share the temporary keys between the conversation partner (in a safe way that there is no man in the middle) that he will be able to decrypt your message. If this fails (because you get no answer from the other client on this request) you know that he can't decrypt your message.
That is purely based on the fact that you send out hidden information first. That is exactly what Plus! will not do because of privacy reasons. And that is the entire point why an encryption function (again, no matter what encryption) wont work.

quote:
Actually there is already software available called otrproxy which allows to encrypt Microsoft Live Messenger messages but it seems like they stopped developing on it.
Just like everything else, both parties must use it in order for it to work. And you can't know if the other party uses the exact same thing as you.

Bottom line: a proper encryption system is never going to work/be popular when implemented with addons or other 3rd party IM clients using the MSN Network.

If proper encryption is needed for the MSN Network, then it must be done on protocol/server level within the main client (Windows Live Messenger) itself.

In that way you can make sure that whatever you encrypt (or not), the other party can read it. Any other method using 3rd party stuff has severe limitations and thus will never be successfull since what is the point of using encryption if your contact can't read it.

As such, I think you should instead request encryption to the Windows Live Messenger team itself (http://support.live.com or via the main menu: Help > Send feedback).

;)