Langa Letter: More Instant-Messaging Security HolesLanga Letter: More Instant-Messaging Security Holes
<b>Fred Langa</b> warns that hyper-aggressive IM installations may end-run your online safeguards.
September 24, 2001
All this is bad enough, but it's made worse when an IM vendor actively seeks to circumvent your online security settings. For example:
AOL/Netscape Undermines Your Browser Security Settings
AOL/Netscape's abuse of browser security settings first came to my attention when reader Michael G. Baker, Jr. sent this alarming E-mail:
"When a user downloads or updates AIM, free.aol.com is added to the users' IE Trusted Sites Zone. This also happens if you download Netscape6.x with integrated AIM. It is one thing for them to put that free.aol.com link everywhere when you download N6, even in IE's bookmarks, but quite another thing to mess with security settings. Although mostly harmless, it is the principle. I don't think this is right. If this was Microsoft messing with a Netscape security setting, all hell would break loose."
It's true. Without so much as a by-your-leave, AOL software inserts "free.aol.com" into your IE browser's "Trusted Zone." Talk about an aggressive installation routine!
The IE Trusted Zone's security permissions are intentionally relaxed. Scripts and ActiveX components can run (some with no prompting); downloads are enabled; Java safety is low; cross-domain data-sourcing is allowed; there's no alert when a site's security certificate is missing or revoked; and so on. Normally, that's OK, because the only sites in the Trusted Zone are those you put there yourself, after you decide that a site is entirely above-board. (Even so, many security-conscious users put no sites in the Trusted Zone, leaving nothing to chance or goodwill, and instead enforcing at least the "Internet Zone" restrictions on all Web sites.)
By automatically placing its own site in the Trusted Zone, AOL creates a double security threat. If you (or your users) download and install Netscape 6.x, AIM, or any product with integrated AIM, not only do you have to cope with the inherent problems of an IM client itself, but you'll also have AOL set up as trusted site. That can bypass the browser security settings you've established for normal Internet connections.
To me, this is clearly a very wrong thing to do. No site, from any vendor, should set itself up to bypass your normal browser security settings. (Microsoft's browser should not allow such changes to be made covertly--but IE's problems are a whole other issue.) Free.aol.com may be relatively harmless, but there's nothing to prevent a malicious site from trying to set itself up as either a trusted site on its own, or as a spoofed, malicious version of free.aol.com.
AOL Admits The Dangers
Think I'm being alarmist? Note that AOL freely admits its IM products are insecure, and specifically recommends against using them for sensitive communication. For example, the ICQ user agreement explicitly states that using the ICQ software puts you at risk for:
"... unauthorized exposure of information and material you listed or sent, on or through the ICQ system to other users, the general public, or any other specific entities for which the information and material was not intended by you ... If you do not wish to be subjected to these risks, you are advised not to use the ICQ service and software. Furthermore, please do not use the ICQ service and software for 'Mission Critical' or 'Content Sensitive' applications and purposes. For the purpose of this section, 'Mission Critical' applications and purposes shall mean applications and use that may result in damage; 'Content Sensitive' shall mean any information or data you do not wish to be freely accessible and generally available to Internet users."
In the above, I bold-faced the key phrase for emphasis: AOL is specifically telling you not to trust ICQ for anything important!
AIM is almost as bad; its agreement states:
"... AOL and its officers, directors, employees, and agents are not responsible for any files you send or receive ... You also understand that files you share with other Service users may be redistributed and used without your knowledge. In sending and receiving files, other Service users may also be able to determine your IP address ..."
Although MSN Messenger hasn't had as many built-in security problems as have AIM and ICQ, it does rely on Microsoft's separate "Passport" service, which contains its own set of vulnerabilities and security issues. See, for example, Risks of the Passport Single Sign-On Protocol, Passport Is Cracked, or Microsoft's Passport sparks concern.
In short, all the major IM software carries significant security risks.
Toys, Not Tools
Instant messaging was never, ever originally intended as a secure channel for sensitive information. In fact, IM's initial major application was for entertainment--it was an online toy originally used mainly for dating and cyber sex. (ICQ's name even derives from the phrase "I seek you.")
Despite these decidedly informal origins, huge numbers of businesses now routinely use IM to discuss delicate personnel matters, private schedules, sensitive strategic issues, non-public budgets, and more.
Frankly, it's nuts--especially when the major vendor of IM tools freely admits that the medium is fundamentally insecure. And it's even more nuts when we see vendors (like AOL) diddling with browser security settings, or (like Microsoft) relying on a flawed log-in system.
I strongly recommend against using any form of public IM client for sensitive communication of any kind--business or private. The risks are simply too great.
But what's your take? Do you or your business use IM for sensitive communication? Were you aware of the risks? What steps do you take to prevent snooping, eavesdropping, identity theft, and the host of other problems that IM invites? What secure forms of online communication do you use to supplant IMs? Are there any kinds of business communication that IM is good for? Join the discussion!
About the Author(s)
You May Also Like