RE: In regards to the insecurity of AOL Instant Messenger

[Jason Barbour <jbarbo1 () umbc edu>]

> Does the AIM protocol have any kind of authentication to defeat MiM attacks
> whereby an attacker couldn't drop himself in the middle and log all outgoing
> conversations and change the actual conversation if he wanted?  I don't know
> much about the protocol and I'm pretty sure it's closed source, but has
> enough work been done by researchers into the protocol to determine if this
> is possible.  It seems to be it would be trivial for AOL's server to have a
> random id generated upon every successful login attempt by a user that would
> need to be included with every message and action on the client side in order
> for it to register.  This would at least prevent an attack by hopping into
> the middle of a conversation and would require a more extensive attack by
> being in the middle for the initial login.

A good document on AIM/Oscar can be found at aimdoc.sourceforge.net/OSCARdoc
It appears that when you signon you first connect to an authorization server, 
which issues you a cookie to logon to the other servers. With this, isn't 
still possible for man-in-the-middle attacks? On a side note, I guess it could 
be possible to write a simple encryption tool, that just encrypted your 
message and sent the encrypted results. Just a pain that each person would 
need to have the tool and any needed keys. Could be a nifty little tool in my 
opinion.

--- Jason