Cerulean Studios Releases Trillian IM Protocol Specifications 95
Runefox writes "Cerulean Studios, the company behind the long-lived Trillian instant messaging client, has released preliminary specifications to their proprietary "Astra" protocol, now named IMPP (Instant Messaging and Presence Protocol), which provides continuous client functionality as well as mandatory TLS encryption for clients. According to their blog, Cerulean Studios' motivation for the release is to promote interoperability among the throngs of IM services and clients available by allowing others to also use the protocol. Future concepts include federation with XMPP. While the documentation is in an early state and the protocol is claimed to still be in development, it is hoped that it will help decentralize the very heavily fragmented messaging ecosystem. It's implied that, in turn, greater options for privacy may become available in the wake of the PRISM scandal via privately-run federated servers, unaffiliated with major networks, yet still able to communicate with them."
Too little too late (Score:4, Insightful)
Re:Too little too late (Score:4, Interesting)
Ironic really, their "business choices" included enabling access to IM networks whose protocols weren't open...now they're making a big deal out of their own proprietary protocol's "specifications" (i.e. useless advertising material) available.
And the captcha word of the day is "surreal," no less.
Re: (Score:1)
Keeping OS X users off the network is a feature, not a flaw.
Re: (Score:3)
I used to use Trillian for a while but then I switched to the open-source Miranda IM client. Talks to most of the networks I need (IRC, ICQ, MSN, AIM) and has all the features I need (even more so with extra plugins). 100% open source so I can hack on it if I wanted to.
Only thing it doesn't do is Skype but you can thank Microsoft for that, not Trillian.
Re: (Score:2)
Re: (Score:2)
No. Not on its own it doesn't. It still requires the binary blob from Skype.
Re: (Score:1)
Re: (Score:2)
Nope, it's Skype Communications SarL's fault. That restriction existed long before the Microsoft purchase.
Re: (Score:1)
No, you can thank Miranda for that.
Trillian does Skype just fine, without even needing Skype installed, or at least it did, when I last used it. Now that Skype does Bookface and MSN, I just stick with that. Though I did quite like the way Trillian handles Twitter. In any case,. Skype-Kit has been around for a while, people have been bugging the Miranda team about it for a few years now, and as far as I know, Microsoft hasn't pulled the plug on it.
As far as I know, there's no reason for the Miranda team not to be able to support Skype via Skypekit, unless there's some sort of aversion to using Skype's library.
Seriously, what the fuck?
Why WOULDN'T you check your facts before posting?
Re: (Score:2)
Re:Too little too late (Score:5, Interesting)
I actually still use Trillian, expressly for the continuous client functionality. As there is also the iPhone app, OS X, Windows, etc, not every IM service allows you to log in in multiple locations simultaneously, and allow you to start a conversation on a mobile device, continue on a Windows box, then finish it on a Mac, and have the IM logs and history available on each one. And since a lot of my friends, coworkers, etc, don't rely only on Facebook chat, and I occasionally will send something important to someone, or they to me via IM, being able to look at 1 unified history for that person, and not needing to look on system A, B and C to find the logs, is quite beneficial.
I've seen some other clients that will do similar things, though mainly on the mobile side only (IM+). Pidgin also does not have a released binary for OS X. You can use one of the ports (Fink/MacPorts), or compile from source (people here may not have issues with that, average desktop types will), or use Adium, which uses the core of pidgin, but, so far, the only decent, and frequently updated, all in one IM program with persistence over multiple clients is Trillian.
IM itself has been overtaken (Score:2)
I think its fairer to say Trillian did not fail because of their own efforts, but because the whole Instant Messaging scene was overtaken by mobile. Trillian is not the only IM service hurting today. Users have been quitting ICQ, AIM, MSN and other services for a while now.
Most people if they want to broadcast would send out a tweet. If they want to message a smaller circle of friends, mobile apps such as Whatsapp, LINE, Kakao etc. work nicely.
If Trillian could figure out a way to tap into the networks of W
TLS (Score:3)
TLS is useless against PRISM which simply takes records from the server.
You need end-to-end encryption like OTR over XMPP. Afaik all the good XMPP clients like Adium and Jitsi include OTR be default. Of course OTR does nothing against traffic analysis. Worse, OTR is not a mandatory part of the protocol.
TorChat is resistant to traffic analysis, but nobody uses it. Also, it's badly designed so that, if many people did use it, then it'd be hard on the Tor network.
Pond is a new attempt traffic analysis resi
I'm Not OK With This (Score:4, Funny)
I'm concerned that if this encryption is unbreakable to the authorities, this could be problematic in thwarting terrorists and other evildoers.
I'm not sure its so good that communications is completely unbreakable, there should be some mechanism whereby the government and agencies trying to keep us safe can intercept and decode them.
Re: (Score:1)
Yeah, wouldn't want any tea partiers to start a nonprofit without the IRS knowing about it.
Re: I'm Not OK With This (Score:1)
Ha ha ha ha ha! Good one! ....oh, wait. You're serious, aren't you?
Re: (Score:2)
How dare someone critize government or corporate intrests. They might as well be blowing up buildings.
Re: (Score:2)
But those laws can't possibly work once the allow the end users to use standard public/private encryption schemes rather than foisting some proprietary solution that relies on the central node being able to decrypt every message.
Once more applications start using key pairs to encrypt payload the three letter agencies will have to brute force decrypt everything.
Routing data is still harder to deal with.
Re: (Score:1)
But those laws can't possibly work once the allow the end users to use standard public/private encryption schemes rather than foisting some proprietary solution that relies on the central node being able to decrypt every message.
Once more applications start using key pairs to encrypt payload the three letter agencies will have to brute force decrypt everything.
Routing data is still harder to deal with.
You can't have a turn-key encrypted communications program without trusting the implementation, and the key management system. You can do it all yourself... today. If you want wide acceptance, it's going to have to be the turn-key approach.
Most people don't care, you know. It's not that everyone has a "I'm not hiding something so I don't care" attitude, it's just not worth the effort to actively attempt to defeat every possible surveillance tool, it's not practical.
Re: (Score:2)
Re: (Score:3)
Exchanging keys over the inernet?
Why would you do that?
Send me an encrypted email. My public key is easily found via my email address. You don't have to unconditionally trust my key, so don't give me the address and combination to your safe. But you can send me email and build a relationship
Re: (Score:2)
Do you have a single clue how Public Key encryption works do you?
Start here: http://computer.howstuffworks.com/encryption3.htm [howstuffworks.com]
Re: (Score:2)
Re: (Score:2)
If the protocol featuri
Re: (Score:2)
Re: (Score:1)
It's implemented using a question and answer that should be known only to the two participants.
From a cryptographic standpoint, this information forms the key, and is subject to all of the paranoia of any other secret key. From a practical/stenographic standpoint, this sort of information is much easier to conceal from surveillance than exactly four thousand ninety six uuencoded bits, and is probably much less likely to be intercepted auto-magically.
I don't know if that counts as secure to you.
When the secret knowledge is known by both parties, but not the NSA, it is a secure methodology. That sort of secret knowledge seems to be a precious c
Re: (Score:2)
Management of your private key is the only burden.
Keeping that backed up, yet available on every device upon which you need it is admittedly a minor hassle.
Once you get used to doing that, its pretty easy to deal with this for email.
The longer this NSA issue hangs in the press the more likely people will accept this task.
I can see some company coming along that offers Zero Knowledge storage, where they can't decrypt anything you send them, even at gunpoint, because they don't have your decryption key.
You co
Re: (Score:2)
SpiderOak does that right now, as a DropBox like service, and CrashPlan offers it as one of their security options for their backup service. I highly recommend both of them. It really isn't that hard to manage your private keys. I really wish people would start doing it for email as well, but I guess everybody just uses FaceBook these days anyway. Sigh.
Re: (Score:2)
I'm a SpiderOak paying customer, and while they do have zero knowledge storage, but they don't have a way to just fetch them when they are needed, say, to drcrypt an email. You have to copy those keys to your local device. I'd prefer not to store private keys on a portable and easily lost device.
Re: (Score:2)
Many devices support encryption, and it seems to be becoming more common. It takes a lot of the worry out of it.
Unimpressed (Score:3, Informative)
There has been a lot of backlash on their blog about this: Why didn't they just go with XMPP? What their protocol have that XMPP doesn't, or couldn't be extended to support?
Personally - just a guess (also, btw, disclaimer: I'm a subscriber) - I think they're dying. Their client haven't been getting any significant development for the past year, current issues with some protocols have been going unaddressed, and new features like Lync protocol support (which there are working OSS implementations) have been going completely ignored despite many people clamoring for it.
So, they have been silent for a long time, and now this. It's fishy.
Re:Unimpressed (Score:4, Insightful)
Why didn't they just go with XMPP? What their protocol have that XMPP doesn't, or couldn't be extended to support?
http://xkcd.com/927/ [xkcd.com]
Re: (Score:3, Informative)
XMPP doesn't provide for much in the way of security unless you are using strictly private single servers.
Once your contacts are scattered across multiple jabber servers all bets are off as far as security.
Your server will almost surely end up forwarding your message to other servers insecurely.
XMPP also struggles with binary blobs (images) etc.
Re: (Score:1)
Disclaimer: I run a small ejabberd server.
> Your server will almost surely end up forwarding your message to other servers insecurely
Eh? Require your server to only federate using SSL/TLS. (Granted, what other servers do with your bits is beyond your control, but *any* communication over the internet has this problem.)
> Once your contacts are scattered across multiple jabber servers...
AFAIK, this doesn't happen. [citation needed]
Re: (Score:2)
Virtually none of the people i communicate use the same jabber service as I do. Most are overseas, some in countries that don't allow encryption. So even though my service offers encrypted connections, I know that its not encrypted as it travels from my server to their server and then on to the other end.
I use a service, I don't run my own.
Re: (Score:2)
So each user gets to choose what service they use.. If you individually aren't concerned about privacy then you can use a service which doesn't support encryption, if you are concerned then you can run your own service.
Ultimately you have to trust the party your communicating with, even if you talk to them securely you have no control over what they do with your communication after receiving it.
Re: (Score:3)
XMPP doesn't provide for much in the way of security unless you are using strictly private single servers.
Once your contacts are scattered across multiple jabber servers all bets are off as far as security.
Your server will almost surely end up forwarding your message to other servers insecurely.
XMPP also struggles with binary blobs (images) etc.
a) There's GPG for XMPP, which is not so uncommon.
b) They intend to federate to XMPP, so, all this applies to IMPP.
c) SSL isn't end-to-end.
As for binary blobs, there's jingle.
Re: (Score:2)
What their protocol have that XMPP doesn't, or couldn't be extended to support?
It has TLS, which is a bad idea for chat. Unless you're taking a deposition, or something, where you want provable identity, most chat is expected to be ephemeral and reputable. Picture two people sitting quietly chatting in a secure room. That's the goal for most online chat.
You want to use OTR [cypherpunks.ca] for most chat, not TLS. It offers repudiation as well as authentication, security, and perfect forward secrecy. It's even obnoxious
Re: (Score:2)
You can deal with Authentication using GPG.
Re: (Score:2)
You can deal with Authentication using GPG.
Certainly. GPG offers authentication, like TLS, and of course security through encryption, but neither offer repudiation or perfect forward secrecy, which are essential features of OTR and ought to be for any protocol implementing causal chat protocols. They'd be inappropriate features for the problems GPG and TLS are solving.
In general, you don't want to be able to prove that Alice or Bob said something in an online chat at some point in the future - that's not
Re: (Score:2)
And if Mallory captures their computing devices, you don't want him to be able to forge messages using their private keys that make it look like they said something they didn't.
Then I guess you don't want to be using OTR then, because this is one of its features.
From the OTR site:
The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you.
This is actually what gives you deniability. After the chat is completed, anyone can forge additional content. This means that no particular piece of content can be proven to be a part of the original conversation.
Re: (Score:2)
It has TLS, which is a bad idea for chat.
Wait, what? All you need to know with chat is that this message came from the same guy as the last message. TLS is fine for that.
Re: (Score:2)
As far as I understand it, XMPP doesn't allow direct client-to-client communication, you have to go through one or several third-party servers, which will get the content of your messages even if you use encryption.
It would have certainly been better to build this as an extension to file-transfer or audio/video chat rather than making a new protocol however. (I don't know XMPP that much, but I suppose those three things are direct client-to-client for efficiency reasons)
Re: (Score:2)
You don't have to use a third party server, you can run your own server for this purpose...
You can also use end to end encryption tools such as OTR so that the server never has any unencrypted data.
Good... but questionable. (Score:3)
On the one hand, yes, in a way it is dumb to "open it up" after all this time when XMPP is there. On the other hand, with Google having lost its Federation support and soon enough to lose XMPP support altogether; with MSN Messenger being eliminated in favor of the Outlook.com site or the Skype with a totally closed protocol, and who knows what else, it seemed that XMPP was the only choice. Well, still, for now at least it is probably the best choice--let's see how IMPP takes off--but at least it's no longer the only "open" choice. The promise of Federation with XMPP servers is also good. Overall, I think the extra choice prevails in importance over everyone just jumping blindly to XMPP (simply because it's all that there is left).
I mean nothing against XMPP--I will be using it unless IMPP proves itself and offers something superior, but I appreciate the choice and the opportunity for the two to compete on a level (open) playing field for the best features. This just means there will be more choice when using multi-protocol clients like Pidgin, and will likely spawn special IMPP "native" instant messaging clients, similarly to what Psy is to XMPP. In the end, I would say this is a welcome change, and with the recent turn of events the timing really isn't too late.
That reminds me... (Score:1)
Why don't we yet have a truly distributed and encrypted chatting protocol, sorta like email except with much lower latency? Have both feature to talk to individual persons, keep the list of it on your local machine (or synced to actual trusted servers, whatever works for you), and as well as joining a "chatroom" within the entire network (which is just a string or whatever), rather than having to rely on having specific servers.
I'm sure people can work out the smilies plugin and random misc things later o
Re: (Score:1)
If I'm not mistaken, Retroshare does what you ask for.
http://retroshare.sourceforge.net/
Re: (Score:2)
Re: (Score:1)
My advice-learn English, especially if you're claiming to live in America.
It's the provider, stupid ! (Score:4, Insightful)
We have XMPP+Jingle, SIP+SIMPLE, OMA IMPS [wikipedia.org], and now this IMPP joins the club. Guess why people stick to Live Messenger, Skype, Google Talk, Facebook and (gasp) ICQ? These have providers and a pre-existing audience, and people don't care about the inner workings. You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too? Yes, there are a few and we all know one; just wait until said project goes belly-up.
Re: (Score:3, Insightful)
You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too?
That's why you try to educate people on why they should use that "open" service instead of the increasingly-closed crap, offer to set it up for them (bonus: to register an XMPP account, typically no e-mail address or additional "personal" information is needed), install a good client, and just go on from there. If they like it and want to use it, great--if not, they can go back to whatever increasingly-closed service they were on to begin with. But from now on, they'll most likely only be able to find me
Re:It's the provider, stupid ! (Score:5, Insightful)
You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too?
That's why you try to educate people on why they should use that "open" service instead of the increasingly-closed crap, offer to set it up for them (bonus: to register an XMPP account, typically no e-mail address or additional "personal" information is needed), install a good client, and just go on from there. If they like it and want to use it, great--if not, they can go back to whatever increasingly-closed service they were on to begin with. But from now on, they'll most likely only be able to find me on XMPP.
This is precisely what WON'T work, except to alienate your acquaintances. They don't want to be lectured on the importance of openness - at most they'll acknowledge it's a neat idea but in the end what they care about is: Does it work (reliably)? Does it have nice features (voice, video, and possibly file transfers and emoticons)? Can I use it across my devices? For example, Skype mostly fits the bill here.
I once had a guy ("we all know one" in GPP) pull that hard-sell on me and some other friends, in the early days of Google Talk; he'd keep his Messenger account logged in only to tell us that any further chats would be over XMPP or not at all. Guess what happened.
Unfortunately, the chances of people actually choosing to use it (or even wiling to try it) is relatively slim. Not because of anything inherently wrong with XMPP itself, but primarily the extreme foothold shitty text messaging and Facebook has these days.
I'll give you one downside: *nobody* outside of us techies has heard of XMPP. So *their* acquaintances are not on XMPP either and they would let you install that client only to chat with you.
People for whatever reason these days love bending over with their pants down, paying ridiculous amounts for text messages (bragging "unlimited" this, "unlimited" that), and anything better (cheaper, not tied to one phone/system, security with TLS and OTR, etc.) is automatically shunned when the word "registration" pops up. Not to mention most people I talk to end up with a blank stare and do not care one bit when I bring up "security" and "privacy" in the conversation.
For a lot of people it really is an already-determined lost cause.
Not everybody has shitty SMS plans (mine is unlimited for all purposes). Not all people care about secure communications, especially when they're about dinner plans and random chit-chat. They also don't perceive eavesdropping as a significant risk (they trust Google and Microsoft, especially the latter since they made his O/S), much less their gov't snooping in ("Pfft... my emails would bore them sick"). No cause of theirs is lost.
Those people, I just won't "chat" with.
Do you have non-techy relatives and friends, who can't be arsed to install Pidgin in their Macs? And you make it harder for them to contact you because you can't be arsed to register a perfunctory email account (with a silly fake name and behind a proxy if you're so keen on protecting UltraZelda64's identity) and use the client (inside a virtual machine if you fear malware/rootkits) it to say "Hi, grab a coffee?" ? People before causes, bro.
Re: (Score:1)
People before causes, bro.
I don't agree with this. At some point you have to stick to your principles.
I totally agree that the networking phenomenon makes it difficult it to use solid communication protocols, and you do have to think honestly about how the average person will react. I've gone back and forth over time over where to draw that line.
However, corporations and the government manipulate this to their benefit. It's precisely because of this "people before causes" idea that they pull this, because people aren't willing to sa
Re: (Score:2)
I remember a time when people were willing to try different programs to communicate, and it was no big deal. It seems like over time, people have become more and more wedded to frameworks provided by big companies like Google, Microsoft, and Apple, rather than tools.
I noticed the same thing. I have also noticed that with the explosion of text messaging, people tend to just use that and avoid *anything* that requires any amount of setting up whatsoever. While people used to be more willing to change, it seems that these days they are far more resistant to stray from text messaging and Facebook. They tend to use the claims "I'm on Facebook" or "everyone I know is on Facebook," or for text messaging "I'm paying for it so I use it" or "I have unlimited text messaging."
B
Re: (Score:2)
They don't want to be lectured on the importance of openness
Which is why I'd go over the unique features above all else, and only briefly touch on the "openness" details... such as Federation and the freedom to even host your own server if you want. The way I see it, the "openness" (specifically, the Federation) is just a bonus.
at most they'll acknowledge it's a neat idea but in the end what they care about is: Does it work (reliably)? Does it have nice features (voice, video, and possibly file transfers and emoticons)? Can I use it across my devices? For example, Skype mostly fits the bill here.
Reliability--yeah, people care about that, but it's not something most people consider when choosing a service. Most people I know just get pissed when the service doesn't work, but as soon as it works again they forget all about it. Most
Re: (Score:2)
I no longer no anyone who uses AIM
WTF... did I seriously just type that? Wow, I really need to get new glasses... know, I obviously meant...
Where is the edit function when you need it?
Re: (Score:2)
There is an XMPP interface to Facebook chat which works pretty well. Works even better than GMail on some aspects.
Re: (Score:2)
Unfortunately, it:
1) Requires a Facebook account, and I would never trust that company enough to create an account there.
2) Is not really XMPP from what I understand, just an interface for compatibility purposes.
3) Does not support Federation with all the other XMPP servers out there.
But yeah--I agree that if you've already given your information to Facebook, then their "chat" service might not be too bad. Certainly it's got users out the ass.
Re: (Score:1)
Re: (Score:2)
We have XMPP+Jingle, SIP+SIMPLE, OMA IMPS [wikipedia.org], and now this IMPP joins the club. Guess why people stick to Live Messenger, Skype, Google Talk, Facebook and (gasp) ICQ? These have providers and a pre-existing audience, and people don't care about the inner workings. You can have the best-thought-out, most efficient, open and extensible gem of a protocol, but how many people are going to download a (likely clunky) client and nag their relatives, friends and coworkers into installing it too? Yes, there are a few and we all know one; just wait until said project goes belly-up.
People started caring about gtalk's inner workings when they realized they could not longer see a lot of their contacts (the non-google ones) in the new "hangouts" clients.
Jabber precedes Skype. XMPP precedes Gtalk.
Seems like most of your claims are invalid.
Also, there's a new XMPP<->SIP federation standards in the works (it's still a IETF draft though).
Re: (Score:2)
STANDARDS vs SERVICES. I can plan my life with Summer Glau from courtship to the kids to be had and retirement, and refine it until my fingertips bleed, but it's not getting me any closer to a material reality. Or rewrite the English language into perfect consistency. Hmm... a Dr. Esperanto came to mind.
Re: (Score:2)
It's not a service, it's a standard being drafted by the IETF, which would allow any xmpp or sip server to federate to the other protocol.
Re: (Score:2)
Guess why people stick to Live Messenger[...]?
No, they don't. Microsoft shut down Live Messenger in April. You're expected to use Skype instead.
My friends aren't exactly happy about that; Skype doesn't exactly have a great user interface. There's a reason why most of them have standardized on Jabber for IMs: You can use third-party clients with a reasonable user interface without running into compatibility issues. Additionally, most people also know someone who doesn't use their IM of choice and don't want to have multiple IM clients open at the same
Re: (Score:2)
No, they don't. Microsoft shut down Live Messenger in April. You're expected to use Skype instead.
So the news articles claimed but at least for me pidgin still seems to connect sucessfully to it and get the buddy list (though it's a while since i've actually tried to talk to anyone on it, been using irc more laterly)
Re: (Score:2)
IMPP name already taken. (Score:5, Interesting)
The IMPP name has already been used by the IETF for its own standard IM protocol. Its really something that they would have accidentally chosen the same name of an already existing protocol.
Trillian - Digsby - Facebook (Score:2)
I was a huge proponent of Trillian (and a paying customer) for quite some time. I used it to connect my AIM, ICQ, MSN, and Yahoo accounts.
At about the time I ditched ICQ, it seemed that Trillian was getting bigger and more bloated with features I didn't care about, and had frequent connection problems. And so I tried Digsby and loved it.
Then I believe I got a new computer, and for about a week I forgot to install Disgby. Turned out that nearly everyone I wanted to chat with was either on Facebook or SMS, an
that will help (Score:2)
Lets deal with protocol fragmentation by introducing another protocol.
Facebook uses XMPP (Score:1)
TLS encryption is junk (Score:2)
Self signed certs are worthless too. Most people will accept any ould cert without wondering why a new one was issued