Graduate student David Molnar knows firsthand how insecure instant messaging can be.
Molnar remembers when a friend would configure his laptop as a wireless network access point in cafes, eavesdropping on the conversations of women who connected to it—material he could use in conversations that led to first dates.
But thanks to the work of UC Berkeley graduate students, that tactic may not be effective in the future.
To enhance the privacy and security of instant messaging, fellow UC Berkeley graduate student Nikita Borisov and recent graduate Ian Goldberg developed software that allows users to encrypt messages and verify the identity of chat partners while leaving no evidence that the conversation ever occurred.
Off-the-Record, a plug-in available for free download from the pair’s Web site, improves on existing security measures by providing authentication. Users are digitally assured that their messages—scrambled using a code to prevent unauthorized viewing—reach their intended destinations directly, without any third party seeing them.
In addition, the program encrypts messages without attaching digital signatures, which identify who created specific messages.
As a third feature, the software achieves what cryptologists call “perfect forward secrecy,” meaning unauthorized users are unable to unlock multiple conversations with just one key.
“Anything you decrypt today, you can’t decrypt tomorrow,” Borisov said of the program.
Borisov and Goldberg generated interest at CodeCon 2005, a recent software development conference, by highlighting the program’s appeal and necessity, said Molnar, a program coordinator for the conference.
Normally, “everyone thinks security software is a great idea, but no one wants to use it,” he said.
The program is primarily intended for those “ordinary people having day-to-day conversations” who want to eliminate the possibility of someone listening in and engaging in malicious activities like stealing passwords, Borisov said.
Another possible application rests with businesses seeking to transmit sensitive information electronically without the risk of competitors gaining access to it, he said.
Though the new technology has few implications for UC Berkeley, which does not monitor instant message traffic, Director of Communications and Network Services Clifford Frost said community members could benefit from encryption.
“You could be doing IM with someone in the next room and your traffic could be going over several different service providers’ networks,” he said in an e-mail.
Many students, however, said they are unconcerned about the security of their instant messages and are unsure if they would utilize the new program.
“I don’t think I’m important enough for anybody to mess with,” said UC Berkeley freshman Matt Mieckowski.