Instant messaging primer

Wednesday, 07 January 2009

While instant messaging may seem like a new technology, it is actually decades old. The first system, IRC, was developed in 1988 by Jarkko Oikarinen. Still in use, this system allows users to form ad-hoc discussion groups, chat with one another, and exchange files. Since the introduction of IRC, many new IM systems have been launched; for example, ICQ, AOL Instant Messenger, MSN Messenger, and Yahoo Messenger. While each of these offers different features, they all provide the same basic service: peer-to-peer real-time chatting and file transfer capabilities.

INSTANT MESSAGING AND CLIENT-SERVER COMMUNICATIONS
Virtually all IM systems employ the same basic client-server architecture. Users install instant messaging clients on their client machines—desktop computers, wireless devices, or PDAs, for example—and these clients communicate with an IM server in the messaging provider’s infrastructure to locate other users and exchange messages. In most instances, messages are not sent directly from the initiating user’s computer to the recipient’s computer, but are sent first to an IM server, and then from the IM server to the intended recipient. (See Figure 1.)

In the majority of client-server instant messaging systems, data exchanged between users is plainly visible, making it susceptible to eavesdropping.

INSTANT MESSAGING AND PEER-TO-PEER COMMUNICATIONS
While most instant messaging systems use centralized servers to transmit all messages, some systems do offer peer-to-peer messaging. In such a model, clients contact the IM server to locate other clients. Once the client chat program has located its peer, it contacts the peer directly.

INSTANT MESSAGING AND ENCRYPTION
Today few, if any, public instant messaging systems encrypt messages as they travel from the client to the server and back to the second client. This data is potentially visible to eavesdroppers anywhere along its Internet path or within the IM provider’s network. Also, popular IM systems do not encrypt peer-to-peer traffic. As shown in Figure 1, even if two users are sitting in adjacent cubicles, their messages travel over the Internet, potentially revealing sensitive information.

Corporations should consider the confidentiality of instant messaging to be only as safe as sending all internal and external company email using a public email service. For client-server-client systems, traffic sent between two users can be assumed to travel unencrypted over the Internet. For peer-to-peer systems, if either client is outside the corporate firewall, all traffic again flows unencrypted over the Internet. In both cases, content can be intercepted by attackers with the proper tools.

INSTANT MESSAGING AND FILE TRANSFERS
In addition to sending messages between users, instant messaging systems allow users to exchange files. Current systems transfer files directly between peers rather than routing them through the server as they do text messages. In other words, the technique shown in Figure 2 is always used for file transfers. This peer-to-peer scheme is used to eliminate the high bandwidth demands that server-centric file transfers would place on the provider’s network.

Currently, none of the major instant messaging systems encrypt files transferred between instant messaging clients. While the files do not directly flow through instant messaging servers, they may flow over the Internet, over a corporate LAN or WAN, or over both. If both users are on the same company network, file transfers will likely remain on the corporate network; however, if one of the users is outside the network, files will be sent unencrypted over the Internet.
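The exposure rules from the encryption and file-transfer sections above can be turned into a simple check over connection records, so a network defender can see which IM chats and file transfers are leaving the corporate network in the clear. The following is an added example, not part of the original primer; it assumes the records come from an IM-aware gateway or flow log, that the corporate address space is 10.0.0.0/8 and 192.168.0.0/16, and that the listed destination ports identify the historical IM server protocols (all of these are assumptions for illustration).

```python
"""Flag IM flows that the primer's model says travel unencrypted over the
Internet: every client-server chat (it always transits the provider's
server) and any peer-to-peer chat or file transfer with one end outside
the corporate firewall."""
import ipaddress
from typing import Dict, List

# Assumed corporate address space (illustrative, not from the primer).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# Assumed mapping of historical IM server ports to their services.
IM_SERVER_PORTS = {5190: "AIM/ICQ", 1863: "MSN", 5050: "Yahoo", 6667: "IRC"}


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def classify(flow: Dict) -> Dict:
    """Annotate one flow with its messaging model and whether its content
    is expected to cross the Internet without encryption."""
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    service = IM_SERVER_PORTS.get(flow["dport"])
    if service:
        model = "client-server"
        exposed = True  # relayed via the provider, so it leaves the LAN
    else:
        model = "peer-to-peer"
        exposed = not (src_in and dst_in)  # safe only if both ends internal
    return {**flow, "model": model, "service": service or "direct",
            "unencrypted_over_internet": exposed}


def exposed_flows(flows: List[Dict]) -> List[Dict]:
    """Return only the flows that the primer's model marks as exposed."""
    return [f for f in map(classify, flows) if f["unencrypted_over_internet"]]


# Constructed sample records: one server-relayed chat, one internal
# file transfer, one file transfer to a peer outside the firewall.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 5190},
    {"src": "10.1.2.3", "dst": "10.1.2.4", "dport": 41234},
    {"src": "10.1.2.3", "dst": "198.51.100.7", "dport": 41235},
]

if __name__ == "__main__":
    for record in exposed_flows(SAMPLE_FLOWS):
        print(record)
```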

INSTANT MESSAGING AND SCRIPTING
A handful of instant messaging platforms offer scripting capabilities, enabling users to write Visual Basic, JavaScript, proprietary script code, and other complex programs to control various features in the messaging client. This functionality, while convenient, provides mechanisms that enable the spread of computer worms and blended threats. Scripts such as these are able to instruct the instant messaging client to do any number of things: contact other users, send files, change program settings, and/or execute potentially malicious actions. A more detailed discussion surrounding these kinds of security issues is provided in the following section on instant messaging vulnerabilities and exploits.

INSTANT MESSAGING AND OTHER FEATURES
Finally, in response to a highly competitive instant messaging market, some instant messaging companies have added additional functionality to messaging clients to gain customers. For example, ICQ contains a mini-Web server that allows users to run small Web sites directly from a desktop computer. As with any Web-enabled software feature, such functionality creates the security risk that the site could be hacked to break into a system.
