I have searched online, and what I mostly come across is what these security issues are...
for example, Worms, Backdoor Trojan Horses, Hijacking and Impersonation, Denial of Service etc.
but I dont recall coming across something that deals with HOW I would avoid these issues while writing my messenger.
From what I have understood so far, the security really does depend a lot on the user, because he ultimately decides who he should receive the file from...
for now, i am thinking about using password encryption and centralized server (less chance of dos attack). other than that, what measures can I take to avoid security threats? i am writing the messenger in c#, if that helps?
also, any other benefit of using centralized server over p2p other than dos attacks?
5  3062  
Well, with a centralized server, you make it a single point of attack. If someone is able to compromise your server, they are then able to act as the server and intercept data - performing a man in the middle attack. You also then get into accountability. Are you going to log the data coming across your servers? What if it's military information? Death threats? How much logging and reporting will you do? What do you mean by password encryption? Just md5 or something? Not any sort of PGP or public/private key encryption? Are you going to allow other people to develop their own clients? What if someone reverse-engineers yours? Are you going to inherently trust data coming from a client? What if a legitimate user decides to become malicious to another user, and then develops their own client. They can then be authenticated as a "trusted user" but will you trust the data that is coming from them? Will the server process any of this data, or will it just pass it on?
Those are just a few "big picture" items you might want to think about, but some of them are just ideas, not really practical or should be too concerning to you. (In some cases, it can be beneficial to log everything in a central server, then you are able to cooperate with law enforcement if you so desire - then culpability is not on you. Also, if they have to connect with you, you can do validation. If they don't transmit the right version of a client, you can deny access until they upgrade - forcing them to be secure, in essence.)
Most of the vulnerabilities I have seen with chat clients such as AIM are in the way their periphreals are processed - the buddy icons, file transfers, etc... I would actually recommend Googling for old exploits - learning from the people who have done this before, and write your client so that it does not allow those vulnerabilities .
You have done your researching with the types of attacks, so how would you deny someone the ability to send a trojan? Don't allow file transfers, or make it so that the user knows exactly what is going on, the proper filename, have a pop-up warning about the file coming in for download telling the user to make sure they trust the person, or to chat with them to make sure they sent a file...
I'd also like to commend you on being security conscious before you began programming the app - that's a viewpoint that is slowly changing, and hasn't caught on too much, that security does need to be in the design.
I have searched online, and what I mostly come across is what these security issues are...
for example, Worms, Backdoor Trojan Horses, Hijacking and Impersonation, Denial of Service etc.
but I dont recall coming across something that deals with HOW I would avoid these issues while writing my messenger.
From what I have understood so far, the security really does depend a lot on the user, because he ultimately decides who he should receive the file from...
for now, i am thinking about using password encryption and centralized server (less chance of dos attack). other than that, what measures can I take to avoid security threats? i am writing the messenger in c#, if that helps?
also, any other benefit of using centralized server over p2p other than dos attacks?
hi, i am looking to create a server based messenger application using java. can you please describe in detail what ur messenger is and how did u create it? it would help me a lot
thanx
You know, you could look at the source for Pidgin or something... That might help you a bit more...
If you are using freewares even skype then you are most likely vulnerable to these bugs..Skype users just faces a worm threat last month. So its always better to go with professional solutions as Webex , Rhubcom, Gomeetnow etc.
 sicarie 4,677
Recognized Expert Moderator Specialist
If you are using freewares even skype then you are most likely vulnerable to these bugs..Skype users just faces a worm threat last month. So its always better to go with professional solutions as Webex , Rhubcom, Gomeetnow etc.
Wow, well that's just not true. Like, at all. Do you work for Microsoft? RIAA? SCO?
I mean, freeware vs closed source - Linux vs Windows. Look at stability and security (because there is a trade off between security and usability, and security directly relates to stability).
Or something like ISS's suite vs Snort/OSSIM. OSSIM not only contains Snort and captures everything ISS's suite does, but then has the OSSIM reporting functionality as well as things like Arpwatch.
For messaging, look at AIM vs Pidgin. All the worms that are spread through AIM, I think the only one that might have touched Pidgin was the icon vuln, and that was in the graphic.
I mean, do you research these claims before you make them?
Obviously the 'best of breed' application is going to have the most effort leveraged against it in the 'exploit' world just because it's used by the most amount of people, which is partly why Windows is so vulnerable, but they didn't do themselves any favors by writing bad code. This is what happened to Skype, but it's also fixed, and now better. But assuming that an app is more secure just because it is a commercial product is pure, unadulterated FUD.
Sign in to post your reply or Sign up for a free account.
Similar topics | |
by: |-|erc |
last post by:
<?php
// Get the names and values for vars sent by index.lib.php3
if (isset($HTTP_GET_VARS))
{
while(list($name,$value) = each($HTTP_GET_VARS))
{
$$name = $value;
};
};
|
by: Albert Sims |
last post by:
Afternoon all. I have a question, hope I'm in the right place. Since
installing the final of Service Pack 2, I find that, using Internet
Explorer, or MSN Messenger, I can no longer access the MSN chat rooms. I
have tinkered around with the security settings till I am blue in the
face. I subscribe to Hotmail Extra Storage to have access to the good
chat rooms. What happens when I go to the website or use the Messenger,
I hit "Sign In" .net...
|
by: Kevin Buchan |
last post by:
Obviously, having a link with 'http://' at the beginning of it
launches the default browser and navigates to the address listed.
A link with 'mailto:' at the beginning starts an email with the
addressee already identified.
I was wondering if there is some type of prefix that would allow a MSN
Messenger conversation to be initiated. My firm is already
standardized on MSN Messenger and IE 5.5, so if the solution required
these in a...
|
by: JM |
last post by:
Hi,
I made an ASP.NET chat application using remote scripting, so that the
entire page does not refresh when new messages arrive. The client-side
has a timer that accepts new messages every 5 seconds. All it does is
concatenate the new message to the existing chat message string. Now I
want to add emoticons just like MSN and Yahoo! Messenger. Can you guys
please give me an idea on how to make this work? Is it possible to
integrate...
|
by: Robert Dufour |
last post by:
I have an app that uses messenger service. When the app starts up it checks
to see if messenger is running on the computer and starts it if it is not.
The code works fine on my dev machine on which I have administrator
permissions.
I am wondering if someone starting the app with more restricted permissions
would also be able to have the code start the service or would the security
context prevent the start command on the messenger service...
| | |
by: nbt725 |
last post by:
Dear Sir,
Hello ! I want 1 to 1 chat script in php between client coming to site to chat with admin. And admin can chat with multiple client.There can be multiple admin. I want to disable login window also would supply login details if required thro' script/existing database.
I saw many free php chat scripts but they are many to many like messenger where as in this sort of requirement when customer comes and wants to chat with service...
|
by: vidhyapriya |
last post by:
Hi All
I am developing Messenger like Yahoo,Google Talk,MSN...I am using socket programming for sending instant message between two users.My code working within my network(Intranet),If i use it in Internet its not working...what to do to solve my problem...any one help me its urgent for my project...Thanx in advance
|
by: Maidenz08 |
last post by:
Can anyone tell how to capture both sides of the chat logs? I can capture the logs from my end using key strokes and capturing the title of the current active window the user is typing in. but any clue on how to capture incoming IM messages. I have read that reading a particular port will solve the problem. But some clients like yahoo messenger use dynamic multiple ports. I also want to know if once the chat is established will the chat continue...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
