chat messenger - security issues?

15 New Member
I have searched online, and what I mostly come across is what these security issues are...
For example, Worms, Backdoor Trojan Horses, Hijacking and Impersonation, Denial of Service etc.

But I don't recall coming across something that deals with HOW I would avoid these issues while writing my messenger.
From what I have understood so far, the security really does depend a lot on the user, because he ultimately decides who he should receive the file from...

For now, I am thinking about using password encryption and a centralized server (less chance of DoS attack). Other than that, what measures can I take to avoid security threats? I am writing the messenger in C#, if that helps?

Also, any other benefit of using a centralized server over P2P other than DoS attacks?
Jun 30 '07 #1
Colloid Snake
144 New Member
Well, with a centralized server, you make it a single point of attack. If someone is able to compromise your server, they are then able to act as the server and intercept data - performing a man-in-the-middle attack. You also then get into accountability. Are you going to log the data coming across your servers? What if it's military information? Death threats? How much logging and reporting will you do? What do you mean by password encryption? Just MD5 or something? Not any sort of PGP or public/private key encryption? Are you going to allow other people to develop their own clients? What if someone reverse-engineers yours? Are you going to inherently trust data coming from a client? What if a legitimate user decides to become malicious to another user, and then develops their own client? They can then be authenticated as a "trusted user" but will you trust the data that is coming from them? Will the server process any of this data, or will it just pass it on?

Those are just a few "big picture" items you might want to think about, but some of them are just ideas, not really practical or should be too concerning to you. (In some cases, it can be beneficial to log everything in a central server, then you are able to cooperate with law enforcement if you so desire - then culpability is not on you. Also, if they have to connect with you, you can do validation. If they don't transmit the right version of a client, you can deny access until they upgrade - forcing them to be secure, in essence.)

Most of the vulnerabilities I have seen with chat clients such as AIM are in the way their peripherals are processed - the buddy icons, file transfers, etc... I would actually recommend Googling for old exploits - learning from the people who have done this before, and write your client so that it does not allow those vulnerabilities.

You have done your researching with the types of attacks, so how would you deny someone the ability to send a trojan? Don't allow file transfers, or make it so that the user knows exactly what is going on, the proper filename, have a pop-up warning about the file coming in for download telling the user to make sure they trust the person, or to chat with them to make sure they sent a file...

I'd also like to commend you on being security conscious before you began programming the app - that's a viewpoint that is slowly changing, and hasn't caught on too much, that security does need to be in the design.
Jul 3 '07 #2
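
As an added illustration of the file-transfer advice in the reply above (not code from the thread), here is one way a C# client could check an incoming file offer before showing the accept prompt, so that the user sees the real filename. The class and method names, the size limit and the extension list are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example (hypothetical names): check a file offer before prompting the user.
public static class FileOfferCheck
{
    // Extensions Windows runs directly; illustrative, not exhaustive.
    static readonly HashSet<string> Risky = new HashSet<string>(
        new[] { ".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js", ".lnk", ".msi" },
        StringComparer.OrdinalIgnoreCase);

    // Control characters and Unicode direction overrides can hide the real extension.
    static bool IsHidden(char c) =>
        char.IsControl(c) || (c >= '\u202A' && c <= '\u202E') || (c >= '\u2066' && c <= '\u2069');

    // Returns the name to display plus warnings for the prompt; a null name means refuse.
    public static (string Name, List<string> Warnings) Inspect(string offered, long size, long maxSize)
    {
        var warnings = new List<string>();
        if (string.IsNullOrWhiteSpace(offered) || size < 0 || size > maxSize)
            return (null, warnings);

        // Keep only the last path component: the sender never picks the directory.
        string name = offered.Split('/', '\\').Last();
        if (name != offered) warnings.Add("sender supplied a path; directory part dropped");
        if (name.Any(IsHidden)) warnings.Add("hidden or direction-changing characters removed");
        name = new string(name.Where(c => !IsHidden(c)).ToArray());
        foreach (char bad in Path.GetInvalidFileNameChars()) name = name.Replace(bad, '_');
        name = name.Trim(' ', '.');          // Windows ignores trailing dots and spaces
        if (name.Length == 0) return (null, warnings);
        if (Risky.Contains(Path.GetExtension(name)))
            warnings.Add("executable file type: confirm with the sender before opening");
        return (name, warnings);
    }

    public static void Main()
    {
        // Constructed sample offers, as an untrusted peer might send them.
        string[] offers = { "holiday.jpg", "..\\..\\startup\\photo.jpg.exe", "invoice\u202Efdp.exe", "notes.txt. " };
        foreach (string o in offers)
        {
            var (name, warnings) = Inspect(o, 1024, 10 * 1024 * 1024);
            string notes = string.Join("; ", warnings);
            Console.WriteLine(name == null ? "REFUSED" : name + "  [" + notes + "]");
        }
    }
}
```

The prompt should show the returned name and warnings rather than the string the peer sent, and the file should be saved under that name in a directory the client chooses.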
andoshi
3 New Member
Hi, I am looking to create a server-based messenger application using Java. Can you please describe in detail what your messenger is and how you created it? It would help me a lot.
Thanks
Aug 27 '07 #3
Colloid Snake
144 New Member
You know, you could look at the source for Pidgin or something... That might help you a bit more...
Aug 29 '07 #4
anneyzz
2 New Member
If you are using freeware, even Skype, then you are most likely vulnerable to these bugs. Skype users just faced a worm threat last month. So it's always better to go with professional solutions such as Webex, Rhubcom, Gomeetnow etc.
Feb 28 '08 #5
sicarie
4,677 Recognized Expert Moderator Specialist
Wow, well that's just not true. Like, at all. Do you work for Microsoft? RIAA? SCO?

I mean, freeware vs closed source - Linux vs Windows. Look at stability and security (because there is a trade off between security and usability, and security directly relates to stability).

Or something like ISS's suite vs Snort/OSSIM. OSSIM not only contains Snort and captures everything ISS's suite does, but then has the OSSIM reporting functionality as well as things like Arpwatch.

For messaging, look at AIM vs Pidgin. All the worms that are spread through AIM, I think the only one that might have touched Pidgin was the icon vuln, and that was in the graphic.

I mean, do you research these claims before you make them?

Obviously the 'best of breed' application is going to have the most effort leveraged against it in the 'exploit' world just because it's used by the most amount of people, which is partly why Windows is so vulnerable, but they didn't do themselves any favors by writing bad code. This is what happened to Skype, but it's also fixed, and now better. But assuming that an app is more secure just because it is a commercial product is pure, unadulterated FUD.
Feb 28 '08 #6
