
chat messenger - security issues?

I have searched online, and what I mostly come across is what these security issues are...
for example, Worms, Backdoor Trojan Horses, Hijacking and Impersonation, Denial of Service etc.

But I don't recall coming across something that deals with HOW I would avoid these issues while writing my messenger.
From what I have understood so far, the security really does depend a lot on the user, because he ultimately decides who he should receive the file from...

For now, I am thinking about using password encryption and a centralized server (less chance of a DoS attack). Other than that, what measures can I take to avoid security threats? I am writing the messenger in C#, if that helps.

Also, is there any other benefit of using a centralized server over P2P, other than DoS attacks?
Jun 30 '07 #1
Colloid Snake
Well, with a centralized server, you make it a single point of attack. If someone is able to compromise your server, they are then able to act as the server and intercept data, performing a man-in-the-middle attack. You also then get into accountability. Are you going to log the data coming across your servers? What if it's military information? Death threats? How much logging and reporting will you do? What do you mean by password encryption? Just MD5 or something? Not any sort of PGP or public/private key encryption? Are you going to allow other people to develop their own clients? What if someone reverse-engineers yours? Are you going to inherently trust data coming from a client? What if a legitimate user decides to become malicious to another user, and then develops their own client? They can then be authenticated as a "trusted user", but will you trust the data that is coming from them? Will the server process any of this data, or will it just pass it on?

Those are just a few "big picture" items you might want to think about, but some of them are just ideas, not really practical, and they shouldn't be too concerning to you. (In some cases, it can be beneficial to log everything in a central server; then you are able to cooperate with law enforcement if you so desire, and culpability is not on you. Also, if they have to connect with you, you can do validation. If they don't transmit the right version of a client, you can deny access until they upgrade, forcing them to be secure, in essence.)

Most of the vulnerabilities I have seen with chat clients such as AIM are in the way their peripherals are processed: the buddy icons, file transfers, etc. I would actually recommend Googling for old exploits, learning from the people who have done this before, and writing your client so that it does not allow those vulnerabilities.

You have done your researching with the types of attacks, so how would you deny someone the ability to send a trojan? Don't allow file transfers, or make it so that the user knows exactly what is going on, the proper filename, have a pop-up warning about the file coming in for download telling the user to make sure they trust the person, or to chat with them to make sure they sent a file...

I'd also like to commend you on being security conscious before you began programming the app - that's a viewpoint that is slowly changing, and hasn't caught on too much, that security does need to be in the design.
Jul 3 '07 #2
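The points above about refusing out-of-date clients, never trusting client-supplied data, and showing the recipient the real filename before a transfer can be turned into one server-side gate. This is an added example for a C# messenger, not code from the thread; the message fields, the minimum version and the size limit are assumptions.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example (not from the thread): what the server checks before a
// file-transfer offer from one client is relayed to another. Field names
// and policy numbers are assumed for this example.
public sealed class FileOffer
{
    public string ClientVersion = "";
    public string FileName = "";
    public long DeclaredSize;
}

public static class OfferValidator
{
    public static readonly Version MinClientVersion = new Version(1, 2, 0); // assumed
    public const long MaxFileBytes = 50L * 1024 * 1024;                      // assumed

    // Returns null when the offer may be shown to the recipient, otherwise the refusal
    // reason. displayName is what the recipient's warning pop-up should show: the
    // sanitized final path component, its real (last) extension and the declared size.
    public static string Validate(FileOffer offer, out string displayName)
    {
        displayName = "";
        // Deny access until the client is upgraded to a version we still support.
        if (!Version.TryParse(offer.ClientVersion, out Version v) || v < MinClientVersion)
            return "client version too old; upgrade required";
        if (offer.DeclaredSize <= 0 || offer.DeclaredSize > MaxFileBytes)
            return "declared size out of range";

        // Keep only the last path component so the sender cannot steer where the file is saved.
        string name = offer.FileName.Replace('\\', '/');
        name = name.Substring(name.LastIndexOf('/') + 1).TrimEnd(' ', '.');
        if (name.Length == 0)
            return "empty filename";
        if (name.Any(c => char.IsControl(c) || Path.GetInvalidFileNameChars().Contains(c)))
            return "filename contains forbidden characters";

        // Spell out the last extension so "holiday.jpg.exe" is not mistaken for an image.
        string ext = Path.GetExtension(name);
        string kind = ext.Length == 0 ? "no extension" : "extension " + ext;
        displayName = $"{name} ({kind}, {offer.DeclaredSize:N0} bytes)";
        return null;
    }

    public static void Main()
    {
        var offer = new FileOffer { ClientVersion = "1.3.1", FileName = "../holiday.jpg.exe", DeclaredSize = 40000 };
        string reason = Validate(offer, out string shown);
        Console.WriteLine(reason ?? "offer ok, warn recipient: " + shown);
    }
}
```

The recipient's pop-up should present displayName and the sender's identity and require an explicit accept; the server still treats the transferred bytes as untrusted regardless of what the offer declared.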
Hi, I am looking to create a server-based messenger application using Java. Can you please describe in detail what your messenger is and how you created it? It would help me a lot.
Thanks
Aug 27 '07 #3
Colloid Snake
You know, you could look at the source for Pidgin or something... That might help you a bit more...
Aug 29 '07 #4
If you are using freeware, even Skype, then you are most likely vulnerable to these bugs. Skype users just faced a worm threat last month. So it's always better to go with professional solutions such as Webex, Rhubcom, Gomeetnow etc.
Feb 28 '08 #5
sicarie
Wow, well that's just not true. Like, at all. Do you work for Microsoft? RIAA? SCO?

I mean, freeware vs closed source - Linux vs Windows. Look at stability and security (because there is a trade off between security and usability, and security directly relates to stability).

Or something like ISS's suite vs Snort/OSSIM. OSSIM not only contains Snort and captures everything ISS's suite does, but then has the OSSIM reporting functionality as well as things like Arpwatch.

For messaging, look at AIM vs Pidgin. All the worms that are spread through AIM, I think the only one that might have touched Pidgin was the icon vuln, and that was in the graphic.

I mean, do you research these claims before you make them?

Obviously the 'best of breed' application is going to have the most effort leveraged against it in the 'exploit' world just because it's used by the most people, which is partly why Windows is so vulnerable, but they didn't do themselves any favors by writing bad code. This is what happened to Skype, but it's also fixed, and now better. But assuming that an app is more secure just because it is a commercial product is pure, unadulterated FUD.
Feb 28 '08 #6