Encryption: Buyer Beware

Encryption is a buzzword that Instant Messaging (IM) vendors love to include in their advertisements. However, good security isn't easy to achieve, and many poorly written encryption implementations exist. When considering an IM client that offers encryption, look for a product that uses industry-accepted encryption standards. Some standards that have withstood substantial peer review and are considered good choices are Secure Sockets Layer (SSL), RSA, Advanced Encryption Standard (AES), Carlisle Adams's and Stafford Tavares's CAST algorithm, Triple DES (3DES), International Data Encryption Algorithm (IDEA), pretty good privacy (PGP), Blowfish, and Twofish.

Dozens of other algorithms exist, but be wary of vendors that claim to have a "new," "super-secret," or "unbreakable" encryption routine. Cryptology experts never make such claims, and vendors that do are revealing their limited understanding of encryption. Even software that uses an industry-trusted cipher might implement it incorrectly. A poorly written encryption application is like putting three dead-bolt locks on your front door and leaving spare keys under the doormat. Consider the vendor's reputation, and review the vendor's current client list. If the IM client list includes Fortune 500 companies and branches of the US military, you can be reasonably certain that those high-risk clients did a proper due-diligence review.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.