chat messenger - security issues?

Well, with a centralized server, you make it a single point of attack. If someone is able to compromise your server, they are then able to act as the server and intercept data - performing a man in the middle attack. You also then get into accountability. Are you going to log the data coming across your servers? What if it's military information? Death threats? How much logging and reporting will you do? What do you mean by password encryption? Just md5 or something? Not any sort of PGP or public/private key encryption? Are you going to allow other people to develop their own clients? What if someone reverse-engineers yours? Are you going to inherently trust data coming from a client? What if a legitimate user decides to become malicious to another user, and then develops their own client. They can then be authenticated as a "trusted user" but will you trust the data that is coming from them? Will the server process any of this data, or will it just pass it on?

Those are just a few "big picture" items you might want to think about, but some of them are just ideas, not really practical or should be too concerning to you. (In some cases, it can be beneficial to log everything in a central server, then you are able to cooperate with law enforcement if you so desire - then culpability is not on you. Also, if they have to connect with you, you can do validation. If they don't transmit the right version of a client, you can deny access until they upgrade - forcing them to be secure, in essence.)

Most of the vulnerabilities I have seen with chat clients such as AIM are in the way their periphreals are processed - the buddy icons, file transfers, etc... I would actually recommend Googling for old exploits - learning from the people who have done this before, and write your client so that it does not allow those vulnerabilities .

You have done your researching with the types of attacks, so how would you deny someone the ability to send a trojan? Don't allow file transfers, or make it so that the user knows exactly what is going on, the proper filename, have a pop-up warning about the file coming in for download telling the user to make sure they trust the person, or to chat with them to make sure they sent a file...

I'd also like to commend you on being security conscious before you began programming the app - that's a viewpoint that is slowly changing, and hasn't caught on too much, that security does need to be in the design.

hi, i am looking to create a server based messenger application using java. can you please describe in detail what ur messenger is and how did u create it? it would help me a lot
thanx

You know, you could look at the source for Pidgin or something... That might help you a bit more...

If you are using freewares even skype then you are most likely vulnerable to these bugs..Skype users just faces a worm threat last month. So its always better to go with professional solutions as Webex , Rhubcom, Gomeetnow etc.

Wow, well that's just not true. Like, at all. Do you work for Microsoft? RIAA? SCO?

I mean, freeware vs closed source - Linux vs Windows. Look at stability and security (because there is a trade off between security and usability, and security directly relates to stability).

Or something like ISS's suite vs Snort/OSSIM. OSSIM not only contains Snort and captures everything ISS's suite does, but then has the OSSIM reporting functionality as well as things like Arpwatch.

For messaging, look at AIM vs Pidgin. All the worms that are spread through AIM, I think the only one that might have touched Pidgin was the icon vuln, and that was in the graphic.

I mean, do you research these claims before you make them?

Obviously the 'best of breed' application is going to have the most effort leveraged against it in the 'exploit' world just because it's used by the most amount of people, which is partly why Windows is so vulnerable, but they didn't do themselves any favors by writing bad code. This is what happened to Skype, but it's also fixed, and now better. But assuming that an app is more secure just because it is a commercial product is pure, unadulterated FUD.