[JDEV] Fwd: [BUGTRAQ] First reflections on security of MSN Messenger

Vijay Saraswat vj at research.att.com
Fri Jul 23 10:52:31 CDT 1999

> Sounds almost like MSN's client also spoke AIM's protocol natively?
> It also sounds like AOL isn't too happy allowing others to utilize their
> AIM service w/o using their client, but there's not much they can do since
> it's their customer's choice to use a client that utilizes the
> reverse-engineered AIM protocol.

Yes, MSN Messenger does not speak TOC. It speaks OSCAR. During the login sequence it
identifies itself as "Compatible client", whereas AOL IM clients distributed by AOL
identify themselves as clients such as "AOL Instant Messenger (TM), Version
2.1.1236/WIN32". Apparently, AOL has tweaked their servers so that "Compatible client"s
are no longer compatible :)

I wouldn't be surprised to see this hit the courts very soon.

> One of the benefits of having the transport bits happening on the server
> side is so that when something like this happens and they "tweak" their
> servers to reject clones, the tweak can be fixed and transport replaced
> without affecting or reinstalling all of the clients :)

Sure, having central mediating servers helps.

