Instant messengers such as AIM, Google Chat and YIM present some interesting security challenges.  They can be exceedingly useful tools for a handy hybrid synchronous/asynchronous communication channel, but they also present some threats to both the user and those entities, be they an employer, government or other, that might wish to track and/or record an instant messaging conversation.  Controlling and protecting instant messaging may be an important task to users, network administrators and the aforementioned organizations but it isn't a simple task, further complicated by the continuing evolution of the applications.

I label most instant messengers as hybrid realtime/delayed communications media because so many are capable of storing messages when a 'buddy' is unavailable.  This allows instant messengers to degrade from an instantaneous channel to a more email-like 'get it when convenient' paradigm.  This also means that the owner of the IM server owns the contents of all these conversations as well.  So security from the vendor themselves is practically a lost cause.  This fact shows up even in a privately held, internal IM system (Hindocha, 2003), where messages stored on the server may subject to theft.  They may also be susceptible to deletion or corruption wherever they are stored.  Man in the middle, denial of service and hijacking are also possible as the messages traverse the network.  Therefore, as Ornaghi and Valleri (2003) point out, it's advisable to use cryptographic suites conscientiously and correctly.  However, given the growing penetration of instant messaging, it's heterogeneity of platforms and the aforementioned possible lack of control of the server, this could be as challenge in and of itself.  But as long as we remain aware of the issues we can educate users, achieve what encryption and authentication we can at lower layers and encourage the use of instant messengers that do make it available (Sourceforge, 2011).  Instant messaging is probably too useful an app to do entirely without so we should try to find ways to accommodate it without damaging our security models excessively.

Hindocha, N. (2003) Instant Insecurity: Security Issues of Instant Messaging [Online].  Available from: http://www.symantec.com/connect/articles/instant-insecurity-security-issues-instant-messaging (Accessed: 7 March, 2011)

Ornaghi, A. & Valleri, M. (2003) Man in the middle attacks [Online].  Available from: alor.antifork.org/talks/MITM-cisco.ppt (Accessed: 7 March, 2011)

Sourceforge.net (2011) Pidgin-Encryption [Online].  Available from: http://pidgin-encrypt.sourceforge.net/  (Accessed: 7 March, 2011)