Last week, the privacy conscious may have gotten a pleasant surprise. Adium, a Mac program which many people use for sending encrypted instant messages, received an update. That upgrade fixed a security issue which allowed an attacker to remotely execute code on the target's computer. Naturally, anyone who uses Adium—including journalists and activists—is probably relieved that this vulnerability has been plugged.
But, as Micah Lee from The Intercept pointed out on Twitter, this update came 19 months after the last one. In the context of computer security, that’s ancient history. And much larger problems that have members of the security community worried remain intact: that Adium, and another hugely popular chat client called Pidgin for Windows and Linux, are built on a vulnerability-prone code base.
“They were never really designed with security in mind,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard.
Both programs are based on libpurple, a notoriously buggy software library: it, and other libraries that Pidgin relies on, are “massive, written in C/C++, and are littered with memory corruption bugs,” Lee wrote on his blog way back in 2013.
“It’s great that bugs are actively getting fixed in software that experts recommend activists to use, but who knows how many more bugs haven’t been reported to the developers and are actively in use compromising the computers of people who put in extra work to remain secure,” Lee wrote.
Ethan Blanton, a developer of Pidgin, told Motherboard in an email, “I don't think that libpurple is going to be particularly larger than another multiprotocol IM library [libpurple works with Yahoo! and a number of other protocols on top of XMPP messaging], nor contain particularly more bugs.” He pointed out that the last major reported flaws were in late 2014.
Thijs Alkemade, lead developer of Adium, did not respond for a request for comment.
So why, years after it was clear that libpurple was essentially a large slab of digital Swiss-cheese, have people continued to use Pidgin and Adium? In part, it's because there just haven't been any decent, or well known, alternatives.
“It was really a choice of several, really bad, insecure options,” Soghoian said.
That might be starting to change, though.
One newish option is CoyIM, a chat program based on cryptographer Adam Langley's stripped down, command-line client written in the programming language Go—commonly seen as a safer language. It only works with the XMPP protocol, making it much smaller than anything based on the multiprotocol libpurple.
Off-the-record encryption, or OTR, used for securing messaging, is in CoyIM from the start, as well as support for Tor. Rather than being all bells and whistles, the creators wanted to choose the features that “are necessary to create a good chat experience, while keeping the attack surface of the system to a minimum,” the CoyIM website reads.
But it is very important to note that CoyIM has not received a security audit, and that it is very much an embryonic project.
“It is not ready for regular users,” Soghoian said.
There is also the recently launched Tor Messenger, made by the Tor Project, which, according to its website, does not use libpurple. However, the Tor Project make it clear that the software is only in beta, and it may have its own security issues.
Matthew Green, assistant professor at Johns Hopkins University, suggested in a Twitter message that people use Signal, a mobile phone app, for encrypted texts and calls.
“I use Adium for things I don't care about. I use Signal because it's probably a lot safer,” he said.
Although fully developed and vetted solutions for encrypted chats on desktop don’t exist quite yet, perhaps soon even non-technical users will be able to switch to a new, more secure XMPP client. That time could not come quick enough.