April 9th, 2014
OpenSSL Heartbleed Vulnerability Update
This past Monday, April 7th, the OpenSSL Project released an update to address a serious security issue – CVE-2014-0160 – nicknamed “Heartbleed”. Any server or client application that depends on impacted versions of OpenSSL is vulnerable to a leak of encrypted secrets to a remote attacker.
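As an added example (not part of the original post and not Cerulean Studios' code), the following Python code classifies an OpenSSL version banner against the upstream releases affected by CVE-2014-0160. The affected range (1.0.1 through 1.0.1f, and 1.0.2-beta through 1.0.2-beta1) comes from the OpenSSL advisory rather than from this post; the function names and sample banners are constructed for illustration.

```python
import re
import ssl

# Upstream releases affected by CVE-2014-0160 (per the OpenSSL advisory):
#   1.0.1 through 1.0.1f, and 1.0.2-beta through 1.0.2-beta1.
# Fixed in 1.0.1g and 1.0.2-beta2. The 1.0.0 and 0.9.8 branches never
# shipped the heartbeat extension.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from a banner such as
    'OpenSSL 1.0.1e 11 Feb 2013', or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def heartbleed_status(banner):
    """Classify a version banner as 'affected', 'fixed', 'not affected'
    or 'unknown'. This judges the upstream version string only: a build
    compiled with -DOPENSSL_NO_HEARTBEATS, or a distribution package that
    backported the fix without changing the version letter, can report an
    affected version and still be safe, so confirm against the package
    changelog before acting on 'affected'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' are affected; 'g' onward is fixed.
        return "affected" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2) and beta is not None:
        # 'beta' and 'beta1' are affected; 'beta2' onward is fixed.
        beta_number = int(beta[4:] or 0)
        return "affected" if beta_number <= 1 else "fixed"
    return "not affected"


def local_status():
    """Status of the OpenSSL library this Python interpreter is linked to."""
    return heartbleed_status(ssl.OPENSSL_VERSION)
```
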
Trillian Cloud Infrastructure.
As of Tuesday, April 8th at 23:00 UTC, all of Trillian’s infrastructure has been updated and is no longer vulnerable. This includes our general-purpose web servers, the servers used to facilitate our web and mobile clients, and the IMPP servers that power our actual IM network. Because this attack could have exposed our TLS certificate, we’ve also generated a new private key and obtained a new certificate as a precaution.
Trillian for Windows versions 5.3.x.x to 220.127.116.11 are vulnerable to Heartbleed. Although exploiting a client is a few orders of magnitude more difficult than exploiting a server, exploitation is still technically possible and we urge everyone to upgrade their clients as well. A new version, 18.104.22.168, is now available via auto-update and direct download. Other versions of Trillian, including Trillian for Mac, are not impacted by this vulnerability.
In-House Trillian Servers.
All versions of in-house Trillian Servers are vulnerable to Heartbleed. An updated version, 22.214.171.124, has been released and all in-house customers will be sent additional information directly via email shortly. If you’re not sure if your company has updated its server and need assistance or clarification, please get in touch.
Because the surface area of this vulnerability is so large and impacts thousands of different companies, we recommend that all Trillian users change their passwords as a precautionary measure. The recommended way to change your password is from within Trillian itself, in preferences. This is also a good opportunity to review your overall password strategy: make sure you don’t share passwords between sites and that your passwords are as strong as possible!
Posted in Cerulean News
March 5th, 2014
This week, a competitor of ours (imo.im) decided to drop support for third-party IM networks and focus on building out their own platform instead. This got us thinking: reverse engineering other IM protocols is a thankless task and Facebook just acquired WhatsApp for ~19 billion dollars, so what the heck are we still doing here?
Interoperability is difficult.
To be perfectly clear, everything the imo team said is true: supporting third-party messaging networks is awful. Not only can it be frustrating technically, but you’re often left with a half-broken implementation for reasons completely outside of your control. Why isn’t AIM connecting today? Dunno. Why do half of your Facebook messages not show up on all of your devices? Blame feature gaps in their XMPP gateway. At some point, the temptation to punt and focus your company’s energy on building its own reliable messaging network is almost unbearable.
We’ve been there.
In fact, we’ve been running our own messaging network since 2006 in the form of what some of you know as Astra and others just as Trillian. Running our own messaging network has given us the opportunity to build our own awesome IM protocol, work on things like audio and video calls, reliable file transfers, native support for TLS, our “continuous client” dream, and generally learn all of the ins and outs of running a service. It’s been great, and we obviously believe our service is fantastic!
Trillian was started because Kevin and I had a problem: we were tired of having to load mIRC and AIM at the same time just to stay in touch with all of our contacts. Millions of people still rely on “legacy” networks like AIM, Yahoo, and Google Talk to get their jobs done and stay in touch with (ok, perhaps slightly older!) members of their families. We therefore believe it remains important that we keep up our efforts at providing interoperability in Trillian even as we continue to invest in our own network. Still, it’s important to remember that Trillian is not immune to industry change, and the day may come when we’re no longer able to provide interoperability for reasons outside of our control: Microsoft’s decision to shut down SkypeKit, for example, will eventually be the end of Skype in Trillian. That’s why we encourage everyone to use Trillian’s messaging network: share your Trillian username with your other Trillian-using friends and add each other to get started!
We wish the entire imo team the best of luck, and are obviously a little jealous of their newfound freedom from nights buried in assembly and network dumps. We hope that when they make their first billion they remember our shared struggle and send over a box of Cristal.
Posted in Cerulean News
June 12th, 2013
Right now, you can pick up the phone and call anyone in the world regardless of the telephone company they use. Email works this way, too: Gmail users can easily send emails to Yahoo! users and so on. Instant messaging has always lacked this back end glue – what we call “interoperability” – and so we’re left signing up with multiple service providers just to ensure coverage across our social network. The result is a mess: Mom is on Facebook, Dad is on Yahoo!, and our co-workers are on Skype. We think this should change, so today we’re making our own small contribution to interoperability by publishing the technical specifications that will allow the outside world to send messages to Trillian users. 1
Why are we doing this? As much as we’re happy to continue reverse engineering IM protocols, Cerulean Studios should also be doing its part to promote open and federated communication. We just so happen to have a great IM protocol we’ve been building and operating for the better part of the past decade – Trillian users will recognize it as the protocol that powers the Trillian IM network – and think the time is right to open it. We’re also laying the foundation to open our network to federation (which means our servers will talk to other servers in the same way an AT&T customer can call a Verizon customer) and continuing our commitment to run a business whose primary focus is its communication products, not advertising. This last point is important – it means we make money when we improve instant messaging, not when we gather enough eyeballs to show them ads.
Some technical bits: while our IM protocol is in production today, it should be considered under active development and therefore subject to (sometimes sweeping!) change. The documentation is also in an early state and should be considered “informational” only. If there’s enough interest in us continuing our documentation efforts we will do so; if not, we still believe publishing our protocol and opening Trillian to future federation is the right thing to do. Feel free to get in touch if you have comments or questions or want to help out in some way, and thanks for your support!
1. Relying on monolithic service providers has other disadvantages as well.
Posted in Cerulean News
January 23rd, 2013
Trillian 5.3 for Windows, Trillian for Business!
A couple of cool announcements today. To start with, we’re taking Trillian 5.3 for Windows out of beta and making it available to everyone. We’re also announcing a special business version of Trillian that tackles most of the business-oriented features that customers have been requesting over the years. Take a look at what’s new!
Group chat improvements.
Save chats to your contact list, automatically join selected chats, stay in chat rooms even when closing the window, edit topics directly from the chat window, and much more!
Trillian group chats.
In addition to beefing up group chats across the board, we’re also unveiling Trillian group chats in 5.3! Right now you’ll need to be on the Windows client to take advantage of group chats but we’ll be rolling support out for other devices soon. Trillian group chats are a great way to keep a team connected – they’re persistent and cloud-history backed, ensuring you can catch up on conversation that happened while you weren’t around.
Our new in-game plugin exposes an overlay that works inside of full screen games to keep you chatting while you play! In-game chat supports tabbed chatting, alerts, and a cool “unread badge” that sticks around even when the overlay isn’t visible so you always know how many unread messages await you. You can enable the plugin in your “Chat Windows” preferences.
Trillian for Business.
Claim your domain with Trillian for Business! Small teams looking for an easy way to communicate without managing internal IM servers and larger teams looking to control client deployment and policies can both benefit from Trillian for Business. Learn more on our FAQ page.
5.3 vastly improves the way Trillian handles SSL certificate validation. The list of root certificate authorities that Trillian trusts is now bundled in a user-configurable text file, and when talking to servers with self-signed or otherwise invalid certificates Trillian will now let you know so that you can decide how to proceed.
The small stuff.
Lots of minor visual cleanups went into 5.3 as well, including some new status icons to make it more obvious who is online and who is away. Both message windows and the contact list have received some shiny new visual upgrades and general cleanups, our Skype integration should now work correctly on Windows 8, and Trillian users can now be invited to Google Talk chat rooms. We also spent some time improving the IRC engine in minor ways for 5.3. Check out the full changelog here, and thanks for supporting Trillian!
Posted in Cerulean News, Trillian for Windows
January 18th, 2013
Trillian and Windows Live Messenger
As many of you have heard by now, Microsoft is shutting down Windows Live Messenger and directing users to Skype. There are two important concepts at play here – the Messenger clients and the Messenger servers. When we talk about the Messenger client, we’re referring to the official Microsoft Windows Live Messenger software, not Trillian. We wanted to take a minute and list all of the things we know so far in order to give Trillian customers as much time as possible to decide how best to proceed.
1. Effective early this year, Microsoft will be disabling their own Messenger client software. This means if you or your friends use the Messenger client, you won’t be able to sign in. As far as we know, this will have no impact on Trillian or other third-party IM solutions as the change is software-specific.
2. Some time next year, Microsoft will begin to disable their Messenger servers. This move will impact every client, including Trillian and any other third-party IM software that you and your friends may be using. At this point, the Messenger service as you know it will cease to exist – you will not be able to sign in.
3. As a result, Microsoft is currently asking its customers to merge their Messenger and Skype accounts and install the latest version of the Skype software. Unfortunately, the Skype-sanctioned method that we use to communicate with Skype relies on an SDK known as “SkypeKit”, which as of this writing does not work with migrated accounts. This means that if you listen to Microsoft and merge your Skype and Messenger accounts, you will be bricking your copy of Trillian in terms of Skype access. We are hopeful that Skype will be issuing a new update to their SkypeKit SDK that works with migrated accounts but have no insight into if and/or when this will occur. In the meantime, consider hanging tight on the migration if you want to continue using Skype through Trillian. One point of later clarification: until Microsoft starts rejecting Skype logins from your original Skype usernames, you can still use Skype through Trillian with your Skype usernames. It won’t be until a Windows Account is required that Trillian in its current form will have trouble signing in, and hopefully the SDK will be updated by then.
To minimize possible service outages, we recommend that any of you using Trillian to talk to other Trillian users start taking steps to migrate over to the Trillian IM network (referred to as “Astra” in some places) or another Trillian-supported IM network as soon as possible. Your Trillian username can be shared with other Trillian users so that they can add you and start chatting right away. Like Messenger, the Trillian network supports buzzes, drawing, voice and video chats, file transfers, and strong privacy controls. Unlike Messenger, the Trillian network also uses SSL by default to encrypt your conversations over-the-wire, supports persistent group chats, and is more reliable in terms of online and offline message delivery. If you’re currently relying on Messenger at your business, be sure to also evaluate our business-centric offerings to see if they will work for your company. We’ll keep everyone posted as we learn more about Messenger and Skype; thanks for supporting Trillian!