Secure Encrypted Chat Module
Securing electronic communications over the Internet is more important today than ever before. Ensuring the privacy and security of communications is as important as submitting encrypted personal and credit card information during eCommerce transactions. Are your private chat communications being compromised? Guard them with three layers of protection using ParaChat's Secure Encrypted Chat Module:

Messages submitted and received through a ParaChat room are encrypted using Secure Sockets Layer (SSL) (controlled by ParaChat).
The ParaChat applet class files are downloaded from a secure web server (secure applet code provided by ParaChat; implemented by customer in customer web site).
OPTIONAL: The web page that contains the ParaChat applet code may be served by a secure web server (controlled by customer for maximum security).
How ParaChat's Secure Encrypted Chat Module Works
1. Encrypting Chat Messages Sent Between ParaChat Client & Server
Because the ParaChat applet class files are downloaded from a secure web server, there is no cause for concern about having malicious chat code running on a user's computer. An applet is executed in a "sandbox" within a web browser window by the Java Virtual Machine (Java VM). Any potential damage to an end-user's computer is quite limited because a Java applet has no access to files on the end-user's computer, and can only make a connection to one server: the server from which the applet class files were downloaded.
Once the class files are executed by Java VM, a user inputs a user name (and perhaps an optional password) to log into the ParaChat room. The user is connected to a ParaChat server. The standard communication between a ParaChat room and a ParaChat server is via TCP/IP protocol or HTTP (HTTP tunneling) protocol. In either case, the communication is transmitted in plain text (just like email or a regular web page obtained using HTTP).
To secure the communication, encryption is needed. For this purpose, ParaChat uses SSL encryption, an industry standard that is also supported by Java. The chat message encryption is set up with a secure certificate. A certificate is a digital signature issued by a Certificate Authority to confirm the authenticity of a secure connection. A ParaChat applet gets the certificate during the first step of a secure connection. If the certificate cannot be verified, the secure connection will automatically abort.
2. ParaChat Applet Class Files Downloaded From Secure Server
Unlike an installed application (e.g. web browser, email client, IM client), ParaChat's client is a Java applet which is downloaded each time a user loads the web page that contains the applet, and before a user logs in to connect to the chat server. Applet class files are Java code that is executed by the Java VM on each user's computer. To ensure the applet class files come from ParaChat, the class files must be downloaded from a secure server owned and operated by ParaChat, and certified as such by a Certificate Authority.
Because the Internet's IP protocol is not secure by nature, and DNS entries may also be maliciously changed, hacked or compromised without notice, the standard download of client applet code cannot guarantee that the client code is from the expected web server (just as there is no guarantee that a non-secure HTTP web page comes from the expected web server).
For example, when you view almost any non-secure web page, the content may have been changed maliciously in transit. Additionally, the domain name in the URL may point to a different IP address than expected, so that the content is instead loaded from a malicious IP address. The standard ParaChat applet code appears as:
<applet codebase="http://host7.parachat.com/pchat/applet"
archive=papplet.jar code=pclient.main.ChatClient.class HEIGHT=400 WIDTH=560>
............
</applet>
In this example, the ParaChat client applet class files are downloaded from a web server on host7.parachat.com. Suppose a hacker somehow manipulated DNS, whether on a user's computer or on a DNS server, so that the user's DNS points host7.parachat.com to a different IP address controlled by the hacker. The hacker could create Java class files that look similar to ParaChat's user interface so that the end-user cannot discern the difference. The end-user then inputs their user name and password to log into the ParaChat room. The user name and password are sent to the IP address controlled by the hacker, and the hacker would then acquire the end-user's user name and password. This practice is commonly known as "phishing".
In a second example, assume that the above applet code is embedded in a web page (e.g. http://example.com/.../chat.html). For brevity, assume DNS has been hacked, and example.com points to the IP address "9.9.9.9" controlled by a hacker. Because the hacker has access to the web server on IP address 9.9.9.9, the following applet code is downloaded by the end-user in the web page "chat.html":
<applet codebase="http://9.9.9.9/mychat"
archive=chat.jar code=hackedChat.class HEIGHT=400 WIDTH=560>
............
</applet>
Again, the applet could look like a ParaChat room, and trick an end-user into typing their user name and password. Only if the user looks at the web page's HTML source would they discover the applet code is not from a ParaChat domain name.
ParaChat's Secure Encrypted Chat Module offers a solution to this risk. When the module is activated, the ParaChat client class files are downloaded from a secure web server using HTTPS:
<applet codebase="https://secure.parachat.com/applet"
............
</applet>
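The difference between the three embeds above can be checked mechanically on the HTML a client actually receives. The following is an added example, not ParaChat's code: the trusted-host list, the function names and the sample markup are assumptions constructed from the snippets on this page.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Assumption: the one host allowed to serve applet class files.
TRUSTED_HOSTS = {"secure.parachat.com"}
# Constructed sample embeds, modelled on the three snippets above.
STANDARD = ('<applet codebase="http://host7.parachat.com/pchat/applet" '
            'archive=papplet.jar code=pclient.main.ChatClient.class></applet>')
SPOOFED = ('<applet codebase="http://9.9.9.9/mychat" '
           'archive=chat.jar code=hackedChat.class></applet>')
SECURE = '<applet codebase="https://secure.parachat.com/applet"></applet>'

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

class AppletAudit(HTMLParser):
    """Record (codebase, problems) for every <applet> tag that fails a check."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "applet":
            return
        codebase = dict(attrs).get("codebase") or ""
        url = urlparse(codebase)
        host = url.hostname or ""
        problems = []
        if url.scheme != "https":
            problems.append("codebase is not HTTPS")
        if _is_ip(host):
            problems.append("codebase host is a raw IP address")
        elif host not in TRUSTED_HOSTS:
            problems.append("codebase host is not on the trusted list")
        if problems:
            self.findings.append((codebase, problems))

def audit(html):
    """Return findings for one HTML document; an empty list means clean."""
    parser = AppletAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit()` on the chat page as fetched from outside your network; a finding on a page that should carry the secure embed means the applet code has been changed or was never updated.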
3. Web Page That Contains ParaChat Applet Downloaded From Secure Server (OPTIONAL)
When a web page is served from a secure server, its web address will begin with HTTPS (HyperText Transfer Protocol Secure). HTTPS is ordinary HTTP exchanged over a Secure Sockets Layer (SSL) encrypted session. An encrypted connection to a web server protects data in transit between a user's computer and the web server that served the web page.
To prepare a web server for accepting HTTPS connections, the server administrator creates a public key certificate for the web server. This certificate should be signed by a Certificate Authority that certifies that the certificate holder is a legitimate entity.
ParaChat is implemented in a web page on your own web site by embedding applet HTML that we provide into the HTML source of the web page where you want to run ParaChat. If you have chosen to activate the Secure Encrypted Chat Module, we strongly recommend that you implement ParaChat on a web page served by a secure server for maximum security. However, if the chat applet is implemented on a standard HTTP web page, the chat client applet files are still secure, and the chat messages are still encrypted.
For Added Security
Use the Secure Service Administration Web Page
ParaChat's service administration web page is generally accessed using regular HTTP. ParaChat now offers access to the service administration web page using a secure HTTPS connection. Simply click the "Use Secure Log-in" link on the log-in page to log in securely.
Do Not Enable "Email Daily Transcripts"
Email is not secure, and as such, emailing daily chat transcripts is not secure. To ensure transcript security, log into the secure service administration web page to view transcripts. Do not enable the "Email Daily Transcripts" feature. Use your web browser's "Save" or "Save As" file option to save a chat transcript file to your local computer when logged into the secure service administration web page.