Skip to content
A/S/L?

AOL will cut off older third-party app access to AIM [Updated]

Or to be more specific, AOL is pulling support for MD5 authentication.

Cyrus Farivar | 128
Credit: K W Reinsch
Credit: K W Reinsch

On Tuesday, AOL (yes, it’s still around) suddenly announced to users of AOL Instant Messenger (including yours truly) that it would be disabling older, and less-secure access to its network through at least one third-party messaging app (Adium) as of March 28.

UPDATE Wednesday 3:40pm ET: Specifically, the company is yanking support for the MD5 hash function associated with password authentication. For nearly a decade, that function has been dubbed as "cryptographically broken." Some third-party chat apps like Adium, Trillian, or Pidgin had been using MD5 to authenticate logins.

In a message posted to an e-mail list called "pidgin support," Donald Le, AIM's tech director, wrote last October:

All DistID used for login.oscar.aol.com and slogin.oscar.aol.com will be blocked. The date is tbd and AIM client upgrade will start Feb 24th 2017.

Ars was unaware of this posting until Wednesday morning, when @dekisu, a Pidgin developer, contacted us and pointed us to this e-mail exchange, and we got in touch with Le himself. Dekisu said that Pidgin will be releasing an update as of next week that would incorporate these new changes. However, users of Adium, which hasn't been updated in nearly a year, are seemingly out of luck.

"It presents a security hole, so we want them to move completely out," Le told Ars on Wednesday.

The service will continue to live on through AOL’s proprietary standalone chat app, which exists for MacOS, Windows, iOS, and Android.

One Ars editor reported no such message when using the Trillian app, while another editor reported that her AIM account would not connect via Adium at all.

Since the advent of Gmail and Gchat in 2005, AIM’s user base had been declining. In 2012, AOL gutted the AOL Instant Messenger group, essentially halting its development.

A former AOL employee who wished to stay anonymous told Ars that he guessed that part of the reason that AOL was making this move had to do with low AIM usage—he estimated that it had fallen to "single digit millions" and that maintaining OSCAR had become prohibitively expensive.

"In the years since, the frail network of old backend code was likely never rewritten and as people retired from the company or were forced out they had to let functionality go," he continued.

On Tuesday, AOL did not immediately respond to Ars’ request for comment.

UPDATE 2 Wednesday 6:38pm ET: Le e-mailed:

Our messaging to users with Pidgin/Adium/LibPurple (or Third party) at login was misleading.

We are sunsetting a large number of old clients (AIM and third party clients) and an older piece of the login infrastructure which is still been used. As part of this, Third party was asked to update their code with new identifiers (distID and devID) so we can disable the old Third party based clients.

Third party clients in general will not be disabled, only older Third party clients that cannot upgrade the authentication methods. We advise users to switch to AIM clients in this case.

Listing image: K W Reinsch

Photo of Cyrus Farivar
Cyrus Farivar Editor at Large
Cyrus is a former Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is out now from Melville House. He is based in Oakland, California.
128 Comments
Prev story
Next story