CERT® Incident Note IN-2000-08
The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Chat Clients and Network Security
Date: Wednesday, June 21, 2000
The CERT/CC has received reports and inquiries regarding the security issues inherent in the use of chat clients.
Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, provide a mechanism for information to be transmitted between computers within a network and computers at remote sites across network borders in both directions. Chat clients provide groups of individuals the means to exchange dialog, Web URLs, and in many cases, files of any type. As with any similar networked application (e.g., email), chat applications pose security risks when used in a networked environment.
The security model of chat clients is one that relies on each end-user to make independent security decisions rather than relying on a central enforceable security policy. The result is a broader base of exposure to risk across a network with less central control, making security policies that allow chat client usage difficult to implement and enforce.
There are several general security issues network and system administrators can consider when evaluating security policies and the use of chat clients.
A general security practice for system configuration is to disable all services that are not needed. The same concept can be applied to network configuration. Unless the services provided by chat clients are needed in your environment, we encourage you to consider disabling chat client functionality on your network.
Author: Kevin Houle
This document is available from: http://www.cert.org/incident_notes/IN-2000-08.html
Copyright 2000 Carnegie Mellon University.