On Tuesday, AOL (yes, it’s still around) suddenly announced to users of AOL Instant Messenger (including yours truly) that it would be disabling older, and less-secure access to its network through at least one third-party messaging app (Adium) as of March 28.
UPDATE Wednesday 3:40pm ET: Specifically, the company is yanking support for the MD5 hash function associated with password authentication. For nearly a decade, that function has been dubbed as “cryptographically broken.” Some third-party chat apps like Adium, Trillian, or Pidgin had been using MD5 to authenticate logins.
In a message posted to an e-mail list called “pidgin support,” Donald Le, AIM’s tech director, wrote last October:
All DistID used for login.oscar.aol.com and slogin.oscar.aol.com will be blocked. The date is tbd and AIM client upgrade will start Feb 24th 2017.
Ars was unaware of this posting until Wednesday morning, when @dekisu, a Pidgin developer, contacted us and pointed us to this e-mail exchange, and we got in touch with Le himself. Dekisu said that Pidgin will be releasing an update as of next week that would incorporate these new changes. However, users of Adium, which hasn’t been updated in nearly a year, are seemingly out of luck.
“It presents a security hole, so we want them to move completely out,” Le toldon Wednesday.
Oneeditor reported no such message when using the Trillian app, while another editor reported that her AIM account would not connect via Adium at all.
Since the advent of Gmail and Gchat in 2005, AIM’s user base had been declining. In 2012, AOL gutted the AOL Instant Messenger group, essentially halting its development.
A former AOL employee who wished to stay anonymous toldthat he guessed that part of the reason that AOL was making this move had to do with low AIM usage—he estimated that it had fallen to “single digit millions” and that maintaining OSCAR had become prohibitively expensive.
“In the years since, the frail network of old backend code was likely never rewritten and as people retired from the company or were forced out they had to let functionality go,” he continued.
On Tuesday, AOL did not immediately respond to’ request for comment.
UPDATE 2 Wednesday 6:38pm ET: Le e-mailed:
Our messaging to users with Pidgin/Adium/LibPurple (or Third party) at login was misleading.
We are sunsetting a large number of old clients (AIM and third party clients) and an older piece of the login infrastructure which is still been used. As part of this, Third party was asked to update their code with new identifiers (distID and devID) so we can disable the old Third party based clients.
Third party clients in general will not be disabled, only older Third party clients that cannot upgrade the authentication methods. We advise users to switch to AIM clients in this case.