There is not "distinct absence" as you state. Although the encryption is *very weak* (XOR'd), it does exist in some format.(If you're talking about the message archive locally, unless you run the corporate version of YIM, which is SSL based.) This problem is easily solved if you do not trust those with access to your computer, disable message archiving and there is no .dat file stored with said messages. You being the only one with the power to re-enable it keeps things decent from a local perspective until you have one fluent in registry modifications, or you add a packet sniffer in the mix, but that can sometimes do relatively no good or add headache to the sniffing due to the YMSG protocol being MD5 CRYPT, comparable to many UNIX variants.


Quirk-

Not big on understanding hyperbole huh?

Because they haven't been taught and don't know the questions to ask. Computer Security is a relatively new field, not understood by all. Myself, I feel fortunate to have stumbled upon this forum by chance. I have learned, and continue to learn, things here that I would never learn from textbooks. With the recent viral attacks, (myDoom.A and B.), Odessa College computers were down for 2 days, because of the information that Qu|rk provided me, my pc at home has managed to elude any such problems. In short, people don't know because they haven't been provided the information. "Real world" is a constant learning experience.

Q: How do you get the cat out?
A: Send in the Pit Bull.

;)

MUAs do a really lousy job of informing the user whether or not the authorization mechanism is *ugh* plaintext or rather one of the many cryptographically secure authorization mechanisms such as HMAC-MD5 or HMAC-SHA1 is being used. Nor do MUAs make it particularly easy to disable plaintext authorization.

Of course the easiest way to ensure security is configure the entire session to operate over SSL...

The internet is a big wad of plain text. Email, Web, FTP... how many sites do you know that use SSL or even Secure Password Authentication? The problem is that everything installs itself without SSL support and too many people are idiots to install it all right. Public mail delivery server, private user mailbox server, SSL sessions... how hard is this? I didn't even have to setup a VPN!

Sure encrypted communication is a bit slower, but I think we could all bear the slowdown if the web suddenly became a REAL private and secure place.


-------------
EVERYTHING SSL

Most POP3 and IMAP daemons no longer support plaintext authentication by default, most notably UW IMAP, Dovecot, and Courier.

Sure, the Internet is a mess 'o plaintext. But ftp, telnet, and (to an extent) HTTP were all designed back in the Good Old Days when the Internet was just a bunch of universities that all knew each other, and security wasn't even an afterthought.

Instant messaging doesn't get to use that excuse. Since, oh, 1998 or so it's inexcusable to design any Internet app without adequate security. Instead of asking why users don't know YIM is sent in the clear, I'd ask why YIM is so poorly designed that users would need to know this.