MSN Chat

MSN Chat was the Microsoft Network version of IRCX (Internet Relay Chat extensions by Microsoft), which replaced Microsoft Chat, a set of Exchange-based IRCX servers first available in the Microsoft Comic Chat client, although Comic Chat was not required to connect.

History
According to the MSN Chat website, the following were required to use the MSN Chat Service:
 * Client Compatibility
 * Windows 95 or later
 * Internet Explorer 4.0 or later, or
 * Netscape Navigator 4.x

The Microsoft Network Chat Control was developed as an ActiveX Component Object Model (COM) object. ActiveX, being a Microsoft technology, provided limited compatibility with other products. The other major platforms besides Internet Explorer on which MSN Chat was supported were Netscape Navigator and MSNTV (formerly known as WebTV). To ensure the MSN Chat network was only being connected to by authorized clients, Microsoft created and implemented a SASL-based Security Service Provider (SSP) authentication package known as GateKeeper. This used a randomized session key to authorize users not using the Microsoft Passport (now Microsoft account) system. Microsoft used another SSP, known as GateKeeperPassport, that worked by the same method but required certain attributes related to the user's account.


Defeating the "Authentication Challenge"

Various methods existed for accessing the MSN Chat Network through mIRC. Most of them relied on the MSN Chat Control itself; others were more complicated.

In the beginning, shortly after the move from Microsoft Chat, the MSN Chat Network could be directly connected to through any IRC client at irc.msn.com on port 6667. Perhaps because of abuse or other factors, such as the desire to authenticate users based on their Microsoft Passport, Microsoft implemented GateKeeper and GateKeeperPassport, and integrated both into their chat control. The weakness of GateKeeper, and the fact that the early MSN Chat Controls (1.0−3.0) had public functions for doing GateKeeper authentication, seemed to indicate that Microsoft wanted third parties to be able to access their network as before, but wanted to be able to control automated abuse. In any event, these public functions allowed normal IRC clients to authorize themselves.

With the release of the MSN Chat Control 4.0, the public functions were removed. Users found a way to authorize by a "Proxy Method", forcing the Chat Control to bridge connections between mIRC and the Chat Network.

With the release of the MSN Chat Control 4.2 and later, Microsoft blocked this proxy method by having the chat control hash the IP address of the server to which it was instructed to connect into the response to the authentication challenge. If the control was instructed to connect to any address other than the server, its response would not match the server's hash and authentication would fail. A few later third-party clients could authenticate without the control and were adjusted to compensate for this change.

Versions
The versions of MSN Chat were designed from IRC3 through to IRC8. Even with the newer versions, it was still possible to replicate older MSN Chat versions by issuing the IRCVERS command.

It is believed that IRC referred to the original IRC Daemon, and IRC2 referred to IRCX.
 * IRC3
   * MSN Chat 1.0 was introduced as an ActiveX object for use within Internet Explorer.
   * GateKeeper (version 1) authentication was enabled. As the client did not specify a GUID, a random GateKeeper address was issued by the server.
   * Directory (better known as FINDS) servers were created to distribute the load between servers.
 * IRC4
   * Unknown. Further research is required.
 * IRC5
   * GateKeeper (version 2) authentication was enabled. The major difference between v1 and v2 was that the client specified a GUID that was stored in the Windows Registry, which allowed each client to have a unique and semi-permanent GateKeeper address.
   * The USER command is no longer required.
   * GateKeeperPassport was enabled; this allowed the client to relay cookies received from the passport.net service as a method of permanent authentication.
   * Non-passport nicknames must now be prefixed with a '>', which is displayed as 'Guest_' by the official client.
   * Passport user nicknames can no longer be changed without first disconnecting. Guest nicknames may still be changed, but the official client offers no way to do so.
   * Basic icons are shown next to the user's name; they identify MSN Staff (Sysops and Admins) with the MSN Butterfly, users who are away with a coffee cup, and spectators with a pair of glasses.
 * IRC6
 * IRC7
   * MSN Chat introduced profile icons. Profile icons indicated whether the member had a profile, the member's gender (if known), and whether the user had a picture.
 * IRC8
   * As MSN Chat had now become a subscription-only (Premium) service, this version introduced extra user and channel modes. The channel mode 'S' was added to indicate that only subscribers could talk. The user modes 'B' (to indicate the user was subscribed) and 'O' (to indicate the user was not subscribed) were added. With the exception of official MSN staff, it was impossible for a user with the mode 'O' to chat in a channel with the channel mode 'S'.
   * Update to the GateKeeper authentication method (known as the "4.5 Auth", because the MSN Chat Control 4.5 was the first to implement it). It was a slight change that added the value taken from the Server parameter (the part before the ":", if one is present) to an MD5 checksum.

Third-party applications
The use of third-party applications on the MSN Chat Network was not prohibited, although it was unsupported. Third-party applications were required to use the same Authentication Methods as the MSN Chat Control.

The second change was the major part, allowing the Chat Control to bridge the connections between the Client and MSN Chat Service.

The most popular third-party applications were mIRC, IRC Dominator and Viperbot.

Scripts were often downloaded from sites such as TechGear007.

Notable features

 * Webchat using MSN's Chat Control
 * Chat nicknames
 * Profiles
 * Chatroom creation
 * Emoticons
 * Chatroom listings
 * User created rooms
 * MSN created rooms
 * MSN WebTV chats
 * Celebrity chats
 * Adult chats, moderate content chats, all aged chats
 * Integration with MSN groups

GateKeeper
The GateKeeper (and closely related GateKeeperPassport) authentication mechanisms are SASL authentication mechanisms as defined in the IRCX Drafts.

After the introduction of authentication on MSN Chat, GateKeeper was the only authentication method that the public could use. During the initial handshake, the client would send a packet containing only the 16-byte header to the server, and the server would reply with a header coupled with a 128-bit cryptographic nonce. Finally, the client would create a 128-bit cryptographic hash of the nonce received from the server using a secret key, sending this as a subsequent authentication reply after the header and immediately before a 16-byte GUID. The cryptographic hash function used was HMAC-MD5, and the secret key was "SRFMKSJANDRESKKC" (case sensitive).

Defeating GateKeeper
Early implementations of the GateKeeper authentication mechanism did not create a barrier to entry, as the authentication API that Microsoft had created was available to other program developers. After some time, Microsoft removed the ability for developers to use/see the API that had been embedded in the MSN Chat Control, and it can be safely assumed from this time that Microsoft wanted access to be from the official chat control only.

The GateKeeper authentication made an appearance in the WebTV/MSNTV client.

It was quickly realised that it was also possible to connect by creating a proxy that would load the MSN Chat Control temporarily as required, relaying nonces and hashes between the server and the control, before closing the chat control. The difficulty with this method was that it was often slow, didn't work, or could crash applications, because the ActiveX control had to be hosted in Microsoft Internet Explorer or in MSIE-based web controls. It is likely possible that an alternative browser (such as Netscape Navigator, Firefox, etc.) could have been used to host the MSN Chat Control, as there was an NPAPI version available from Microsoft. In July 2002, a user named zmic reverse engineered the MSN Chat Control and produced a Python script that was able to log in without the use of the MSN Chat Control. The Python script was buggy, but was later rewritten in multiple programming languages by various authors. The user eXonyte had written some code which could be used (via WINE) on Linux. It's believed that this was the first time MSN Chat had been used outside of Windows.

GateKeeper version 3 was a very minor change: it added the string of the server name (as defined in the Chat Control parameter "Server") to the hash. The additional string would not include a colon or port if they were present. This appeared to be an effort to defeat the proxy method of accessing the service, but was quickly overcome as users shared the information that the IP had been added to the hash. This information was likely leaked from someone in Microsoft, as there were rumours of the upcoming change before the new GateKeeper version was released.
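The challenge hash from the GateKeeper section and the version 3 server-name binding described above, seen from the verifying server's side, as an added example that is not code from Microsoft or from any client mentioned here. The position of the host string inside the hashed message, the function names and the host chat.example.net are assumptions; the header and GUID are left out because the page does not give their layout.

```python
import hashlib
import hmac
import os

# Key and MAC as stated on the page: HMAC-MD5, case-sensitive ASCII key.
GATEKEEPER_KEY = b"SRFMKSJANDRESKKC"


def server_host(server_param):
    """The Server parameter up to, but not including, any ':port' suffix."""
    return server_param.split(":", 1)[0].encode("ascii")


def gatekeeper_hash(nonce, server_param=None):
    """16-byte response to a 128-bit nonce; v3 also covers the server host.

    Assumption: the host string is appended after the nonce. The page says
    only that it was added to the hash, not in which position.
    """
    if len(nonce) != 16:
        raise ValueError("nonce must be 128 bits")
    msg = nonce if server_param is None else nonce + server_host(server_param)
    return hmac.new(GATEKEEPER_KEY, msg, hashlib.md5).digest()


def server_accepts(nonce, reply, own_host=None):
    """Server-side check: recompute and compare in constant time."""
    return hmac.compare_digest(gatekeeper_hash(nonce, own_host), reply)


def relay_demo():
    """What a server at chat.example.net (constructed name) would accept."""
    nonce = os.urandom(16)
    real, proxy = "chat.example.net:6667", "127.0.0.1:6667"
    return {
        # v1/v2: the reply ignores where the control connected, so a reply
        # produced by a control talking to a local proxy still verifies.
        "v2_reply_via_proxy": server_accepts(nonce, gatekeeper_hash(nonce)),
        # v3: a control pointed at the proxy hashes the proxy's address.
        "v3_reply_via_proxy": server_accepts(
            nonce, gatekeeper_hash(nonce, proxy), "chat.example.net"),
        "v3_reply_direct": server_accepts(
            nonce, gatekeeper_hash(nonce, real), "chat.example.net"),
    }
```

The binding only invalidates relayed replies; the key is still a single static value shipped inside every client, so it identifies the software and not a user.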

It wasn't until around 2018 that the user JD noticed that the various keys from zmic's reverse engineering were likely derivatives of another key, and he was able to find the plain text key - before finding the algorithm used. Upon sharing this information with Sky, they quickly discovered the underlying cryptographic hash function was HMAC-MD5.

There are still just two bytes that are unknown in the GateKeeper authentication header, however it was tested against the MSN Chat Server many times, and the server didn't appear to differentiate between the values of those two bytes. There's a possibility that the two bytes are random bytes of memory.

NTLM
Like GateKeeper, NTLM and NTLMPassport were implemented as SASL authentication mechanisms as defined in the IRCX protocol.

NTLM Authentication was not available to be used by the MSN Chat Control, and the only known client implementation is in the MSN Chat Admin Client, which is a very basic client that was created to be used by MSN Chat staff, based on the publicly available MS Chat version 2.5. NTLM credentials were not available to normal users. It is believed that MSN Chat staff used NTLM to authenticate, and that they authenticated through Microsoft's Active Directory. It is possible that MSN Chat staff were connected directly to Microsoft's network, or connected via a virtual private network (VPN).

MSN Chat staff also had the ability to log in via the less secure USER/PASS method documented in RFC 1459. This was used heavily with the official chat bots, as it required no knowledge of SASL authentication mechanisms.

Passport
GateKeeperPassport and NTLMPassport were extensions to the GateKeeper and NTLM authentication mechanisms. The Passport extensions allowed the user to identify with a '.net Passport' (later known as a Windows Live Passport, now known as a Microsoft Passport).

When a client attempted to register using a passport authentication extension, instead of receiving the usual asterisks to indicate that authentication is successful (as noted in IRCX drafts), they would be presented with a further subsequent authentication command, with only the string 'OK' as a parameter. The user would then send back an authentication command without the header, using two variables known as PassportTicket and PassportProfile (taken from the browser cookies MSPAuth and MSPProf) to identify themselves. Both variables were preceded by a string representation of an 8 digit hex number indicating the length of the variable, and must be presented in the correct order. When using GateKeeperPassport, the GUID specified after the GateKeeper hash should be a null GUID - Literally.

Example PassportTicket and PassportProfile being sent:

Whilst it is assumed the same format is used with NTLMPassport, this cannot be confirmed, as NTLMPassport usage has not been witnessed. Active MSN Chat staff were using NTLM and were considered Guests, although the Guest prefix ">" was not enforced; instead a "'" prefix was used, which is noted to be a Unicode nickname prefix in the IRCX Drafts.
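The length-prefixed PassportTicket and PassportProfile framing described in this section, as a strict receiving-side parser. This is an added example, not code from the original page or from any MSN client or server. It assumes the length counts bytes, that the hex digits may be in either case, and a hypothetical 8192-byte cap per field; the sample values are constructed.

```python
HEX_DIGITS = b"0123456789abcdefABCDEF"
FIELDS = ("PassportTicket", "PassportProfile")  # required order per the page


def encode_fields(ticket, profile):
    """Ticket then profile, each behind an 8-hex-digit length prefix."""
    return b"".join(b"%08X" % len(v) + v for v in (ticket, profile))


def parse_fields(data, max_len=8192):
    """Strictly parse the two fields in order; reject anything malformed."""
    out, pos = {}, 0
    for name in FIELDS:
        prefix = data[pos:pos + 8]
        # int(x, 16) alone would also accept '+', '_', spaces and '0x'.
        if len(prefix) != 8 or any(c not in HEX_DIGITS for c in prefix):
            raise ValueError(f"{name}: bad length prefix")
        length = int(prefix, 16)
        # Cap the declared length before trusting it (max_len is assumed).
        if length > max_len:
            raise ValueError(f"{name}: declared length {length} exceeds cap")
        pos += 8
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"{name}: truncated value")
        out[name] = value
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after PassportProfile")
    return out
```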

User levels
MSN Chat had the following user levels:

Staff:
 * Admin
 * Sysop
 * Guide
 * Bot

Users:
 * Owner
 * Host
 * Participant
 * Spectator

Similar services
There are many chat networks attempting to simulate the service that was provided by the Microsoft Network, which use the "MSN Chat Control". These simulation chat networks are often referred to as "MSN Chat Clones". These are generally small chat networks, which often rely on home-made IRC servers, or IRCX servers. Many of the "MSN Chat Clones" are non-compliant and do not follow the RFC 1459 (IRC) or the "eXtensions to Internet Relay Chat" (IRCX) standards and often contain many bugs/exploits that may cause a denial of service with the MSN Chat Control.

Many of the MSN Chat Clones started up directly after MSN closed its services (2006), and additional networks have continued to spring up since then. There is speculation that these chat networks may have pulled potential subscribers away from MSN Chat, ultimately bringing on the demise of MSN Subscription Chat Services.

While the majority of MSN Clone Chat sites are free, most of them rely on adverts to provide a small income. In addition, some of the clones have begun to charge, or allow for donations.

The legality of sites offering the MSN Chat Control has been in question for some time due to many "Clone Sites" hosting the Chat Control. The Chat Control download is publicly available by Microsoft to download at.

Problems with MSN Chat
There were many documented problems from users about the MSN chat function. Most were directed to the “chat host.” This was a person who would enter the chat room under the name “host”, and act accordingly regulating the room. This service was useful for controlling the room, making sure that everyone was behaving accordingly, answering users’ questions about the rooms, and other assorted tasks. While the idea of a supervisor would put a lot of users at ease, there were reported disagreements between the two with what was considered appropriate.

A significant reason for MSN Chat shutting down was that it provided another opportunity for pedophiles and other sex-offenders to have access to youth through the chat rooms.

Closure
In 2001, Microsoft closed access via IRC clients (including Comic Chat), asking users to exclusively use their browser client instead. In 2003, Microsoft announced that it would close "unregulated" MSN Chat rooms in 28 countries, including "most of Asia" due to problems with spam and concerns about child sexual abuse material, with plans to convert to a subscription model for "better accountability." Messenger chat services remained open. MSN Chat became a subscription service for $20/year.

On August 31, 2006, Microsoft announced that MSN Chat would no longer be provided. On October 16, 2006, MSN Chat shut down its servers at about 11:30 a.m. EST. The service allegedly closed because MSN no longer deemed it profitable to run as a subscription service.