----- Original Message ----- From: "David Wagner" <[EMAIL PROTECTED]>
Subject: Simson Garfinkel analyses Skype - Open Society Institute

In article <[EMAIL PROTECTED]> you write:
Is Skype secure?

The answer appears to be, "no one knows". The report accurately reports that because the security mechanisms in Skype are secret, it is impossible to analyze meaningfully its security.

Actually that is not entirely true. While Skype has been getting more than it's fair share of publicity lately surrounding it's security the truth is that shortly after it's first release I personally had a discussion in their forums (should still be there if you find something by holomntn that's the correct one, I haven't discussed anything since). In that discussion it was shown that they clearly did not have a solid grasp on security, nor apparently had anyone of them read the SIP specification. During that conversation, and some future private ones, it has been revealed to me that Skype's security is questionable at best, and that they are in fact basically relying on security through obscurity. It is likely that this will work for quite some time simply because most IM conversations, and most phone conversations for that matter are simply not worth listening to.

With that said, in their favor they do have substantial qualities. Because they effectively form a routed network an intermediate evesdropping attempt will have to sort through a substantial amount of undesired traffic (see Rivest on Wheat and Chaff for explaination of the security offered), this is possible because although there are security holes, the end stream is difficult to determine from random (AES/CBC). This creates a substantial boost in the amount of effort required to acquire a stream of significance unless the endpoints are known. The other big thing in their favor is that apparently very few people want to be bothered by analysing the security, basically if no one is looking it is secure. Additionally, in version 1.1 Skype appears to have begun providing a moving target for a break, between version 1.0 and 1.1 Skype performed some changes to the protocol, while I do not know the exact nature of these, even a simple investigation of the GUI shows some changes (IM someone with a different version you will be cautioned about protocol changes even though security is not listed), this moving target creates the possibility to generate some security through obscurity, and the ability to upgrade the security at a moments notice.

Working against them. The biggest thing working against them is that a growing number of teenagers are using Skype (a significant portion of Gunderson High School in San Jose, Ca actually uses Skype during class, and has been busted by me for it). This poses a substantial risk for common hacking to occur. This is something that I am unclear on whether or not Skype has prepared. As the general populus begins to use Skype more the security question becomes of greater importance (reference the attacks on Windows that go on every day).

With all that said it is important to note that I have no access to the current Skype protocol and I only briefly had limited access to an early one, so my analysis may be substantially off.

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to