http://en.wikipedia.org/wiki/Skype
Security features
- Secure communication is a feature of Skype: encryption cannot be disabled and is invisible to the user. Skype reportedly uses non-proprietary, widely trusted encryption techniques, RSA for key negotiation and the Advanced Encryption Standard (AES) to encrypt conversations.[12] Because the client and protocol are closed, this description rests on Skype's own statements and on the studies it has allowed, not on independent inspection of the code.
Skype provides an uncontrolled registration system for users with
absolutely no proof of identity. This permits users to use the system
without revealing their identity to other users. It is trivial, of
course, for anybody to set up an account using any name; the displayed
caller's name is no guarantee of authenticity.
Issues
Security concerns
A third-party paper analysing the security and methodology of Skype
was presented at Black Hat Europe 2006.[13]
It made the following observations:
- Skype keeps talking on the network even when idle, and even on
non-supernodes (this may be used for NAT traversal).
- Skype assumes 'blind trust' of anything else that speaks the Skype protocol.
- It is possible to build a parallel Skype network.
- Skype makes it hard to enforce a (corporate) security policy.
- There is no way to know whether there is, or will be, a 'backdoor'.
- In February 2007 it became known that Skype creates a file called
1.com in the temp directory which reads all BIOS data from the PC.[14]
According to Skype, this is used to identify individual computers and
to provide DRM protection for plug-ins.[15][16]
- Skype is owned by eBay, whose privacy policy is perhaps the least
protective of customers of any large corporation. eBay claims it goes
above and beyond what it is required to do by law, seeking out and
giving police all the information it stores about users, excluding some
financial data, for which it requires a subpoena.[17]
- The security and privacy protection of traffic through Skype is
controversial. Although Skype offers encryption for direct communication
between users, a Skype spokesperson declined to deny that Skype has the
ability to intercept communications.[18] Asked whether Skype could listen
in on its users' communication, Kurt Sauer, head of Skype's security
division, replied evasively: "We provide a secure means of communication. I will
not say if we are listening in or not." The implementation of a text
filter in China[19] suggests that Skype makes use of its eavesdropping
capabilities when necessary, or whenever it is in its economic interest.
It is also well known that Skype's owner, eBay, is a close and reliable
partner of US authorities when it comes to divulging private information
about its users.[20][21]
Skype service issues
- There have been many complaints about Skype's poor customer
support.[22] As of September 2008, Skype did not provide a way to contact
customer support directly, offering only indirect assistance through its
web portal. There have also been criticisms of Skype blocking and
disabling customer accounts from using the SkypeOut service.[23]
- While Skype is available for Windows, Mac OS X and Linux (i386
platform), there is no version for Palm OS, used in mobile devices such
as the Treo 700p smartphone.
- Skype has been criticized for bugs and delays in its Linux version,
which is relatively undeveloped compared with the Mac and Windows
versions; many features of the other versions are not found in the
Linux client.[24]
- SkypeOut does not support storing or automatically calling numbers
with extensions.[25] Instead, a user must call the number (without the
extension), wait for the call to connect and then enter the extension
manually. In practice this means many business customers need a separate
contact list that includes extensions, making the built-in contact list
of little use. Many customers consider this a fairly basic feature, and
other phone services typically support it by allowing a number to contain
a symbol representing a pause, as in "1-800-123-4567 x54321" or
"1-800-123-4567,,,54321", where 54321 is the extension.
Compliance with the Communications Assistance for Law Enforcement Act
In the United States, the FCC has interpreted the Communications
Assistance for Law Enforcement Act (CALEA) as requiring digital phone
networks to allow wiretapping in the presence of an FBI warrant, in the
same way as traditional phone service. Skype is not yet compliant with
the act and has so far stated that it does not plan to comply.[26]
German wiretapping
It has been reported that German authorities have been wiretapping
Skype conversations using a trojan horse on the target's computer.[27]
A trojan on the endpoint captures audio and text before Skype encrypts
them, so the transport encryption described above offers no protection
against it. A number of individuals involved in publicly disclosing this
information have been placed under investigation.[27]
Censorship in China
Skype is one of many companies (others include AOL, Google, Microsoft,
Yahoo, Cisco) which has cooperated with the Chinese
government in implementing a system of Internet
censorship in the People's Republic of China.
Niklas Zennström, chief executive of Skype, told reporters that its
joint venture partner in China is operating in compliance with domestic
law. "TOM Online
had implemented a text filter, which is what everyone else in that
market is doing," said Zennström. "Those are the regulations," he said.
"I may like or not like the laws and regulations to operate businesses
in the UK or Germany or the US, but if I do business there I choose to
comply with those laws and regulations. I can try to lobby to change
them, but I need to comply with them. China in that way is not
different."[28]
Since late September, users in China trying to download the Skype
software have been redirected to the TOM site, from which a modified
Chinese version can be downloaded. Activists in China have been warned
that TOM's versions may have, or may later acquire, trojan capabilities.[29]
http://en.wikipedia.org/wiki/Skype_security
Security flaws
The main problem when examining Skype security is that Skype is not
open source; it is proprietary and secret, so one can rely only on
information from Skype itself or on continued examination of its
behaviour under various attacks.
In his article VoIP and Skype Security, Simson Garfinkel reports that,
after analysing the Skype network, Skype does appear to encrypt users'
sessions; however, other traffic on the network, including call
initiation, can be monitored by parties on the network that are not
participants in the session. In terms of privacy, Skype also uses a
"History" file saved on the user's machine to record all communication
between users. This feature is enabled by default, although not many
users are aware of it, and it allows an attacker who has placed spyware
or another remote-control application on the machine to obtain the file.
In October 2005 a pair of security flaws were discovered that made it
possible for attackers to run hostile code on computers running
vulnerable versions of Skype.
The first affected only Skype for Windows. A buffer overflow allowed an
attacker to crash the client or force it to execute arbitrary code: the
attacker crafted a malformed URL in the Skype URI format and lured the
user into opening it.
The second affected all platforms; it used a heap-based buffer overflow
to compromise the client.
Skype responded to the findings by fixing the bugs and issuing a
security patch.
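The Windows URI-handling flaw above is an instance of the classic fixed-buffer pattern: data taken from a link the user was lured into clicking is copied into a buffer of fixed size without a length check. The following is an added illustration written for this page, not Skype's code: a minimal handler for "skype:" and "callto:" links that copies the callee name into a fixed stack buffer, shown in the vulnerable form next to a hardened one. The buffer size NAME_MAX, the two scheme names and the "?" parameter separator are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: the callee name buffer size. */
#define NAME_MAX 32

/* Vulnerable pattern (illustrative, not Skype's code): the user part of
 * the URI is copied into a fixed stack buffer with strcpy(). A URI whose
 * user part is NAME_MAX bytes or longer overruns `name`, and whatever the
 * attacker put in the link lands past the end of the buffer. */
static bool parse_uri_vulnerable(const char *uri, char name[NAME_MAX])
{
    const char *user = strchr(uri, ':');
    if (user == NULL)
        return false;
    strcpy(name, user + 1);     /* unbounded copy: this is the bug */
    return true;
}

/* Hardened form: accept only known schemes, bound the copy by the
 * destination size, restrict the character set and fail closed. */
static bool parse_uri_safe(const char *uri, char *name, size_t name_cap)
{
    static const char *const schemes[] = { "skype:", "callto:" };
    const char *user = NULL;

    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (strncmp(uri, schemes[i], n) == 0) {
            user = uri + n;
            break;
        }
    }
    if (user == NULL)
        return false;                   /* unknown scheme */

    size_t len = strcspn(user, "?");    /* user part ends at '?' (assumed separator) */
    if (len == 0 || len >= name_cap)
        return false;                   /* empty, or no room for the terminator */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return false;               /* outside the expected alphabet */
    }
    memcpy(name, user, len);
    name[len] = '\0';
    return true;
}

/* Returns 1 if the hardened parser accepts `uri` and extracts `expected_user`. */
int safe_accepts(const char *uri, const char *expected_user)
{
    char name[NAME_MAX];
    if (!parse_uri_safe(uri, name, sizeof name))
        return 0;
    return strcmp(name, expected_user) == 0;
}

/* Builds a "skype:" URI whose user part is `user_len` bytes of 'A' and
 * returns 1 if the hardened parser rejects it, 0 if it accepts it. */
int safe_rejects_long_user(size_t user_len)
{
    char uri[256] = "skype:";
    char name[NAME_MAX];
    if (user_len > sizeof uri - 8)
        user_len = sizeof uri - 8;
    memset(uri + 6, 'A', user_len);
    uri[6 + user_len] = '\0';
    return parse_uri_safe(uri, name, sizeof name) ? 0 : 1;
}

int main(void)
{
    char name[NAME_MAX];
    /* Short input: both parsers behave the same. */
    parse_uri_vulnerable("skype:alice", name);
    printf("vulnerable parser, short input: %s\n", name);
    printf("safe parser accepts skype:alice   -> %d\n", safe_accepts("skype:alice", "alice"));
    printf("safe parser rejects 31-byte user  -> %d\n", safe_rejects_long_user(31));
    printf("safe parser rejects 32-byte user  -> %d\n", safe_rejects_long_user(32));
    printf("safe parser rejects 100-byte user -> %d\n", safe_rejects_long_user(100));
    /* parse_uri_vulnerable() is deliberately not called with a long user
     * part: it would overrun `name` and corrupt the stack. */
    return 0;
}
```

The fix is not only the length check: an allow-listed scheme and character set keep the parser from being driven by any other part of a hostile link, and a 31-byte name is accepted while a 32-byte one is refused because the terminator needs the last slot.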
The Skype code is proprietary and closed source, and there are no plans
to make it open-source software, according to one of Skype's co-founders:
"We could do it but only if we re-engineered the way it works and
we don't have the time right now."
– Niklas Zennström, co-founder of Skype, responding to questions about
the Skype security model[1]
Que Publishing's book, Skype: The Definitive Guide,[2] points out:
- Skype can utilise other users' bandwidth. (Although this is allowed
for in the EULA, there is no way to tell how much bandwidth is being
used in this manner.) There are some 20,000 supernodes out of the many
millions of users logged on. Skype's Guide for Network Administrators[1]
claims that supernodes carry only control traffic, up to 5 kB/s, and
that relays may carry other users' data traffic, up to 10 kB/s (for one
video call). A relay should not normally handle more than one "relayed
connection".
- Skype's file-transfer function has no programmatic interface to
antivirus products, although Skype claims to have tested its product
against antivirus "shield" products.
- The lack of clarity about what the traffic contains means that systems
administrators cannot be sure what Skype is doing. (An invited study and
a reverse-engineered study, taken together, suggest that Skype is not
doing anything hostile.) Skype can be easily blocked by firewalls.
- The actual communication in a Skype conversation uses modern
encryption techniques to make conversations secure, as noted in the
studies above.
- Silver Needle in the Skype - Philippe Biondi [2]
- VoIP and Skype Security - Simson Garfinkel [3]
- Skype Security Evaluation - Tom Berson [4]
- Skype security resource center - Skype official web site [5]