Tuesday, January 11, 2005
Things to know about Skype security
"Skype"? What is "Skype"?
Skype is a convenient and powerful program for voice communication over the Internet and optionally to old-style telephones. The usual sales pitch is "free phone calls", but technical people are falling in love with it as the easiest way they've ever seen to arrange a conference call.
Where does security come in?
Well, it's a program that runs on your computer and talks over the network. Can it be taken over by toxic input? Can it spread viruses? Can nasty people intercept or interfere with your conversations?
There's been one security hole involving overly long addresses. This got fixed quickly and the program automatically updates itself, so everyone has the fix now.
Respected security author Simson Garfinkel answers the other questions in a highly readable report on Skype security.
Read the report; it's good, and it's the kind of writing I try to deliver to my own clients. To condense it brutally:
- Your voice is "encrypted" (scrambled) but that's easy to do wrong
- Voice security depends heavily on trust in the company that produces Skype
- It lets you share files so of COURSE you could download a virus
- If you use Skype for text chat someone could impersonate the friend you think you're talking to
- If security is your top concern then run any chat program over a Virtual Private Network
- It's better security than just about anything else out there
- Security depends on what else is running on your machine
That last point is the really important one. Spyware on your machine could record all your calls and email them to the Russian mafia or the National Enquirer. Once your voice is decrypted, anything can happen to it. A recent story illustrates what can happen if other software does something unexpected.
Blogger Andy Abramson got a surprise when he called another Skype user. The other user ran a program called Skype Answering Machine (which doesn't come from the Skype folks) to take calls when he was already in a call. It started recording Abramson, but due to a known bug in Skype Answering Machine, Abramson started hearing the call that was already in progress! That's right: install a buggy program and suddenly anyone can wiretap you just by calling. Obviously it'll get fixed, but it's a good example of what Garfinkel warned about.
PS: encrypted voice
Security guru and cipher designer Bruce Schneier warns in an essay about cryptography that
"Few can do the science properly, and a little knowledge is a dangerous thing: inexperienced cryptographers almost always design flawed systems. Good cryptographers know that nothing substitutes for extensive peer review and years of analysis. Quality systems use published and well-understood algorithms and protocols; using unpublished or unproven elements in a design is risky at best."
Skype's protocol design is unpublished and hasn't had the extensive peer review that makes security people stop fidgeting.