Annotation #7
Berson, T. (2005). Skype security evaluation. Anagram Laboratories. Retrieved from Google Scholar: http://74.125.155.132/scholar?q=cache:AU_InIsjOOcJ:scholar.google.com/+skype&hl=en
According to Tom Berson's website http://www.anagram.com/, he's a professional cryptographer who is now working with Skype to test their product, independently, for security flaws.
Here are some juicy, less technical tidbits from his lengthy report:
- "I started as a skeptic. I thought the system would be easy to defeat. However, my confidence in Skype grows daily. The more I find out about it, the more I like it." (p. 11)
- "The code implementing the Secure Hash Algorithm (SHA-1), is beautiful and tight." (p. 7)
- "The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently." (p. 11)
To me, this eavesdropping attack is the most frightening. When we pick up a phone, we are reasonably sure that there are government protections against eavesdropping, spying, etc. (Although in the Bush administration, domestic spying was found to have occurred frequently, without warrants, against innocent Americans). Following my previous theory that people treat Skype as the "telephone of the future," users expect the same degree of confidentiality and privacy with a VoIP call as with a landline or cellphone call.
After running his tests, Berson found that Skype has good protections in place to prevent common attacks like password guessing and eavesdropping. In Berson's final analysis: "The confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments." (p. 11)
Does this reassure me? Not completely, but it's a good start. If anything, the above sentence makes me reconsider the security of email! I have no reason to believe that Berson is in Skype's pocket; however, I have equally little proof that he is the independent cryptographer he claims to be. Additionally, this security test was conducted in 2005, at the dawn of Skype's popularity, possibly making it outdated. I was not able to find a more current analysis of this kind.
Skype itself has fairly detailed yet easy-to-read privacy and security policies and FAQs, which can be found at: http://www.skype.com/intl/en/legal/privacy/general/. Berson's 2005 analysis does seem consistent with Skype's current policies. Berson highlights several aspects of Skype's Security Policy which go a little further towards reassuring me that my Skype calls are secure:
1. Skype usernames are unique.
2. Users or applications must present a Skype username and its associated authentication credential (e.g., password) before they exercise that username’s identity or privileges.
3. Each peer correctly provides the other with proof of its username and privileges whenever a Skype session is established. Each verifies the other’s proof before the session is allowed carry messages (e.g., voice, video, files, or text).
4. Messages transmitted through a Skype session are encrypted from Skype-end to Skype-end. No intermediary node, if any exist, has access to the meaning of these messages.
Moving from security and into privacy of personal information, Skype's policy, taken from their website, seems fairly vague:
"Skype may disclose personal information to respond to legal requirements, to protect Skype and eBay Group’s interests, to enforce our policies or to protect anyone's rights, property, or safety.
Skype may share your information with the eBay Group for certain purposes, and in particular insofar as necessary to (1) provide and invoice certain joint services (such as registration, transactions and customer support); (2) organise marketing or promotional operations, contests, games and similar events; and (3) fight against fraud." http://www.skype.com/intl/en/legal/privacy/general/#8v
I am taken aback by the statement that Skype might disclose your personal information to protect their own interests, although I'm not at all surprised that they might use your information to organize marketing events. "To protect Skype and eBay Group's interests" is rather ill-defined. What if it's in their interest to sell your Skypename to video-telemarketers? Or worse, to a government agency that has not yet produced a warrant to eavesdrop on you? This portion of the policy at least (in contrast to sections on online safety and protecting yourself against fraud) seems designed to protect Skype's reputation rather than customer privacy.