[Dshield] Question on Skype

Kevin kkadow at gmail.com
Wed Mar 1 18:16:45 GMT 2006


On 2/18/06, Tom <dshield at oitc.com> wrote:
> For example, statements such as
>
> "Finally, it must be remembered that the security of the Skype system
> also depends entirely on the good will of Skype's programmers and the
> organization running Skype's back-end servers. It is possible that
> there are back doors Skype conversations."
>
> So how is this any different than software from Oracle, Microsoft,
> IBM, or even preconfigured "open sources" such as SuSE or RedHat or
> mySQL?  All of these could have been configured by a programmer with
> evil intentions to steal information

How it is different is that my Oracle servers are behind a firewall
with a policy which only permits the Oracle machine to communicate
with specific internal Oracle clients.

Additionally, the Oracle protocol can be audited, and the Oracle
application is not intentionally obfuscated and booby-trapped against
reverse-engineering.  Not so for Skype (see the URL at the end of this
email).

For Skype to be useful, your client needs to be able to exchange
arbitrary encrypted data with any Internet host.  Not only that, but
the software is designed to intentionally route traffic in a P2P
manner across arbitrary intermediate nodes, making it even more
difficult to detect whether there are any rogue connections or
unintended data transfer.


> If the messages are encrypted and authenticated (as Skype states and
> the article's author begrudgingly infers) then it is difficult to
> understand how the "evil ISP" can create a " malicious Skype node"
> unless they stole source code and crypto keys from Skype. If not, I
> don't see that this is any different risk than any other remote
> access scenario.

The encryption and authentication mechanisms are proprietary, not
based on open standards.  Unlike SSL where you can vet the code and
verify that the application is validating keys, there is no way to
audit Skype's communication protocol.

This is no different from any other remote access scenario where the
software and protocol is provided as a "black box" and must be
permitted to interact with any node on the Internet.

For more issues specific to Skype, see:
http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf


Kevin Kadow
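As an added illustration of the host-level policy described in the message above (this is not part of the original post), an nftables ruleset in the spirit of "only specific internal clients may reach the Oracle listener"; the addresses, set names, chain names and the admin/infrastructure subnets are assumptions, and TCP 1521 is the default Oracle listener port.

```nftables
#!/usr/sbin/nft -f
# Example host policy for a database server: only a named set of
# internal clients may reach the listener, everything else is dropped
# and logged.  Addresses and set contents are constructed examples.
flush ruleset

table inet oracle_host {
    set db_clients {
        type ipv4_addr
        elements = { 10.20.0.11, 10.20.0.12 }   # assumed internal Oracle clients
    }
    set admin_hosts {
        type ipv4_addr
        elements = { 10.20.0.5 }                # assumed administrative jump host
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Oracle listener (TCP 1521) reachable only from the approved clients
        tcp dport 1521 ip saddr @db_clients accept
        # Remote administration only from the jump host
        tcp dport 22 ip saddr @admin_hosts accept
        # Everything else falls through to the drop policy; keep a record of it
        limit rate 5/minute log prefix "oracle-host denied: "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # The server never initiates connections except DNS and NTP
        # to the internal infrastructure network (assumed 10.20.0.0/24)
        ip daddr 10.20.0.0/24 udp dport { 53, 123 } accept
        limit rate 5/minute log prefix "oracle-host egress denied: "
    }
}
```

The narrow 1521 rule is the kind of policy a P2P client cannot be given: software that must reach arbitrary peers on arbitrary ports has no equivalent line, and under a default-drop policy every one of its flows lands in the denied log.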



More information about the list mailing list