Interesting People mailing list archives
more on Skype security evaluation
From: David Farber <dave () farber net>
Date: Mon, 24 Oct 2005 07:23:45 -0400
Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: October 23, 2005 6:56:50 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Re: [IP] Skype security evaluation

Dave,

The cited report appears to confirm what we reasonably would have expected -- that Skype has done a good job in their implementation, and that apparently nothing nefarious is going on.

However, the conundrum is represented by this very short excerpt:

   1.1 Caveats

   This report represents a four-month evaluation. A longer evaluation effort might uncover problems not yet seen. The Version 1.3 code base was evaluated. *** The code base continues to evolve beyond that snapshot. *** [emphasis added]

Naturally, the code is expected to continue its evolution. But the intractable problem with proprietary crypto systems is that even if we know what they are doing today, we don't necessarily have any way to figure out what they're doing tomorrow, either in terms of accidental or purposeful weaknesses.

Yes, in theory Skype could release a new independent security audit of their code to accompany each new release, but this is hardly a practical solution.

This is why proprietary encryption systems should be avoided, especially since high-quality, open alternatives now exist.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () eepi org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

- - -
Begin forwarded message:

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: October 23, 2005 9:48:37 AM EDT
To: cryptography () metzdowd com
Subject: Skype security evaluation

Skype has released an external security evaluation of its product; you can find it at http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf (Skype was also clueful enough to publish the PGP signature of the report, an excellent touch -- see http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)

The author of the report, Tom Berson, has been in this business for many years; I have a great deal of respect for him.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo () metzdowd com