Interesting People mailing list archives

more on Skype security evaluation


From: David Farber <dave () farber net>
Date: Mon, 24 Oct 2005 07:23:45 -0400



Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: October 23, 2005 6:56:50 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Re: [IP] Skype security evaluation


Dave,

The cited report appears to confirm what we reasonably would have
expected -- that Skype has done a good job in their implementation,
and that apparently nothing nefarious is going on.

However, the conundrum is represented by this very short excerpt:

   1.1 Caveats

   This report represents a four-month evaluation. A
   longer evaluation effort might uncover problems not yet seen.
   The Version 1.3 code base was evaluated.
   *** The code base continues to evolve beyond that snapshot. ***
   [emphasis added]

Naturally, the code is expected to continue its evolution.  But the
intractable problem with proprietary crypto systems is that even if
we know what they are doing today, we don't necessarily have any way
to figure out what they're doing tomorrow, either in terms of
accidental or purposeful weaknesses.

Yes, in theory Skype could release a new independent security
audit of their code to accompany each new release, but this is
hardly a practical solution.

This is why proprietary encryption systems should be avoided,
especially since high-quality, open alternatives now exist.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com or lauren () eepi org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
  - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com


 - - -


Begin forwarded message:

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: October 23, 2005 9:48:37 AM EDT
To: cryptography () metzdowd com
Subject: Skype security evaluation


Skype has released an external security evaluation of its product; you
can find it at http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf
(Skype was also clueful enough to publish the PGP signature of the
report, an excellent touch -- see
http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig)
The author of the report, Tom Berson, has been in this business for many
years; I have a great deal of respect for him.

         --Steven M. Bellovin, http://www.cs.columbia.edu/~smb



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo () metzdowd com




Archives at: http://www.interesting-people.org/archives/interesting-people/

